openclaw-bot-review-dashboard

Fail

Audited by Gen Agent Trust Hub on May 17, 2026

Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill focuses on reading and processing ~/.openclaw/openclaw.json, which is documented to contain highly sensitive credentials including api_key (e.g., OpenAI keys), app_id, and app_secret (e.g., Feishu/Discord credentials).
  • [EXTERNAL_DOWNLOADS]: The installation process requires cloning a repository from an untrusted source (github.com/xmanrui/OpenClaw-bot-review) and running npm install, which can execute arbitrary scripts during the package installation phase.
  • [COMMAND_EXECUTION]: The skill provides a series of shell commands for installation, deployment, and troubleshooting, including commands like cat and grep used to inspect files containing sensitive credentials.
  • [DATA_EXPOSURE]: The dashboard's core functionality involves reading local session data and configuration files from the home directory and exposing their contents—including token usage and bot configurations—via a web interface.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: May 17, 2026, 04:22 PM
Security Audit — agent-trust-hub — openclaw-bot-review-dashboard