openclaw-backups/skills/openclaw-dashboard

OpenClaw Dashboard (Public)

Mobile-first operations dashboard for OpenClaw, focused on sessions, costs, cron, watchdog, and day-to-day operations.

This public repository is sanitized and simplified for sharing.

Install via ClawHub

clawhub install openclaw-dashboard
cd ~/.openclaw/workspace/skills/openclaw-dashboard
cp env.example .env
node api-server.js

Then open http://localhost:18791

Quick Start (from source)

git clone https://github.com/JonathanJing/openclaw-dashboard.git
cd openclaw-dashboard
cp env.example .env
# edit .env with your own values
node api-server.js

Then open:

• http://localhost:18791/

Required Configuration

Default install has no hard key requirement.

• OPENCLAW_AUTH_TOKEN is optional but recommended for protected/local-auth usage.
• gateway.authToken is treated as optional capability context in skill metadata.

Use env.example (ClawHub package) or .env.example (source checkout) for optional overrides.

Compliance Defaults (Important)

This public package now ships with restricted defaults:

• Dashboard binds to localhost by default (DASHBOARD_HOST=127.0.0.1)
• No automatic loading of ~/.openclaw/keys.env unless OPENCLAW_LOAD_KEYS_ENV=1
• Provider org audit endpoint disabled unless OPENCLAW_ENABLE_PROVIDER_AUDIT=1
• Config file view endpoint (/ops/config) disabled unless OPENCLAW_ENABLE_CONFIG_ENDPOINT=1
• Absolute-path attachment copy mode disabled unless OPENCLAW_ALLOW_ATTACHMENT_FILEPATH_COPY=1
• Even when enabled, attachment copy only allows repo-local paths by default
• Extra source paths require explicit flags: OPENCLAW_ALLOW_ATTACHMENT_COPY_FROM_TMP=1, OPENCLAW_ALLOW_ATTACHMENT_COPY_FROM_WORKSPACE=1, and/or OPENCLAW_ALLOW_ATTACHMENT_COPY_FROM_OPENCLAW_HOME=1
• User-scoped systemctl restart disabled unless OPENCLAW_ENABLE_SYSTEMCTL_RESTART=1
• Frontend no longer sends auth token in query parameters for API calls
• Cron/task text sent to hooks is sanitized and treated as untrusted payload
• Mutating operations are disabled unless OPENCLAW_ENABLE_MUTATING_OPS=1 and request is from localhost
• server-monitor.html now uses integrated authenticated /metrics endpoint

These defaults reduce accidental secret ingestion and over-broad local file access.

Core Files

• api-server.js: backend API and operations logic
• agent-dashboard.html: single-file frontend UI
• SKILL.md: repository-level agent instructions

Security Notes

• No real tokens should be committed.
• Keep secrets in local environment files only.
• Rotate tokens immediately if exposure is suspected.

VirusTotal Compliance

Run a pre-release hash and upload workflow before publishing:

shasum -a 256 api-server.js agent-dashboard.html SKILL.md README.md env.example > vt-hashes.txt

Then submit these hashes/files to VirusTotal and attach the report IDs to your release notes.
If any file is flagged, block release and investigate before publishing.

Publish to ClawHub

This repository is prepared as a ClawHub skill package with root-level SKILL.md.

clawhub publish . \
  --slug openclaw-dashboard \
  --name "OpenClaw Dashboard" \
  --version 1.0.9 \
  --changelog "Risk-surface reduction: localhost bind default, no token-in-query API usage, tighter attachment copy defaults, and integrated /metrics endpoint."

If your local version changes, update both:

• SKILL.md frontmatter version
• clawhub publish --version

License

MIT