clawtime
Facilitates the installation and configuration of ClawTime, a self-hosted webchat UI for OpenClaw, with advanced authentication and voice features.
Install this skill
Security score
The clawtime skill was audited on Mar 3, 2026 and we found 23 security issues across 4 threat categories, including 1 critical. Review the findings below before installing.
Categories Tested
Security Issues
Direct command execution function call
| 135 | `child_process.execFile()` with argument arrays instead of `child_process.exec()` with string |
Node child_process module reference
| 135 | `child_process.execFile()` with argument arrays instead of `child_process.exec()` with string |
Access to hidden dotfiles in home directory
| 34 | - filesystem (~/Projects/clawtime, ~/.clawtime, ~/.cloudflared, ~/Library/LaunchAgents) |
Access to hidden dotfiles in home directory
| 80 | # Edit ~/.cloudflared/config.yml: |
Access to hidden dotfiles in home directory
| 83 | **~/.cloudflared/config.yml:** |
Access to hidden dotfiles in home directory
| 196 | - Keypair auto-generated in `~/.clawtime/device-key.json` on first run |
Access to hidden dotfiles in home directory
| 199 | - If device auth fails → delete `~/.clawtime/device-key.json` and restart |
Access to hidden dotfiles in home directory
| 235 | cat ~/.openclaw/openclaw.json | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('gateway',{}).get('token',''))" |
Access to hidden dotfiles in home directory
| 244 | echo '[]' > ~/.clawtime/credentials.json |
Access to hidden dotfiles in home directory
| 248 | rm ~/.clawtime/device-key.json |
Access to system keychain/keyring
| 33 | - keychain (store/retrieve GATEWAY_TOKEN and SETUP_TOKEN) |
Access to system keychain/keyring
| 169 | Instead of passing tokens as plaintext env vars or in plist files, store them in macOS Keychain: |
Access to system keychain/keyring
| 172 | # Store tokens in Keychain |
Access to system keychain/keyring
| 231 | # From macOS Keychain |
External URL reference
| 43 | `http://localhost` only works on the same machine — not from a phone on your network. |
External URL reference
| 48 | iPhone/Browser → https://portal.yourdomain.com → Cloudflare Tunnel → localhost:3000 (ClawTime) → ws://127.0.0.1:18789 (OpenClaw Gateway) |
External URL reference
| 90 | service: http://localhost:3000 |
External URL reference
| 102 | openclaw config patch '{"gateway":{"controlUi":{"allowedOrigins":["https://portal.yourdomain.com"]}}}' |
External URL reference
| 113 | PUBLIC_URL=https://portal.yourdomain.com \ |
External URL reference
| 122 | PUBLIC_URL=https://portal.yourdomain.com \ |
External URL reference
| 146 | 1. Open `https://portal.yourdomain.com/?setup=<your-setup-token>` in **Safari** |
External URL reference
| 151 | After registration, access ClawTime at `https://portal.yourdomain.com`. |
External URL reference
| 182 | PUBLIC_URL=https://portal.yourdomain.com \ |