openclaw-usage-dashboard 安全扫描报告 — 可信 | ClawSafe

5 /100

openclaw-usage-dashboard

Interactive local dashboard for OpenClaw API usage — shows token consumption, request counts, and system health

OpenClaw Usage Dashboard is a legitimate, well-audited local monitoring tool with zero external network calls, hardcoded-only shell commands, comprehensive XSS protection, and secret sanitization — no malicious behavior detected.

技能名称openclaw-usage-dashboard

分析耗时34.7s

引擎pi

✓

可以安装

Safe to use. No action required.

安全发现 2 项

严重性	安全发现	位置
低危	Dead code: unused sanitization functions 文档欺骗 sanitizeEntry() and sanitizeText() are defined but never called. They represent defensive code that was added but not wired into the data pipeline. Not a security risk, but dead code. `function sanitizeText(text) { ... } // defined but never used` → Either wire these into the API response path or remove them to reduce confusion	`server.js:70`
低危	Dead code: configInfo variable 文档欺骗 configInfo is populated by loadConfig() but never referenced in the frontend code. `let configInfo = {}; // full config including primary/fallback model` → Remove unused variable or implement the feature it was prepared for	`dashboard.html:264`

资源类型	声明权限	推断权限	状态	证据
文件系统	`READ`	`READ`	✓ 一致	Reads ~/.openclaw/agents//sessions/.jsonl — declared in SKILL.md requirements
命令执行	`WRITE`	`READ`	✓ 一致	execSync only for hardcoded system commands (vm_stat, df, powershell, openclaw v…
网络访问	`NONE`	`NONE`	—	Server binds to 127.0.0.1 only; no external network calls
环境变量	`NONE`	`READ`	✓ 一致	Only reads USERPROFILE/homedir for path resolution; no credential harvesting

2 项发现

🔗

中危外部 URL 外部 URL

http://www.w3.org/2000/svg%22

dashboard.html:7

🔗

中危外部 URL 外部 URL

https://clawhub.com

dashboard.html:269

目录结构

5 文件 · 81.2 KB · 1719 行

HTML 1f · 856L JavaScript 1f · 641L Markdown 3f · 222L

├─ 📝 AUDIT.md Markdown 115L · 6.3 KB

├─ 📄 dashboard.html HTML 856L · 48.5 KB

├─ 📝 README.md Markdown 62L · 1.9 KB

├─ 📜 server.js JavaScript 641L · 22.7 KB

└─ 📝 SKILL.md Markdown 45L · 1.8 KB

安全亮点

✓ Zero external network calls — all server traffic is localhost only

✓ All shell commands are hardcoded with no user input interpolation (execSync with fixed strings only)

✓ Comprehensive XSS protection: esc() escapes all 5 HTML special chars including single quotes

✓ SECRET_PATTERNS regex array sanitizes API keys, Bearer tokens, and credential patterns from parsed logs

✓ getConfig() extracts ONLY model metadata from openclaw.json — credentials are never accessed or exposed

✓ Hard timeouts (2-5s) on all execSync calls with try/catch fallbacks

✓ Memory budget (100MB) and session limits (2000 files, 365 days) prevent resource exhaustion

✓ Thorough pre-release audit documented in AUDIT.md (9 issues found and fixed)

✓ Zero npm dependencies — no supply chain attack surface

✓ CSP headers, X-Frame-Options DENY, X-Content-Type-Options nosniff on all responses

✓ CORS restricted to localhost:PORT only

✓ Session file size limit (10MB per file) prevents malicious log files from blocking the process

✓ Uses spawn with array args (not shell) for browser auto-open — no shell injection risk