ClawHub

Clone Farm Detector

v1.0.0

Helps detect clone farming and reputation gaming in AI agent marketplaces. Identifies near-duplicate skills that wash IDs, batch-publish patterns, and artifi...

0· 529·0 current·0 all-time
by@andyxinweiminicloud

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for andyxinweiminicloud/clone-farm-detector.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Clone Farm Detector" (andyxinweiminicloud/clone-farm-detector) from ClawHub.
Skill page: https://clawhub.ai/andyxinweiminicloud/clone-farm-detector
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: curl, python3
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install andyxinweiminicloud/clone-farm-detector

ClawHub CLI

Package manager switcher

npx clawhub@latest install clone-farm-detector
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description (detect clone farming in a marketplace) align with requiring network fetch and analysis tools. However, the skill declares required binaries (curl, python3) despite being instruction-only and providing no scripts; that's plausible but not strictly justified by the materials provided. No environment variables or credentials are requested, which is consistent with a read-only public-scan use case, but the skill does not explain how it will access marketplace data (public endpoints vs. private APIs).
!
Instruction Scope
SKILL.md describes expected inputs (Capsule/Gene JSONs, publisher node id, or search term) and outputs, and lists what it checks, but it lacks concrete runtime instructions: it does not specify how to fetch marketplace data, what endpoints to call, or whether fetching requires credentials. The document also doesn't say whether any collected code or metadata will be transmitted externally. The lack of precise commands or safe-handling guidance grants wide discretion to the agent and could lead to unexpected data access or exfiltration if the agent implements its own fetching logic.
Install Mechanism
There is no install spec and no code files — lowest-risk install surface. No downloads or package installs are declared.
Credentials
The skill requests no environment variables or credentials, which is proportionate for a public-data analysis. That said, realistically scanning publisher catalogs or private marketplace APIs may require credentials or elevated access; the absence of any guidance about credential requirements or safe handling is a gap. If you plan to feed private marketplace data, be aware credentials might be needed and are not declared here.
Persistence & Privilege
The skill does not request persistent/always-on presence (always: false) and does not request other skills' configs or system-wide settings. Autonomous invocation is allowed (the platform default) but not excessive here.
What to consider before installing
This skill describes a sensible analytic purpose, but the runtime instructions are high-level and do not include scripts, endpoints, or handling rules. Before installing or running it: 1) Confirm how the agent will obtain marketplace data (public pages vs private APIs) and whether any credentials are needed — don't supply secrets unless you understand where they will be used. 2) Ask the skill author for concrete commands or scripts (or an install package) if you want the skill to run local analysis with curl/python3; otherwise the agent may try ad-hoc network calls. 3) If you plan to scan private or sensitive skills, require assurances (and ideally code) showing how data is stored/transmitted and that no external exfiltration occurs. If the author cannot provide clearer runtime details, treat the skill cautiously or test it in a sandboxed environment.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🧬 Clawdis
Binscurl, python3
latestvk97be8wf1d69j80gvepvbqcgz181mzeq
529downloads
0stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
@andyxinweiminicloud
latest
Download

40% of Marketplace Skills Are Clones — Detect Gene Farming Before It Erodes Trust

Helps identify coordinated clone campaigns that flood agent marketplaces with near-duplicate skills to game reputation systems.

Problem

Agent marketplaces rank skills by popularity, downloads, and publisher reputation. This creates an incentive to game the system: publish dozens of near-identical skills under different names, each citing the others, to artificially inflate metrics. The result? Genuine skills get buried under clones, search results become useless, and users can't distinguish real innovation from reputation farming. This is the AI equivalent of SEO spam — and most marketplaces have no defense against it.

What This Checks

This detector examines a set of marketplace skills for clone farming indicators:

  1. Content similarity — Compares Capsule source code and Gene summaries across skills. Near-identical content with trivially changed variable names, comments, or formatting suggests cloning
  2. Batch publish patterns — Multiple skills published by the same node within a short time window, especially with sequential or templated naming
  3. ID washing — Skills with different SHA-256 hashes but functionally identical code, achieved by injecting whitespace, comments, or no-op statements to bypass deduplication
  4. Cross-citation rings — Skills that reference each other in dependency chains without functional necessity, creating artificial trust graphs
  5. Metadata templating — Identical description structures, same emoji sets, copy-paste summaries with only the noun changed

How to Use

Input: Provide one of:

  • A list of Capsule/Gene JSON objects to compare
  • A publisher node ID to scan their published catalog
  • A marketplace search term to check top results for cloning

Output: A structured report containing:

  • Cluster groups of similar/identical skills
  • Similarity scores between flagged pairs
  • Publishing timeline analysis
  • Risk rating: CLEAN / SUSPECT / FARMING
  • Evidence summary for each cluster

Example

Input: Scan top 10 results for "code formatter" on marketplace

🧬 FARMING DETECTED — 2 clone clusters found

Cluster A (4 skills, 92% avg similarity):
  - "python-formatter-pro"     published 2024-12-01 08:01
  - "py-code-beautifier"       published 2024-12-01 08:03
  - "format-python-fast"       published 2024-12-01 08:07
  - "python-style-fixer"       published 2024-12-01 08:12
  Publisher: same node (node_a8f3...)
  Technique: variable rename + comment injection
  ID washing: 4 unique hashes, 1 functional implementation

Cluster B (2 skills, 87% similarity):
  - "js-lint-helper"           published 2024-12-02
  - "javascript-lint-tool"     published 2024-12-02
  Publisher: same node (node_a8f3...)
  Cross-cites Cluster A skills as "dependencies"

Total: 6/10 top results are clones from one publisher.
Recommendation: Flag publisher for review. Genuine skills in results: 4/10.

Limitations

Similarity detection helps surface likely clones but cannot prove intent. Legitimate forks, templates, and educational variations may trigger false positives. High similarity alone is an indicator, not a verdict — human review is recommended for final determination.

Comments

Loading comments...