Trusted — Risk Score 5/100
Last scan: 1 day ago
openclaw-usage-dashboard
Interactive local dashboard for OpenClaw API usage — shows token consumption, request counts, and system health
OpenClaw Usage Dashboard is a legitimate, well-audited local monitoring tool with zero external network calls, hardcoded-only shell commands, comprehensive XSS protection, and secret sanitization — no malicious behavior detected.
Skill Name: openclaw-usage-dashboard
Duration: 34.7s
Engine: pi
Safe to install
Safe to use. No action required.

Findings (2 items)

1. Low: Dead code, unused sanitization functions (Doc Mismatch). Location: server.js:70
   sanitizeEntry() and sanitizeText() are defined but never called. They are defensive code that was added but not wired into the data pipeline. Not a security risk on its own, but dead code. Before relying on the secret-sanitization positive below, confirm that SECRET_PATTERNS is applied somewhere on the API response path that does not go through these two functions; if they were its only callers, parsed session text reaches the frontend unsanitized.
   function sanitizeText(text) { ... } // defined but never used
   → Either wire these into the API response path or remove them to reduce confusion

2. Low: Dead code, configInfo variable (Doc Mismatch). Location: dashboard.html:264
   configInfo is populated by loadConfig() but never referenced in the frontend code. The comment reads "full config"; confirm that what the server returns to loadConfig() is the model-metadata subset described under Security Positives, not the raw openclaw.json.
   let configInfo = {};  // full config including primary/fallback model
   → Remove the unused variable or implement the feature it was prepared for
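One way to wire the unused sanitizers into the response path, as the first finding recommends. This is an added example, not the skill's server.js; the regex list, the sample JSONL lines, the helper names other than sanitizeText()/sanitizeEntry(), and the 10 MB per-file cap (taken from the Security Positives below) are assumptions.

```javascript
// Added example (not the skill's server.js): secret sanitization wired into
// the session-file -> API response path. SECRET_PATTERNS, the sample JSONL
// and the helper names other than sanitizeText()/sanitizeEntry() are assumed.

// Each entry pairs a regex with a replacement that keeps the field name readable.
const SECRET_PATTERNS = [
  // "sk-" style API keys: prefix followed by 20+ key characters (assumed shape)
  { re: /\bsk-[A-Za-z0-9_-]{20,}\b/g, repl: '[REDACTED]' },
  // Authorization header values
  { re: /\bBearer\s+[A-Za-z0-9._~+/=-]{8,}/gi, repl: 'Bearer [REDACTED]' },
  // key=value or key: value credential assignments; $1$2 keeps e.g. "api_key="
  {
    re: /\b(api[_-]?key|secret|password|token)\b(\s*["']?\s*[:=]\s*["']?)([^"'\s,}]+)/gi,
    repl: '$1$2[REDACTED]',
  },
];

// Per-file cap matching the 10 MB limit listed under Security Positives.
const MAX_SESSION_FILE_BYTES = 10 * 1024 * 1024;

function sanitizeText(text) {
  if (typeof text !== 'string') return text;
  return SECRET_PATTERNS.reduce((out, p) => out.replace(p.re, p.repl), text);
}

// Walks a parsed JSONL entry and sanitizes every string leaf, including
// nested objects and arrays, so a token inside meta.headers is caught too.
function sanitizeEntry(value) {
  if (typeof value === 'string') return sanitizeText(value);
  if (Array.isArray(value)) return value.map(sanitizeEntry);
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = sanitizeEntry(v);
    return out;
  }
  return value; // numbers, booleans, null
}

// Parses one session file's text. Oversized files are skipped entirely and
// malformed lines are dropped, so a bad log cannot block the dashboard.
function parseSessionLines(jsonl, maxBytes = MAX_SESSION_FILE_BYTES) {
  if (Buffer.byteLength(jsonl, 'utf8') > maxBytes) return [];
  const entries = [];
  for (const line of jsonl.split('\n')) {
    if (!line.trim()) continue;
    try {
      entries.push(sanitizeEntry(JSON.parse(line)));
    } catch (_) {
      // skip malformed line
    }
  }
  return entries;
}

// The API handler serialises only sanitized entries; nothing reaches the
// frontend without passing through sanitizeEntry().
function sessionsResponseBody(jsonl) {
  return JSON.stringify({ entries: parseSessionLines(jsonl) });
}

// Constructed sample session lines (not real data).
const SAMPLE_JSONL = [
  '{"ts":1,"role":"user","text":"my key is sk-abcdefghij1234567890ABCD please use it"}',
  '{"ts":2,"role":"assistant","meta":{"headers":{"authorization":"Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig"}},"text":"ok"}',
  '{"ts":3,"role":"tool","text":"api_key=AKIAEXAMPLEKEY123, password: hunter2"}',
  'not json',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(sessionsResponseBody(SAMPLE_JSONL));
}
```

Applying sanitizeEntry() at the serialisation boundary rather than at each call site is what makes the guarantee checkable: a single grep for JSON.stringify on the response path shows whether anything bypasses it.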
Resource      Declared  Inferred  Status     Evidence
Filesystem    READ      READ      ✓ Aligned  Reads ~/.openclaw/agents/*/sessions/*.jsonl — declared in SKILL.md requirements
Shell         WRITE     READ      ✓ Aligned  execSync only for hardcoded system commands (vm_stat, df, powershell, openclaw v…
Network       NONE      NONE                 Server binds to 127.0.0.1 only; no external network calls
Environment   NONE      READ      ✓ Aligned  Only reads USERPROFILE/homedir for path resolution; no credential harvesting
Links (2 findings)

Medium: External URL http://www.w3.org/2000/svg%22 at dashboard.html:7
  This is the XML namespace identifier of an inline <svg xmlns="..."> element. Browsers never fetch namespace URIs, so it is not a network call. The trailing %22 is the URL encoding of a double quote, the attribute's closing quote captured by the scanner's URL match.

Medium: External URL https://clawhub.com at dashboard.html:269
  Check how the URL is used on that line. As the href of an anchor it is followed only when the user clicks it, which is consistent with the zero-external-network-call positive below; as a script, image, stylesheet or fetch target it would contradict that positive.

File Tree

5 files · 81.2 KB · 1719 lines
HTML: 1 file, 856 lines; JavaScript: 1 file, 641 lines; Markdown: 3 files, 222 lines
├─ 📝 AUDIT.md Markdown 115L · 6.3 KB
├─ 📄 dashboard.html HTML 856L · 48.5 KB
├─ 📝 README.md Markdown 62L · 1.9 KB
├─ 📜 server.js JavaScript 641L · 22.7 KB
└─ 📝 SKILL.md Markdown 45L · 1.8 KB

Security Positives

✓ Zero external network calls — all server traffic is localhost only
✓ All shell commands are hardcoded with no user input interpolation (execSync with fixed strings only)
✓ Comprehensive XSS protection: esc() escapes all 5 HTML special chars (& < > " '), single quote included, so output is safe in text nodes and in single- or double-quoted attributes
✓ SECRET_PATTERNS regex array sanitizes API keys, Bearer tokens, and credential patterns from parsed logs
✓ getConfig() extracts ONLY model metadata from openclaw.json — credentials are never accessed or exposed
✓ Hard timeouts (2-5s) on all execSync calls with try/catch fallbacks
✓ Memory budget (100MB) and session limits (2000 files, 365 days) prevent resource exhaustion
✓ Thorough pre-release audit documented in AUDIT.md (9 issues found and fixed)
✓ Zero npm dependencies: no third-party supply chain attack surface beyond the Node.js runtime itself
✓ CSP headers, X-Frame-Options DENY, X-Content-Type-Options nosniff on all responses
✓ CORS restricted to localhost:PORT only
✓ Session file size limit (10MB per file) prevents malicious log files from blocking the process
✓ Uses spawn with array args (not shell) for browser auto-open — no shell injection risk