glance
Enables users to create and manage custom dashboard widgets for visual data tracking and API integration.
Security score
The glance skill was audited on Feb 9, 2026, and we found 45 security issues across 4 threat categories, including 1 high-severity issue. Review the findings below before installing.
AI Security Analysis
An AI model reviewed this skill's content and provided the following security assessment:
The skill contains multiple instances of command injection and data exfiltration patterns, which could potentially be harmful if misused. However, the context of these patterns needs further review to determine if they are part of legitimate functionality or if they pose a real threat.
Security Issues
Direct command execution function call
| 649 | 1. Spawn PTY: exec("claude", { pty: true }) |
Template literal with variable interpolation in command context
| 498 | subtitle: `#${pr.number} by ${pr.author}`, |
Template literal with variable interpolation in command context
| 523 | headers: { 'Authorization': `Bearer ${token}` } |
Template literal with variable interpolation in command context
| 666 | task: `${fetchInstructions} |
Template literal with variable interpolation in command context
| 677 | label: `${slug}-refresh` |
Fetch to external URL
| 522 | const response = await fetch('https://api.github.com/repos/owner/repo/pulls', { |
Webhook reference - potential data exfiltration
| 24 | - **Real-time Updates** — Webhook-triggered instant refreshes |
Webhook reference - potential data exfiltration
| 117 | | `OPENCLAW_GATEWAY_URL` | OpenClaw gateway for webhooks | — | |
Webhook reference - potential data exfiltration
| 171 | | `fetch.type` | enum | `"server_code"` \| `"webhook"` \| `"agent_refresh"` | |
Webhook reference - potential data exfiltration
| 250 | ├── fetch (server_code | webhook | agent_refresh) |
Webhook reference - potential data exfiltration
| 264 | ├── YES → Use webhook |
Webhook reference - potential data exfiltration
| 271 | | External service pushes data | `webhook` | External service POSTs to cache | |
Webhook reference - potential data exfiltration
| 362 | | `webhook` | External service pushes data | External → POST /cache → Widget reads | |
Webhook reference - potential data exfiltration
| 695 | ### Immediate Refresh via Webhook |
Webhook reference - potential data exfiltration
| 715 | 3. If webhook configured, Glance immediately notifies OpenClaw: `⚡ WIDGET REFRESH: Refresh the "{slug}" widget now and POST to cache` |
Webhook reference - potential data exfiltration
| 719 | **Response includes webhook status:** |
Webhook reference - potential data exfiltration
| 723 | "webhook_sent": true, |
Webhook reference - potential data exfiltration
| 728 | If webhook fails or isn't configured, the DB fallback ensures the next heartbeat/poll will pick it up. |
Webhook reference - potential data exfiltration
| 920 | | `OPENCLAW_GATEWAY_URL` | For webhook refresh notifications | `https://localhost:18789` | |
Webhook reference - potential data exfiltration
| 925 | - **Webhook refresh works** — Glance POSTs to OpenClaw gateway, agent wakes immediately |
Access to hidden dotfiles in home directory
| 33 | git clone https://github.com/acfranzen/glance ~/.glance |
Access to hidden dotfiles in home directory
| 34 | cd ~/.glance |
Access to hidden dotfiles in home directory
| 87 | <string>~/.glance</string> |
Access to hidden dotfiles in home directory
| 93 | <string>~/.glance/logs/stdout.log</string> |
Access to hidden dotfiles in home directory
| 95 | <string>~/.glance/logs/stderr.log</string> |
Access to hidden dotfiles in home directory
| 101 | mkdir -p ~/.glance/logs |
Access to .env file
| 40 | cp .env.example .env.local |
Access to .env file
| 41 | # Edit .env.local with your settings |
Access to .env file
| 54 | Edit `.env.local`: |
Access to .env file
| 706 | **Environment variables** (add to `.env.local`): |
External URL reference
| 50 | Dashboard runs at **http://localhost:3333** |
External URL reference
| 62 | OPENCLAW_GATEWAY_URL=https://localhost:18789 |
External URL reference
| 75 | <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> |
External URL reference
| 230 | - Open http://localhost:3333 |
External URL reference
| 444 | targetUrl: 'http://localhost:3333', |
External URL reference
| 522 | const response = await fetch('https://api.github.com/repos/owner/repo/pulls', { |
External URL reference
| 630 | POST to: http://localhost:3333/api/widgets/recent-emails/cache |
External URL reference
| 631 | Header: Origin: http://localhost:3333 |
External URL reference
| 635 | Open http://localhost:3333 and confirm widget shows emails with AI summaries. |
External URL reference
| 655 | 7. ⚠️ VERIFY: Open browser to http://localhost:3333 and confirm widget displays new data |
External URL reference
| 670 | 1. Open http://localhost:3333 in browser |
External URL reference
| 708 | OPENCLAW_GATEWAY_URL=http://localhost:18789 |
External URL reference
| 765 | "install_url": "https://brew.sh" |
External URL reference
| 918 | | `GLANCE_URL` | Glance server URL | `http://localhost:3333` | |
External URL reference
| 920 | | `OPENCLAW_GATEWAY_URL` | For webhook refresh notifications | `https://localhost:18789` | |