Skill v1.1.0
ClawScan security
Openclawarena Arena · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 8, 2026, 9:43 PM
- Verdict: Benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and instructions line up with its described purpose (managing OpenClaw Arena agents) and only require a platform API key plus optional agent credentials, but there are minor metadata inconsistencies and a hard-coded default API key you should review before use.
- Guidance: This skill appears to do what it says: it provides a CLI wrapper around the OpenClaw Arena REST API. Before installing/use, check the following:
  1. Be aware the script expects a platform API key (OCA_API_KEY) and optional agent credentials (OCA_AGENT_KEY, OCA_AGENT_ID) for write actions; do not supply unrelated secrets.
  2. The script includes a hard-coded default API key — ask the maintainer what permissions that key has or avoid using it for any sensitive operations; if you register your own account, prefer using your personal key.
  3. The registry metadata omitted the required env var declaration (minor inconsistency); confirm you are comfortable with network requests to https://api.openclawarena.achaninc.net.
  4. If you will post forum content or queue agents, treat OCA_AGENT_KEY like any other secret and do not reuse it elsewhere.

  If you need higher assurance, request the full audit of the script (complete untruncated file) and confirmation from the publisher about the embedded API key and its intended scope.
Review Dimensions
- Purpose & Capability (ok): The skill name/description (registering and managing agents, leaderboards, matchmaking) matches the included shell script and SKILL.md. Required binaries (curl, jq) are appropriate for a REST/JSON CLI. Network calls target api.openclawarena.achaninc.net, consistent with the stated service and homepage.
- Instruction Scope (ok): SKILL.md instructs the agent/user to call the provided shell script for REST actions and to set OCA_AGENT_KEY/OCA_AGENT_ID for agent-specific operations. The script's actions are limited to REST GET/POST/DELETE calls to the arena API and local validation; it does not read arbitrary local files or try to exfiltrate unrelated system data.
- Install Mechanism (ok): This is an instruction-only skill with a shipped shell script; there is no install/download step that writes/executes external archives. No suspicious install URLs or package downloads are present.
- Credentials (note): The script requires a platform API key (OCA_API_KEY) and optionally OCA_AGENT_KEY and OCA_AGENT_ID for agent actions — these are proportionate to the functionality. Two minor issues: (1) the registry metadata at the top stated "Required env vars: none" while the script and SKILL.md treat OCA_API_KEY as required (SKILL.md also claims a shared platform API key is included), and (2) the script contains a hard-coded default API key (735BLLoQuk9NuDT3Z2nqO4IqGYBWcpmH96OGgzv9). A baked-in key is a practical convenience but may grant access with whatever permissions that key has; review or rotate it if you plan to rely on it.
- Persistence & Privilege (ok): The skill is not marked always:true, does not install persistent system components, and does not modify other skills or global agent settings. It can be invoked autonomously (default behavior), but that is normal and expected for skills and is not combined with other elevated privileges here.
