Is command-center safe?
https://clawhub.ai/jontsai/command-center
Command Center is a legitimate monitoring dashboard for OpenClaw AI orchestration, but it raises significant security concerns. The most critical issue is that the server process reads AWS credentials during startup, and it runs a persistent HTTP server with unauthenticated API endpoints that expose system vitals, session data, and cost information. While no outbound data exfiltration was observed during the audit, the combination of sensitive file access and a network-accessible API with no default authentication creates meaningful risk.
Findings (9)
CRITICAL: AWS credentials accessed during startup (-35)
Filesystem monitoring detected the server process opening and reading /home/oc-exec/.aws/credentials during startup. AWS credential files typically contain access key IDs and secret access keys that provide access to cloud infrastructure. While no outbound network exfiltration was observed during the audit window, the server runs persistently and could transmit this data later via its HTTP API or SSE stream.
HIGH: Reads .env and auth-profiles during startup (-15)
The server process reads /home/oc-exec/.env and /home/oc-exec/.openclaw/agents/main/agent/auth-profiles.json during startup. The .env file commonly contains API keys, database credentials, and other secrets. The auth-profiles file likely contains authentication tokens for AI services.
HIGH: Persistent HTTP server with unauthenticated API (-25)
The skill starts a persistent HTTP server on port 3333 with API endpoints that expose system vitals, session data, token usage, cost information, and operator details. Authentication defaults to 'none', meaning anyone with network access to the machine can query all this data. The /api/jobs/:id/run endpoint can trigger job execution.
MEDIUM: Cloudflare tunnel option exposes local server publicly (-10)
scripts/start.sh includes a --tunnel flag that launches a Cloudflare tunnel (cloudflared) to expose the local dashboard to the public internet. Combined with the default no-auth mode, this could make all system monitoring data publicly accessible.
MEDIUM: Repeated reads of shell profile files (-10)
The server process reads /home/oc-exec/.profile and /home/oc-exec/.bashrc multiple times during startup. Shell profile files may contain exported environment variables with API keys, tokens, and other sensitive configuration.
MEDIUM: Extensive file creation in /tmp during startup (-15)
The startup process created a gateway lock file in /tmp/openclaw-1000/ and compiled multiple .cjs files in /tmp/jiti/, indicating significant code compilation and execution during startup that goes beyond what a simple dashboard would require.
LOW: Dashboard aggregates sensitive operational data (-5)
The command center aggregates session monitoring, token usage, cost data, operator information, and system vitals into a single API endpoint. While this is its intended purpose, it creates a single point of information disclosure if the server is compromised or accessed by unauthorized parties.
INFO: Clean SKILL.md with no injection attempts (0)
The SKILL.md file contains standard documentation with no hidden instructions, unicode tricks, HTML comments with hidden content, or attempts to override system instructions. The install metadata correctly describes the server start command.
INFO: No malicious npm scripts or git hooks (0)
package.json has no preinstall or postinstall scripts. The prepare script is benign ('echo Ready to spawn Overlords'). No .githooks directory, no .gitattributes filters, no git submodules, and no symlinks detected.