Community code plugin. Review compatibility and verification before install.
Latest release: v1.0.0
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The visualization purpose coherently explains reading OpenClaw sessions, logs, cron state, system metrics, and cluster status, but the implementation also exposes intervention commands, user/role/policy changes, audit export, session replay/export, SSO configuration, and cluster management through web APIs.
Instruction Scope
The README discloses dashboard monitoring and control, but the server enables broad CORS, binds to 0.0.0.0, and relies on caller-supplied roles or unsigned tokens rather than real authentication for sensitive routes.
Install Mechanism
The package uses ordinary npm scripts and an OpenClaw extension entrypoint with no install-time script observed, but the lockfiles pin many dependency tarballs to plain HTTP mirror URLs.
Credentials
Host introspection, ~/.openclaw file access, persistent file watching, OpenClaw CLI control commands, cluster health checks, and network discovery are broadly related to observability, but they are overexposed for a dashboard unless tightly scoped and authenticated.
Persistence & Privilege
The server writes users, roles, policies, audit logs, SSO configuration, and cluster records under ~/.openclaw, including optional cluster tokens that are later sent to configured cluster URLs.
Scan Findings in Context
[VirusTotal] expected: VirusTotal telemetry is clean, so it does not support a malicious verdict; artifact risks come from the package behavior and insecure exposure, not malware detections.
[SDI-2] expected: Cluster health checks and discovery fit multi-cluster monitoring, but the artifact confirms probing behavior and token-bearing requests to configured URLs without adequate host validation or access control.
[SDI-2] expected: Shell-based system collectors are expected for a local operations dashboard, but they expose host process and resource details through API routes.
[SDI-2] unexpected: High-impact controls for users, policies, replay, audit export, clusters, and auth configuration are not safely scoped because sensitive routes lack real server-side authentication and authorization.
[SDI-4] unexpected: The advertised immutable audit trail is under-supported because hashes are non-cryptographic and stored in the same writable local log.
[SDI-4] unexpected: The advertised JWT/SSO flow is not reliable because local login accepts caller-supplied identity and role, and token verification does not validate a real signature.
[SQP-2] expected: Reading ~/.openclaw agent and cron data is central to the dashboard, but the documentation does not sufficiently warn that prompts, outputs, logs, credentials, or personal data may be exposed through the web UI.
[SQP-3] unexpected: Plain HTTP dependency mirrors are avoidable supply-chain risk and not needed for the dashboard purpose.
[SQP-2] expected: Network scanning is related to cluster discovery, but the UI does not clearly explain scope or consequences before scanning.
[SQP-2] expected: Saving cluster URLs and optional tokens supports monitoring, but storage and protection of those credentials are under-disclosed.
[SQP-2] unexpected: Surfacing and copying raw auth tokens to the clipboard is not necessary for normal dashboard use and increases credential exposure risk.
[SQP-1] unexpected: The root lockfile HTTP mirror issue is a supply-chain weakness, but by itself would not justify escalation without the broader access-control concerns.
[SQP-2] expected: Session history, replay, and export are expected dashboard features, but they can expose sensitive conversation and tool-output data to any caller when not protected.
[SQP-2] expected: Sending bearer tokens during cluster health checks can be expected for authenticated monitoring, but it becomes a token disclosure path when cluster URLs are user-configurable and weakly governed.
[SQP-3] unexpected: Deriving token role semantics from Google user info is not a valid role-mapping design and reinforces that authorization should not be trusted.
What to consider before installing
Use only in an isolated local environment, and do not expose the server to a LAN or the internet. Before operational use, add real authentication and authorization, bind to localhost by default, restrict cluster URLs, protect or avoid stored tokens, regenerate lockfiles from HTTPS registries, and assume the dashboard can read/export local OpenClaw conversations and run OpenClaw control commands.
server/index.js:99
Shell command execution detected (child_process).
client/src/store.js:38
File appears to expose a hardcoded API secret or token.
server/index.js:2091
File appears to expose a hardcoded API secret or token.
server/index.js:200
Sensitive-looking file read is paired with a network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
🌀 OpenClaw Viz — Multi-Agent Work Visualization
<p> <a href="https://github.com/openclaw/openclaw"><img src="https://img.shields.io/badge/OpenClaw-2026.5.7-6C47FF" alt="OpenClaw"></a> <img src="https://img.shields.io/badge/v1.0-stable-6464ff" alt="Version"> <img src="https://img.shields.io/badge/license-MIT-green" alt="License"> <a href="https://nodejs.org"><img src="https://img.shields.io/badge/node-%3E%3D22-blue" alt="Node"></a> </p>
Industrial-grade dashboard for observing and controlling OpenClaw multi-agent systems.
Features
🤖 Agent Topology Graph
- Force-directed graph (D3.js) showing real-time agent relationships
- Node types: Agent · Session · Cron Job · Module
- Status indicators: active, idle, stale, error
- Drag, zoom, pan · Click-to-inspect
📊 Session Monitoring
- Real-time session list with status, token usage, cost
- Session history viewer with role-colored messages
- Module attribution · Fuzzy search & multi-filter · 4 sort modes
- JSON / Markdown export
⚡ Human Intervention Console
- Send messages to any active session
- Steer sub-agents with directional instructions
- Terminate runaway agents
🗂️ Project Intelligence
- Module dependency graph (11 workspace projects, 6 relationship types)
- Project timeline / Gantt with milestone markers
- Activity heatmap from daily memory files · Milestone tracker
- Task flow pipeline (Input → Processing → Completed)
🔔 Smart Alerts Engine
- Error spike detection · Stale session monitoring
- Token usage warnings · Model provider failure alerts
- Configurable alert thresholds
👥 Multi-User & RBAC
- User registration with viewer / operator / admin roles
- 10 fine-grained permissions across 3 roles
- Immutable audit trail with SHA-based hash chains
- SSO / JWT authentication (Google OIDC, GitHub, Microsoft stubs)
🎞️ Session Replay & A/B Testing
- Playback engine with 378-frame support
- 5 speed settings (0.5x–10x) · Timeline scrubber
- This week vs. last week metrics comparison
🛡️ Enterprise
- Multi-cluster monitoring with DNS-SD auto-discovery
- Prometheus / Grafana integration (7-panel dashboard export)
- API rate limiting (per-role) · Session-level audit export (JSON/CSV/JSONL)
- Intervention policy engine with 5 built-in rules
Prerequisites
- Node.js ≥ 22 (recommended 24)
- OpenClaw 2026.5.x running locally with a Gateway
- journalctl (optional, for live log viewer)
Quick Start
```bash
# Install dependencies
npm run install:all

# Development (hot reload)
npm run dev

# Production build
npm run build
npm start
```
⚠️ OpenClaw Gateway must be running on the same machine for Viz to connect. The dashboard reads session data from ~/.openclaw/agents/ and ~/.openclaw/cron/.
The dashboard will be available at http://localhost:3000.
Architecture
```
┌─────────────────────────────────────────────────────┐
│                   Browser (React)                   │
│  ┌──────────┐  ┌───────────┐  ┌──────────────────┐  │
│  │ Topology │  │  Session  │  │   Intervention   │  │
│  │  Graph   │  │  Monitor  │  │     Console      │  │
│  │ (D3.js)  │  │           │  │                  │  │
│  └─────┬────┘  └─────┬─────┘  └───────┬──────────┘  │
│        │             │                │             │
│  ┌─────┴─────────────┴────────────────┴──────────┐  │
│  │           Zustand Store + WebSocket           │  │
│  └─────────────────────┬─────────────────────────┘  │
└────────────────────────┼────────────────────────────┘
                         │ WebSocket + REST
┌────────────────────────┼────────────────────────────┐
│                   Express Server                    │
│  ┌─────────────────────┴─────────────────────────┐  │
│  │             Data Collection Layer             │  │
│  │ sessions.json │ JSONL logs │ cron │ processes │  │
│  └─────────────────────┬─────────────────────────┘  │
│                        │                            │
│  ┌─────────────────────┴─────────────────────────┐  │
│  │               OpenClaw Gateway                │  │
│  │    ~/.openclaw/agents/ │ ~/.openclaw/cron/    │  │
│  └───────────────────────────────────────────────┘  │
└─────────────────────────────────────────────────────┘
```
Tech Stack
| Layer | Technology |
|---|---|
| Frontend | React 18, Vite 6, TailwindCSS 3 |
| Visualization | D3.js 7 (force-directed graph) |
| State | Zustand 5 |
| Backend | Express 4, WebSocket (ws) |
| Real-time | chokidar (file watching) + WS push |
| Deployment | Docker, Node.js 24 |
Configuration
| Env Variable | Default | Description |
|---|---|---|
| PORT | 3000 | Server port |
| OPENCLAW_HOME | ~/.openclaw | OpenClaw data directory |
Development
```bash
# Run only server
npm run server

# Run only client
npm run client

# Full stack dev
npm run dev

# Build for production
npm run build
```
Version Evolution
| Version | Highlights |
|---|---|
| V4.1 | OIDC SSO (Google), API rate limiting, cluster auto-discovery, Grafana JSON export, session-level audit export |
| V4.0 | RBAC permission matrix, immutable audit trail, multi-cluster monitoring, Prometheus/Grafana integration, SSO/JWT auth |
| V3.0 | Multi-user system, intervention policy engine, session replay, A/B test comparison |
| V2.0 | Project dependency graph, timeline/Gantt, activity heatmap, milestone tracker, task flow pipeline, smart alerts |
| V1.1 | Session search & filter, cron management, performance metrics dashboard, session export |
| V1.0 | Agent topology graph, session monitoring, intervention console, WebSocket real-time updates, gateway log viewer, system metrics |
Planned: SAML SSO, webhook alerting (Slack/PagerDuty), policy chaining, replay bookmarks, PDF export.
Contributing
See CONTRIBUTING.md.
