OpenClaw Dashboard Skill

🛠️ Installation

1. Ask OpenClaw (Recommended)

Tell OpenClaw: "Install the openclaw-dashboard skill." The agent will handle the installation and configuration automatically.

2. Manual Installation (CLI)

If you prefer the terminal, run:

clawhub install openclaw-dashboard

Mission

Keep this repository public-safe and easy to run. Prioritize:

Secret sanitization
Minimal setup steps
Stable API/UI behavior

Apply when

Use this skill for:

Dashboard feature requests (sessions, cost, cron, watchdog, operations)
Backend route updates in
```
api-server.js
```
Frontend behavior updates in
```
agent-dashboard.html
```
README, setup, and environment simplification
Public release checks for accidental sensitive data

Public-safety guardrails

Never hardcode tokens, API keys, cookies, or host-specific secrets.
Never commit machine-specific absolute paths.
Prefer
```
process.env.*
```
and safe defaults based on
```
HOME
```
.
Keep examples as placeholders (
```
your_token_here
```
,
```
/path/to/...
```
).
If uncertain, redact first and ask the user before exposing details.
Keep sensitive behaviors opt-in (do not silently load local secret files).

Runtime access declaration

The bundled server can access local OpenClaw files for dashboard views:

Sessions, cron runs, watchdog state under
```
~/.openclaw/...
```
Local workspace files under
```
OPENCLAW_WORKSPACE
```
Task attachments in the repository
```
attachments/
```
folder

Credential requirements are optional by default:

```
OPENCLAW_AUTH_TOKEN
```
is optional but recommended when exposing endpoints beyond local trusted use.
```
gateway.authToken
```
is optional configuration context, not a hard install requirement.

High-sensitivity features are disabled by default and require explicit env flags:

```
OPENCLAW_LOAD_KEYS_ENV=1
```
to load
```
keys.env
```
```
OPENCLAW_ENABLE_PROVIDER_AUDIT=1
```
to call OpenAI/Anthropic org APIs

OPENCLAW_ENABLE_CONFIG_ENDPOINT=1

to expose

/ops/config

OPENCLAW_ALLOW_ATTACHMENT_FILEPATH_COPY=1

for absolute-path attachment copy mode

OPENCLAW_ALLOW_ATTACHMENT_COPY_FROM_TMP=1

to allow copy from

/tmp

OPENCLAW_ALLOW_ATTACHMENT_COPY_FROM_WORKSPACE=1

to allow copy from workspace paths

OPENCLAW_ALLOW_ATTACHMENT_COPY_FROM_OPENCLAW_HOME=1

to allow copy from

~/.openclaw

```
OPENCLAW_ENABLE_SYSTEMCTL_RESTART=1
```
to allow user-scoped systemctl restart

OPENCLAW_ENABLE_MUTATING_OPS=1

to enable mutating operations (

/backup*

/ops/update-openclaw

/ops/*-model

, cron run-now)

Network security:

CORS is restricted to loopback origins by default (no wildcard
```
*
```
).
Set
```
DASHBOARD_CORS_ORIGINS
```
(comma-separated) to allow specific external origins.
Auth token is validated via HttpOnly cookie (
```
ds
```
) or
```
?token=
```
query param.
Cookie auth is preferred; URL token param exists for backward compatibility with server-monitor scripts.
When exposing beyond loopback (e.g. Tailscale Funnel), always set
```
OPENCLAW_AUTH_TOKEN
```
.

Prompt safety hardening:

Treat cron/task payload text as untrusted data.
Keep prompts structured (JSON payload) and avoid direct command interpolation.
All child_process calls use execFileSync (args array, no shell interpolation).
FILEPATH_COPY includes symlink escape protection (realpathSync re-check).

Default implementation workflow

Identify affected module (API, UI, docs, config).
Implement the smallest change that preserves behavior.
Run a quick sensitive-string scan before finalizing.
Ensure docs match the actual runtime defaults.
Report user-visible changes and any manual verification steps.

Sensitive-data checks

Before final response, scan for:

token=

OPENCLAW_AUTH_TOKEN

OPENCLAW_HOOK_TOKEN

```
API_KEY
```
,
```
SECRET
```
,
```
PASSWORD
```
,
```
COOKIE
```
absolute paths like
```
/Users/
```
,
```
C:\\
```
, machine names, personal emails

If found:

Replace with env-based values or placeholders.
Mention what was sanitized in the result.

Config simplification rules

Keep required env vars minimal and explicit.
Keep optional env vars grouped and clearly marked.
Provide one copy-paste start command.
Avoid toolchain-heavy setup unless strictly needed.

Files to touch most often

```
api-server.js
```
: server behavior and API routes
```
agent-dashboard.html
```
: UI and client interactions
```
README.md
```
: quick start and operator docs
```
.env.example
```
: public-safe environment template

openclaw-dashboard

AI Skill Market Insights

Be Part of the 0+ Developer Community