{
  "schemaVersion": "1.0",
  "item": {
    "slug": "security-dashboard",
    "name": "Security Dashboard",
    "source": "tencent",
    "type": "skill",
    "category": "Other",
    "sourceUrl": "https://clawhub.ai/vegasbrianc/security-dashboard",
    "canonicalUrl": "https://clawhub.ai/vegasbrianc/security-dashboard",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/security-dashboard",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=security-dashboard",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "README.md",
      "SKILL.md",
      "public/index.html",
      "scripts/check-security.sh",
      "scripts/install.sh",
      "scripts/publish.sh"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-23T16:43:11.935Z",
      "expiresAt": "2026-04-30T16:43:11.935Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
        "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this source.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/security-dashboard"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/security-dashboard",
    "agentPageUrl": "https://openagent3.xyz/skills/security-dashboard/agent",
    "manifestUrl": "https://openagent3.xyz/skills/security-dashboard/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/security-dashboard/agent.md"
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "Security Dashboard Skill",
        "body": "Real-time security monitoring dashboard for OpenClaw and Linux server infrastructure."
      },
      {
        "title": "Features",
        "body": "OpenClaw Security: Gateway status, binding, authentication, sessions, version tracking\nNetwork Security: Tailscale status, public ports, firewall, active connections\nPublic Exposure: Port binding analysis, dashboard security, exposure level assessment\nSystem Security: Updates, uptime, load, failed login attempts\nSSH & Access: Password auth status, fail2ban, banned IPs, active sessions\nCertificates & TLS: Caddy status, TLS configuration, WireGuard encryption\nResource Security: CPU/memory/disk usage, config file permissions"
      },
      {
        "title": "1. Install the Skill",
        "body": "cd /root/clawd/skills/security-dashboard\nsudo ./scripts/install.sh\n\nThis will:\n\nAsk user preference: Run as dedicated user (recommended) or root\nCreate openclaw-dashboard user with limited sudo privileges (if non-root)\nCreate systemd service with security hardening\nConfigure localhost binding (127.0.0.1 only)\nStart the dashboard on port 18791\nEnable auto-start on boot\n\nSecurity Note: Running as a dedicated user with limited sudo is recommended. The dashboard only needs sudo for security checks (fail2ban, firewall, systemctl status) - not full root access."
      },
      {
        "title": "2. Access the Dashboard",
        "body": "Localhost only (secure by default):\n\nVia SSH port forwarding:\n\nssh -L 18791:localhost:18791 root@YOUR_SERVER_IP\n\nThen visit: http://localhost:18791"
      },
      {
        "title": "Start/Stop/Restart",
        "body": "sudo systemctl start security-dashboard\nsudo systemctl stop security-dashboard\nsudo systemctl restart security-dashboard"
      },
      {
        "title": "Check Status",
        "body": "sudo systemctl status security-dashboard"
      },
      {
        "title": "View Logs",
        "body": "sudo journalctl -u security-dashboard -f"
      },
      {
        "title": "API Endpoint",
        "body": "Get raw security metrics:\n\ncurl http://localhost:18791/api/security | jq"
      },
      {
        "title": "Security Hardening",
        "body": "The dashboard follows security best practices to minimize attack surface:"
      },
      {
        "title": "Dedicated User (Recommended)",
        "body": "The install script creates an openclaw-dashboard user with limited sudo privileges:\n\n✅ No shell access (/bin/false)\n✅ No home directory\n✅ Only specific sudo commands allowed (fail2ban, firewall, systemctl status)\n✅ Cannot execute arbitrary commands"
      },
      {
        "title": "Systemd Hardening",
        "body": "Service runs with security restrictions:\n\nNoNewPrivileges=true      # Cannot escalate privileges\nPrivateTmp=true          # Isolated tmp directory\nProtectSystem=strict     # Read-only filesystem except skill dir\nProtectHome=true         # No access to /home\nReadWritePaths=...       # Only skill directory is writable\nRestart=on-failure       # Restart only on crashes (not always)"
      },
      {
        "title": "Network Binding",
        "body": "Default: 127.0.0.1 (localhost only)\nNot accessible from network without SSH tunnel or VPN\nNo public exposure risk"
      },
      {
        "title": "Running as Root (Not Recommended)",
        "body": "If you choose root during install:\n\n⚠️ Full system access if compromised\n⚠️ No privilege separation\n⚠️ Only suitable for trusted, isolated environments\n\nUse the dedicated user option for production deployments."
      },
      {
        "title": "Change Port",
        "body": "Edit /root/clawd/skills/security-dashboard/server.js:\n\nconst PORT = 18791; // Change this\n\nThen restart:\n\nsudo systemctl restart security-dashboard"
      },
      {
        "title": "Change Binding",
        "body": "Default: 127.0.0.1 (localhost only - secure)\nAlternative: 0.0.0.0 (all interfaces - only with Tailscale!)\n\nEdit server.js line 445:\n\nserver.listen(PORT, '127.0.0.1', () => {\n  // Change '127.0.0.1' to '0.0.0.0' if needed\n});\n\n⚠️ Security Warning: Only bind to 0.0.0.0 if behind Tailscale or firewall!"
      },
      {
        "title": "Customize Metrics",
        "body": "Add custom checks in server.js:\n\ngetOpenClawMetrics() - OpenClaw-specific metrics\ngetNetworkMetrics() - Network security\ngetSystemMetrics() - System-level checks\ngetPublicExposure() - Port/binding analysis"
      },
      {
        "title": "🦞 OpenClaw Security",
        "body": "Gateway running/stopped status\nBinding configuration (loopback/public)\nAuth token length and mode\nActive sessions + subagents\nSkills count\nCurrent version + update availability"
      },
      {
        "title": "🌐 Network Security",
        "body": "Tailscale connection status + IP\nPublic ports count\nFirewall status (UFW/firewalld)\nActive TCP connections"
      },
      {
        "title": "🌍 Public Exposure",
        "body": "Exposure level (Excellent/Minimal/Warning/High)\nPublic port details (service names)\nKanban board binding\nSecurity dashboard binding\nOpenClaw gateway binding\nTailscale active/inactive\nSecurity recommendations"
      },
      {
        "title": "🖥️ System Security",
        "body": "Updates available\nServer uptime\nLoad average\nFailed SSH logins (24h)\nRoot processes count"
      },
      {
        "title": "🔑 SSH & Access Control",
        "body": "SSH service status\nPassword authentication (enabled/disabled)\nfail2ban status\nBanned IPs count\nActive SSH sessions"
      },
      {
        "title": "📜 Certificates & TLS",
        "body": "Caddy status\nPublic TLS enabled/disabled\nTailscale WireGuard encryption"
      },
      {
        "title": "📊 Resource Security",
        "body": "CPU usage percentage\nMemory usage percentage\nDisk usage percentage\nConfig file permissions (should be 600)"
      },
      {
        "title": "Security Alerts",
        "body": "Dashboard generates real-time alerts:\n\nCritical (Red):\n\nWeak gateway token (< 32 chars)\nSSH password authentication enabled\nInsecure config permissions (not 600)\nFirewall inactive (UFW/firewalld not running)\nfail2ban inactive (SSH brute-force protection disabled)\n\nWarning (Yellow):\n\nTailscale disconnected\n20+ system updates available\n10+ failed login attempts in 24h\nDisk > 80% full\n\nInfo (Blue):\n\nGateway exposed without Tailscale\nNon-standard configurations"
      },
      {
        "title": "Morning Briefing",
        "body": "Add security status to morning report:\n\ncurl -s http://localhost:18791/api/security | jq '.status'"
      },
      {
        "title": "Heartbeat Checks",
        "body": "Monitor for critical alerts:\n\ncurl -s http://localhost:18791/api/security | \\\n  jq '.alerts[] | select(.level == \"critical\")'"
      },
      {
        "title": "Alerting Integration",
        "body": "Pipe alerts to notification systems:\n\n./scripts/check-alerts.sh | xargs -I {} notify-send \"Security Alert\" \"{}\""
      },
      {
        "title": "Architecture",
        "body": "Backend: Node.js HTTP server\nFrontend: Vanilla JavaScript (no frameworks)\nPort: 18791 (configurable)\nBinding: 127.0.0.1 (localhost only)\nService: systemd unit\n\nFiles:\n\nserver.js - Main backend (metrics collection + API)\npublic/index.html - Dashboard UI\nlib/ - Shared utilities (if needed)"
      },
      {
        "title": "Dependencies",
        "body": "Node.js (v18+)\nsystemctl - Service management\nss - Socket statistics\nufw or firewalld - Firewall check\ntailscale - VPN status (optional)\nfail2ban - Ban tracking (optional)\nopenclaw - Gateway monitoring\n\nAll dependencies are standard Linux utilities except OpenClaw."
      },
      {
        "title": "Dashboard not loading",
        "body": "Check service status:\nsudo systemctl status security-dashboard\n\nCheck logs:\nsudo journalctl -u security-dashboard -n 50\n\nVerify port is listening:\nss -tlnp | grep 18791\n\nTest API directly:\ncurl http://localhost:18791/api/security"
      },
      {
        "title": "Gateway Status \"Unknown\"",
        "body": "Verify OpenClaw gateway is running:\npgrep -f openclaw-gateway\n\nCheck OpenClaw config exists:\ncat ~/.openclaw/openclaw.json"
      },
      {
        "title": "Metrics showing \"Unknown\"",
        "body": "Commands may require sudo permissions\nCheck script execution permissions\nVerify paths exist (sessions, skills, etc.)"
      },
      {
        "title": "Uninstall",
        "body": "sudo systemctl stop security-dashboard\nsudo systemctl disable security-dashboard\nsudo rm /etc/systemd/system/security-dashboard.service\nsudo systemctl daemon-reload\n\nThen remove skill directory:\n\nrm -rf /root/clawd/skills/security-dashboard"
      },
      {
        "title": "Publishing",
        "body": "To publish to ClawdHub:\n\nclawdhub publish security-dashboard"
      },
      {
        "title": "License",
        "body": "MIT"
      },
      {
        "title": "Author",
        "body": "Created by Erdma for Brian Christner's infrastructure monitoring."
      }
    ]
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/vegasbrianc/security-dashboard",
    "publisherUrl": "https://clawhub.ai/vegasbrianc/security-dashboard",
    "owner": "vegasbrianc",
    "version": "1.2.1",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/security-dashboard",
    "downloadUrl": "https://openagent3.xyz/downloads/security-dashboard",
    "agentUrl": "https://openagent3.xyz/skills/security-dashboard/agent",
    "manifestUrl": "https://openagent3.xyz/skills/security-dashboard/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/security-dashboard/agent.md"
  }
}