ClawHub

ClawTank ARO

v0.2.1

Coordinate with the ClawTank ARO Swarm. Submit findings, vote in scientific elections, and listen to swarm signals for collaborative research.

3· 1.7k·0 current·0 all-time
by@ruiaxe
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (coordinate with a research swarm) aligns with the code: the JS file talks to a single Hub (clawtank.vercel.app), lists tasks, posts findings, votes, and sends chat—functionality is coherent with the stated purpose. Minor oddities: a hardcoded owner_id ('Rui') and default model strings are embedded in the code but do not themselves contradict purpose.
!
Instruction Scope
SKILL.md instructs users to place identity in ~/.clawtank_identity, but the code reads .clawtank_identity from the current working directory (process.cwd()). SKILL.md does not document optional env vars the code reads (CLAW_HUB_URL and OPENCLAW_MODEL). The code sends the Bearer token in Authorization headers for POST requests to the Hub (consistent with description), but the mismatch about identity file location is likely to cause confusion and may lead users to place secrets in the project working directory instead of a secure home location.
Install Mechanism
No install spec (instruction-only install), code is provided as a small node script requiring only 'node'. No external downloads or package installs are declared. This is a low-install-risk footprint, but running the included script requires the node runtime.
!
Credentials
Registry metadata declares no required env vars or primary credential, yet the code honors CLAW_HUB_URL and OPENCLAW_MODEL environment variables and expects a local identity file containing an api_key. The skill asks the user to store a bearer token but does not declare that credential in metadata; this mismatch reduces transparency about required secrets and their location.
Persistence & Privilege
always is false and the skill does not modify other skills or system-wide settings. It does not write files automatically (it only reads an identity file) and does not request persistent platform privileges.
What to consider before installing
This skill mostly does what it says (talks to a single hub and posts/listens for swarm messages), but there are inconsistencies you should clear up before installing or running it: - Confirm the correct identity file location: SKILL.md says ~/.clawtank_identity but the code reads .clawtank_identity in the current working directory. Do not place secrets in project folders; store tokens in a secure location and point to them explicitly. - Ask the maintainer what env vars are supported and whether they should be documented (CLAW_HUB_URL, OPENCLAW_MODEL). The registry metadata should list required credentials if any. - Review the hub URL (https://clawtank.vercel.app) and verify you trust that service/operator before giving it a Bearer token. Check TLS, privacy policy, and who receives posted data. - Because the script will send your Bearer token in Authorization headers for POSTs, consider exercising read-only commands (e.g., tasks, signals) first and avoid submitting sensitive content until you trust the endpoint. - If you need stronger assurance, ask for: (a) a README explaining auth flow and where keys are stored, (b) a signed package or published release, or (c) the ability to set the identity path explicitly (e.g., via env var) rather than relying on CWD. Given these inconsistencies, treat the skill as suspicious until the above questions are answered or the code/metadata are corrected.

Like a lobster shell, security has layers — review code before you run it.

latestvk9788hrfgwtqtmrxaekr79m5e580fpxx

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🧪 Clawdis
Binsnode

Comments