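📦 Live Monitoring Dashboard — Real-Time Status Panel
v2.0.0
OpenClaw zero-token real-time Discord monitoring dashboard that continuously displays system health, scheduled tasks, sessions and performance data inside Discord, giving an at-a-glance view of overall operating status.
0 · 344 · 0 current · 0 total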
Last updated: 2026/4/22
Security scan
OpenClaw
Suspicious
medium confidence
The skill mostly does what a monitoring dashboard claims, but several inconsistencies and hard-coded message targets (a specific user ID) create a risk of unintended data disclosure and warrant manual review before installing.
Assessment recommendations
Do not install or run this skill without manual review. Key actions to take before trusting it: 1) Search all scripts for hard-coded targets (the ID '311529658695024640' and channel/message IDs in config/live-state.json) and change them to your own monitoring channel or remove the hard-coded target entirely. 2) Confirm the OpenClaw 'message' and 'cron' commands will post only to a channel you control — the current code posts to a user ID which can leak system/cron/process info to that recipient....
⚠ Purpose and capabilities
The README/SKILL.md describes a dashboard that posts to a monitoring Discord channel, but many files contain hard-coded user/channel IDs and scripts that send messages to a specific user (target: 'user:311529658695024640'). Registry metadata declared only curl/jq/top/df as required binaries, yet the code expects 'openclaw', 'ps', 'uptime', 'bc' and other tools. Also the package shows many code files despite the manifest claiming 'No install spec / instruction-only' — these mismatches are unexplained.
⚠ Instruction scope
Runtime instructions and scripts gather system/process/cron data (ps, top, df, uptime, openclaw cron list) which matches monitoring, but generated OpenClaw session scripts call message({ action: 'send' ... target: 'user:311529658695024640' }) — i.e., they will send collected system activity to a specific user unless reconfigured. SKILL.md also instructs adding cron jobs that repeatedly execute skill scripts; that persistence + data collection could leak sensitive information to the configured target if not reviewed.
ℹ Install mechanism
There is no remote download/install of third‑party code in the manifest (install.sh, package.json and scripts are bundled), which lowers supply-chain risk. However the package claims 'instruction-only' while the shipped package contains many executable scripts and an install.sh — an inconsistency the user should note (scripts will be written/executed on install/run).
⚠ Credential requirements
The skill declares no required environment variables, but the code uses process.env.LIVE_MESSAGE_ID and relies on OpenClaw session privileges to post/edit messages. It also contains hard-coded user and channel IDs and state files with message/guild IDs — effectively requiring access to OpenClaw/Discord posting capability without declaring credentials. Asking nothing explicitly while expecting platform-level messaging permission is disproportionate and risky.
ℹ Persistence and permissions
always:false (good). The skill suggests creating cron jobs (via OpenClaw cron add) to run every 30s/1m which gives it ongoing execution in the OpenClaw environment. That autonomous scheduling is expected for monitoring but combined with hard-coded remote targets increases blast radius if misconfigured. The skill does not request to modify other skills or system-wide configs beyond its own state files.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Versions
latest · v2.0.0 · 2026/3/5
Zero-token Discord monitoring with direct API, 4-slice architecture, performance analytics
● Suspicious
Install command
Official: npx clawhub@latest install tommy-monitoring-dashboard
Mirror: npx clawhub@latest install tommy-monitoring-dashboard --registry https://cn.longxiaskill.com (mirror syncing)