Security Dashboard
by @vegasbrianc
Real-time security monitoring dashboard for OpenClaw and Linux server infrastructure. Monitors gateway status, network security, public exposure, system updates, SSH access, TLS certificates, and resource usage.
clawhub install security-dashboardπ About This Skill
name: security-dashboard description: Real-time security monitoring dashboard for OpenClaw and Linux server infrastructure. Monitors gateway status, network security, public exposure, system updates, SSH access, TLS certificates, and resource usage.
Security Dashboard Skill
Real-time security monitoring dashboard for OpenClaw and Linux server infrastructure.
Features
Installation
1. Install the Skill
cd /root/clawd/skills/security-dashboard
sudo ./scripts/install.sh
This will:
openclaw-dashboard user with limited sudo privileges (if non-root)Security Note: Running as a dedicated user with limited sudo is recommended. The dashboard only needs sudo for security checks (fail2ban, firewall, systemctl status) - not full root access.
2. Access the Dashboard
Localhost only (secure by default):
Via SSH port forwarding:
ssh -L 18791:localhost:18791 root@YOUR_SERVER_IP
Then visit: http://localhost:18791
Usage
Start/Stop/Restart
sudo systemctl start security-dashboard
sudo systemctl stop security-dashboard
sudo systemctl restart security-dashboard
Check Status
sudo systemctl status security-dashboard
View Logs
sudo journalctl -u security-dashboard -f
API Endpoint
Get raw security metrics:
curl http://localhost:18791/api/security | jq
Security Hardening
The dashboard follows security best practices to minimize attack surface:
Dedicated User (Recommended)
The install script creates aopenclaw-dashboard user with limited sudo privileges:
/bin/false)Systemd Hardening
Service runs with security restrictions:NoNewPrivileges=true # Cannot escalate privileges
PrivateTmp=true # Isolated tmp directory
ProtectSystem=strict # Read-only filesystem except skill dir
ProtectHome=true # No access to /home
ReadWritePaths=... # Only skill directory is writable
Restart=on-failure # Restart only on crashes (not always)
Network Binding
127.0.0.1 (localhost only)Running as Root (Not Recommended)
If you chooseroot during install:
Use the dedicated user option for production deployments.
Configuration
Change Port
Edit /root/clawd/skills/security-dashboard/server.js:
const PORT = 18791; // Change this
Then restart:
sudo systemctl restart security-dashboard
Change Binding
Default: 127.0.0.1 (localhost only - secure)
Alternative: 0.0.0.0 (all interfaces - only with Tailscale!)
Edit server.js line 445:
server.listen(PORT, '127.0.0.1', () => {
// Change '127.0.0.1' to '0.0.0.0' if needed
});
β οΈ Security Warning: Only bind to 0.0.0.0 if behind Tailscale or firewall!
Customize Metrics
Add custom checks in server.js:
getOpenClawMetrics() - OpenClaw-specific metricsgetNetworkMetrics() - Network securitygetSystemMetrics() - System-level checksgetPublicExposure() - Port/binding analysisDashboard Sections
π¦ OpenClaw Security
π Network Security
π Public Exposure
π₯οΈ System Security
π SSH & Access Control
π Certificates & TLS
π Resource Security
Security Alerts
Dashboard generates real-time alerts:
Critical (Red):
Warning (Yellow):
Info (Blue):
Integration Points
Morning Briefing
Add security status to morning report:curl -s http://localhost:18791/api/security | jq '.status'
Heartbeat Checks
Monitor for critical alerts:curl -s http://localhost:18791/api/security | \
jq '.alerts[] | select(.level == "critical")'
Alerting Integration
Pipe alerts to notification systems:./scripts/check-alerts.sh | xargs -I {} notify-send "Security Alert" "{}"
Architecture
Backend: Node.js HTTP server Frontend: Vanilla JavaScript (no frameworks) Port: 18791 (configurable) Binding: 127.0.0.1 (localhost only) Service: systemd unit
Files:
server.js - Main backend (metrics collection + API)public/index.html - Dashboard UIlib/ - Shared utilities (if needed)Dependencies
systemctl - Service managementss - Socket statisticsufw or firewalld - Firewall checktailscale - VPN status (optional)fail2ban - Ban tracking (optional)openclaw - Gateway monitoringAll dependencies are standard Linux utilities except OpenClaw.
Troubleshooting
Dashboard not loading
1. Check service status:
sudo systemctl status security-dashboard
2. Check logs:
sudo journalctl -u security-dashboard -n 50
3. Verify port is listening:
ss -tlnp | grep 18791
4. Test API directly:
curl http://localhost:18791/api/security
Gateway Status "Unknown"
pgrep -f openclaw-gateway
cat ~/.openclaw/openclaw.json
Metrics showing "Unknown"
Uninstall
sudo systemctl stop security-dashboard
sudo systemctl disable security-dashboard
sudo rm /etc/systemd/system/security-dashboard.service
sudo systemctl daemon-reload
Then remove skill directory:
rm -rf /root/clawd/skills/security-dashboard
Publishing
To publish to ClawdHub:
clawdhub publish security-dashboard
License
MIT
Author
Created by Erdma for Brian Christner's infrastructure monitoring.
π‘ Examples
Start/Stop/Restart
sudo systemctl start security-dashboard
sudo systemctl stop security-dashboard
sudo systemctl restart security-dashboard
Check Status
sudo systemctl status security-dashboard
View Logs
sudo journalctl -u security-dashboard -f
API Endpoint
Get raw security metrics:
curl http://localhost:18791/api/security | jq
βοΈ Configuration
Change Port
Edit /root/clawd/skills/security-dashboard/server.js:
const PORT = 18791; // Change this
Then restart:
sudo systemctl restart security-dashboard
Change Binding
Default: 127.0.0.1 (localhost only - secure)
Alternative: 0.0.0.0 (all interfaces - only with Tailscale!)
Edit server.js line 445:
server.listen(PORT, '127.0.0.1', () => {
// Change '127.0.0.1' to '0.0.0.0' if needed
});
β οΈ Security Warning: Only bind to 0.0.0.0 if behind Tailscale or firewall!
Customize Metrics
Add custom checks in server.js:
getOpenClawMetrics() - OpenClaw-specific metricsgetNetworkMetrics() - Network securitygetSystemMetrics() - System-level checksgetPublicExposure() - Port/binding analysisπ Tips & Best Practices
Dashboard not loading
1. Check service status:
sudo systemctl status security-dashboard
2. Check logs:
sudo journalctl -u security-dashboard -n 50
3. Verify port is listening:
ss -tlnp | grep 18791
4. Test API directly:
curl http://localhost:18791/api/security
Gateway Status "Unknown"
pgrep -f openclaw-gateway
cat ~/.openclaw/openclaw.json