
openclaw-security-dashboard

v1.5.0

Published

Security scanner for OpenClaw deployments. Checks gateway exposure, skill supply chain (1,184+ IOCs), config hardening, identity integrity, persistence, and sessions. Zero dependencies. 100% local.


Every OpenClaw dashboard shows what your agent can do. This one shows what it shouldn't be doing.

Install & Run

Install permanently (recommended):

npm install -g openclaw-security-dashboard
openclaw-security-dashboard install

Dashboard runs at http://localhost:7177, starts on login, re-scans every 30 minutes.

Quick scan (one-off):

npx openclaw-security-dashboard@latest

Auto-fix:

openclaw-security-dashboard --fix       # installed globally
npx openclaw-security-dashboard --fix   # or via npx

Zero dependencies. Zero network calls. Everything stays on your machine.

Management commands:

openclaw-security-dashboard status      # check if running, current grade
openclaw-security-dashboard uninstall   # stop and remove service

Or clone for development:

git clone https://github.com/piti/openclaw-security-dashboard.git
cd openclaw-security-dashboard
node server.js

Auto-Fix

# Scan, fix what's fixable, show before/after
npx openclaw-security-dashboard --fix

# Fix + JSON output (for CI/CD)
npx openclaw-security-dashboard --fix --json

Creates a timestamped backup before touching anything. Fixes mechanical issues automatically:

  • Gateway bound to 0.0.0.0 → rebound to 127.0.0.1
  • Weak file permissions → set to 600
  • authBypass enabled → disabled
  • Missing safeBins allowlist → added (11 safe commands)
  • Plaintext API keys → replaced with env var references

After fixing, re-scans and shows your new grade. Typical improvement: F → C in seconds.

Issues requiring human judgment (skill selection, identity files, network config) are left as findings with remediation guidance.

The browser dashboard also has an Auto-Fix button with a confirmation modal — click it to see exactly what will change, then apply with one click.
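As an added illustration (not the package's own code), here is how those mechanical fixes look as an audit-then-fix pass over a config object; the key names gateway.bind, gateway.authBypass, safeBins and apiKeys are assumed for the example, not OpenClaw's real schema:

```javascript
// Added example (not the project's code): audits an OpenClaw-style config
// object for the mechanical issues the README's auto-fix handles and returns
// a fixed copy. Key names (gateway.bind, gateway.authBypass, safeBins, apiKeys)
// are assumptions for illustration, not the real OpenClaw schema.
const ENV_REF = /^\$\{[A-Z][A-Z0-9_]*\}$/;            // e.g. ${OPENAI_KEY}
const DEFAULT_SAFE_BINS = ['cat', 'ls', 'grep', 'stat', 'head', 'tail',
  'wc', 'echo', 'pwd', 'date', 'file'];               // 11 constructed entries

// Turn a key name into an env var reference: openaiKey -> ${OPENAI_KEY}
function envRefFor(name) {
  return '${' + name.replace(/([a-z])([A-Z])/g, '$1_$2').toUpperCase() + '}';
}
// True when a file mode grants group or others any access (the fix sets 600)
function permsTooOpen(mode) {
  return (mode & 0o077) !== 0;
}
function auditConfig(cfg) {
  const findings = [];
  const gw = cfg.gateway || {};
  if (gw.bind === '0.0.0.0') findings.push({ id: 'gateway-bind', severity: 'CRITICAL' });
  if (gw.authBypass === true) findings.push({ id: 'auth-bypass', severity: 'CRITICAL' });
  if (!Array.isArray(cfg.safeBins) || cfg.safeBins.length === 0) {
    findings.push({ id: 'safe-bins-missing', severity: 'MEDIUM' });
  }
  for (const [name, value] of Object.entries(cfg.apiKeys || {})) {
    // anything that is not already an env var reference is a plaintext secret
    if (typeof value === 'string' && !ENV_REF.test(value)) {
      findings.push({ id: 'plaintext-key:' + name, severity: 'HIGH' });
    }
  }
  return findings;
}
function fixConfig(cfg) {
  const fixed = JSON.parse(JSON.stringify(cfg)); // deep copy; back up the original first
  fixed.gateway = fixed.gateway || {};
  if (fixed.gateway.bind === '0.0.0.0') fixed.gateway.bind = '127.0.0.1';
  if (fixed.gateway.authBypass === true) fixed.gateway.authBypass = false;
  if (!Array.isArray(fixed.safeBins) || fixed.safeBins.length === 0) fixed.safeBins = [...DEFAULT_SAFE_BINS];
  const extracted = {};                               // plaintext values to move into the environment
  for (const [name, value] of Object.entries(fixed.apiKeys || {})) {
    if (typeof value === 'string' && !ENV_REF.test(value)) {
      extracted[envRefFor(name).slice(2, -1)] = value;
      fixed.apiKeys[name] = envRefFor(name);
    }
  }
  return { fixed, extracted };
}
// Constructed sample config with every issue present
const SAMPLE = { gateway: { bind: '0.0.0.0', authBypass: true },
  apiKeys: { openaiKey: 'sk-constructed-example' } };
```

The extracted map is what you would export into the environment before restarting the gateway; the returned config no longer carries the secret itself.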

CLI Flags & Subcommands

# Subcommands
openclaw-security-dashboard install          # install as background service
openclaw-security-dashboard uninstall        # stop and remove service
openclaw-security-dashboard status           # check if running + current grade

# Flags
openclaw-security-dashboard --fix            # scan + auto-fix
openclaw-security-dashboard --json           # JSON output + exit (for CI/CD)
openclaw-security-dashboard --no-browser     # start server without opening browser
openclaw-security-dashboard --watch          # re-scan periodically (default: 30m)
openclaw-security-dashboard --watch-interval 15  # custom watch interval (minutes)
openclaw-security-dashboard --fix --json     # fix + JSON output

Exit codes for --json: 0 (grade A/B), 1 (grade C/D), 2 (grade F).

Background Service

openclaw-security-dashboard install sets up a persistent background service:

  • macOS: LaunchAgent at ~/Library/LaunchAgents/io.bulwarkai.dashboard.plist — starts on login, restarts on crash
  • Linux: systemd user service at ~/.config/systemd/user/openclaw-security-dashboard.service
  • Windows: Not yet supported (use npx in a terminal)

The service re-scans every 30 minutes and tracks grade history:

  • Logs: ~/.openclaw/.dashboard-logs/dashboard.log
  • Grade history: ~/.openclaw/.dashboard-logs/grade-history.jsonl

The status command also checks npm for newer versions and prompts to update.

Security & Permissions

This tool requires two system capabilities that security scanners like Socket.dev will flag:

Shell access — The scanner inspects your OpenClaw installation by running read-only system commands (grep, stat, ls, crontab -l, lsof). The --fix flag also runs chmod and file operations to apply security fixes. All commands target only your ~/.openclaw/ directory.

Network access — The web dashboard UI runs a local HTTP server on localhost:7177. This server only binds to loopback (127.0.0.1) and never makes outbound network connections. No data leaves your machine. No telemetry. No phone-home.

You can verify this yourself:

# Check what the server listens on
lsof -iTCP:7177 -sTCP:LISTEN
# Verify no outbound connections
lsof -i -P | grep openclaw

What It Checks

Gateway Security — Bind address, auth enforcement, TLS, port exposure, CVE version check

Skill Supply Chain — 102+ named IOCs, 21 pattern rules, C2 IP detection, exfil domain detection, publisher blacklist, reverse shell detection

Config Hardening — File permissions, plaintext secrets, sandbox settings

Identity Integrity — SOUL.md tampering detection, prompt injection scanning, SHA-256 hash baselines

Persistence & Cron — LaunchAgents, hooks, MCP server version pinning

Session Analysis — Injection attempts, credential leaks in session logs

API Integration

When running as a service (openclaw-security-dashboard install), the dashboard exposes a JSON API on localhost:7177.

Get current security status

curl http://localhost:7177/api/status

Returns:

{
  "dashboard_version": "1.4.2",
  "scan_date": "2026-03-05T12:00:00Z",
  "openclaw_version": "2026.3.2",
  "grade": "B",
  "score": 72,
  "grade_color": "#3b82f6",
  "credential_level": {
    "level": "L3",
    "label": "Credentials directory"
  },
  "summary": {
    "critical": 0,
    "high": 1,
    "medium": 1,
    "low": 1,
    "total": 3
  },
  "panels": {
    "gateway": { "status": "green" },
    "skills": { "status": "green" },
    "config": { "status": "amber" },
    "identity": { "status": "green" },
    "persistence": { "status": "green" },
    "sessions": { "status": "green" },
    "mcp": { "status": "green" }
  }
}

Trigger a rescan

curl http://localhost:7177/api/scan

Apply auto-fixes

curl -X POST http://localhost:7177/api/fix

Embed in your dashboard

// Fetch security grade for your OpenClaw dashboard
const res = await fetch('http://localhost:7177/api/status');
const { grade, score, grade_color, summary } = await res.json();

// Display a security badge
console.log(`Security: ${grade} (${score}/100)`);

The API only binds to loopback (127.0.0.1). No authentication required for local access. No data leaves your machine.

Security Grade

Your deployment gets a letter grade (A+ through F) based on weighted findings. The grade is designed to be screenshot-friendly — share your score.

| Severity | Score Impact |
|----------|--------------|
| CRITICAL | -25 each |
| HIGH | -15 each |
| MEDIUM | -5 each |
| LOW | -2 each |
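An added example (not the project's code) that applies these weights to a findings summary and turns the --json exit-code convention from the CLI section into a CI gate over /api/status output; the letter cut-offs are an assumption, since the README gives only the weights:

```javascript
// Added example (not the project's code): the README's severity weights applied
// to a findings summary, and the --json exit-code convention turned into a CI
// gate over /api/status output. The letter cut-offs are an assumption; the
// README only says grades run from A+ to F.
const WEIGHTS = { critical: 25, high: 15, medium: 5, low: 2 };

function scoreFromSummary(summary) {
  let score = 100;
  for (const [sev, weight] of Object.entries(WEIGHTS)) score -= weight * (summary[sev] || 0);
  return Math.max(0, score);   // floor at 0 so a bad deployment is an F, not a negative number
}

function letterGrade(score) {  // assumed cut-offs, not from the README
  if (score >= 95) return 'A+';
  if (score >= 90) return 'A';
  if (score >= 70) return 'B';
  if (score >= 50) return 'C';
  if (score >= 30) return 'D';
  return 'F';
}

// Documented --json exit codes: 0 for A/B, 1 for C/D, 2 for F
function exitCodeForGrade(grade) {
  const letter = grade.charAt(0);
  if (letter === 'A' || letter === 'B') return 0;
  if (letter === 'C' || letter === 'D') return 1;
  return 2;
}

// CI gate: parse a /api/status body, fail on grade C or worse or on any
// critical finding, and list the panels that are not green.
function ciGate(statusJson, { allowCritical = false } = {}) {
  const status = JSON.parse(statusJson);
  const attention = Object.entries(status.panels || {})
    .filter(([, panel]) => panel.status !== 'green')
    .map(([name, panel]) => name + '=' + panel.status);
  let code = exitCodeForGrade(status.grade);
  const critical = (status.summary || {}).critical || 0;
  if (!allowCritical && critical > 0) code = Math.max(code, 1);
  return { code, grade: status.grade, score: status.score, attention };
}

// Constructed body in the shape the README documents for /api/status
const SAMPLE_STATUS = JSON.stringify({
  grade: 'B', score: 72,
  summary: { critical: 0, high: 1, medium: 1, low: 1, total: 3 },
  panels: { gateway: { status: 'green' }, config: { status: 'amber' }, skills: { status: 'green' } },
});
```

In a pipeline, pass the curl output to ciGate and exit with the returned code; the attention list tells you which panel to open first.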

Integration with Other Dashboards

openclaw-security-dashboard works alongside Mission Control, TenacitOS, ClawDeck, and any other OpenClaw dashboard. Three integration methods:

Automatic (zero config)

Every scan writes ~/.openclaw/.security-status.json with your grade, score, and panel statuses. Any dashboard that reads ~/.openclaw/ can display this data.

Embed Widget

Drop this into any dashboard:

<iframe src="http://localhost:7177/embed" width="320" height="130" frameborder="0"></iframe>

Supports ?theme=light for light-themed dashboards.

JSON API

Fetch security data from your dashboard's code:

const res = await fetch('http://localhost:7177/api/status');
const { grade, score, panels } = await res.json();

CORS is enabled on all endpoints.

IOC Database

This project maintains an open-source database of known malicious OpenClaw skills, publishers, C2 domains, and credential patterns. Sources include Koi Security, Antiy CERT, Snyk, Bitdefender, and BulwarkAI's ongoing monitoring.

1,184+ known malicious skills across 16 categories.

The IOC database is MIT licensed. Use it in your own projects.

API

GET /api/status returns JSON with your security grade, score, and panel statuses.

GET /api/scan triggers a fresh scan and returns results.

POST /api/fix applies auto-fixes and returns before/after comparison with backup path.

GET /api/fixable returns the count and list of auto-fixable findings (read-only).

GET /api/baseline/accept updates the identity file baseline to current hashes.

Configuration

# Custom port
SECURITY_DASHBOARD_PORT=8080 npx openclaw-security-dashboard

# Custom OpenClaw directory
OPENCLAW_DIR=/path/to/.openclaw npx openclaw-security-dashboard

FAQ

Does this replace openclaw security audit? No. The built-in audit is good but misses ~40% of the threat surface. This dashboard covers the gap: multi-directory skill scanning, IOC cross-reference, identity integrity, persistence detection, and session analysis.

Does this send data anywhere? No. Everything runs locally. Zero network calls. Your config never leaves your machine.

Can I use the IOC database in my own project? Yes. MIT licensed. Credit appreciated.

How do I update? npm update -g openclaw-security-dashboard — the service picks up the new version on next restart.

How do I check if it's running? openclaw-security-dashboard status — shows grade, watch interval, next scan, and version.

Where are the logs? ~/.openclaw/.dashboard-logs/dashboard.log — grade history in grade-history.jsonl in the same directory.

I found a false positive / want to report a malicious skill. Open an issue or PR. See CONTRIBUTING.md.

Contributing

See CONTRIBUTING.md for how to:

  • Report new malicious skills
  • Report false positives
  • Add new security checks
  • Improve the dashboard UI

About

Built by BulwarkAI — security hardening for OpenClaw deployments.

License

MIT