ClawHub

CleanApp Report Submission

v0.1.1

Submit real-world issue reports (trash, hazards, infrastructure problems) to CleanApp's global routing pipeline. Your observations become actionable — routed...

0· 1k·0 current·0 all-time
by@borisolver

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for borisolver/cleanapp.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "CleanApp Report Submission" (borisolver/cleanapp) from ClawHub.
Skill page: https://clawhub.ai/borisolver/cleanapp
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install borisolver/cleanapp

ClawHub CLI

Package manager switcher

npx clawhub@latest install cleanapp
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name, description, SKILL.md, and code all align: the skill submits problem reports to CleanApp's /v1/reports:bulkIngest. The code only makes HTTPS calls to the declared base URL and manipulates user-provided JSON payloads. Minor packaging inconsistency: the top-level registry metadata in the provided bundle claims 'Required env vars: none' and 'Primary credential: none', but the package manifest and SKILL.md declare CLEANAPP_API_TOKEN as a required secret. This appears to be a packaging/metadata error rather than functional misalignment.
Instruction Scope
SKILL.md and scripts restrict behavior to building payloads, applying optional location/media redaction, and POSTing to CleanApp. There is a true dry-run mode that prints payload without network. The runtime instructions do not request reading unrelated system files or contacting other endpoints.
Install Mechanism
No remote downloads or install spec; this is an instruction+script package with all referenced scripts included. No dynamic fetching of remote scripts or execution of code from arbitrary URLs.
Credentials
Runtime code and SKILL.md require only a single bearer token (CLEANAPP_API_TOKEN) and optionally CLEANAPP_BASE_URL plus non-sensitive agent metadata env vars. That credential is proportionate to the described purpose. However, the registry-level 'Requirements' block provided to the evaluator lists no required env vars, while manifest.json and SKILL.md declare CLEANAPP_API_TOKEN — this mismatch should be resolved (manifest/SKILL.md are correct for runtime behavior).
Persistence & Privilege
The skill does not request 'always: true' or any elevated platform privileges, does not modify other skills, and does not persist arbitrary tokens to other config locations. It performs standard client-side HTTP calls only when invoked.
Assessment
This package appears to do exactly what it says: build JSON report payloads and POST them to CleanApp. Before installing or running it, consider the following: - Expect to provide one secret: CLEANAPP_API_TOKEN (a Fetcher API key). Store it as a secret in your platform rather than pasting into chat or logs. The manifest and SKILL.md require it even though the top-level registry note omitted it. - Test using --dry-run first to confirm payload shape and that approximate-location / no-media options behave as you expect. - Use a low-privilege / quarantine fetcher key for initial testing and rotate/revoke it after use. Don’t use a production/promoted key until you’ve validated behavior. - Review the included scripts (ingest.py and scripts/submit_report.sh) yourself — they are small and readable; there is no remote fetching or obfuscated code in the package. - If you plan to run this in an automated agent, ensure the token is scoped and monitored (rate limits, quotas, and ability to revoke). The only real issue is the metadata mismatch about required env vars (packaging error). If that is corrected, the skill is internally coherent.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b615n529ze5n5rdtxzzwpfx816kwe
1kdownloads
0stars
2versions
Updated 2mo ago
v0.1.1
MIT-0
@borisolver
latest
Download

SKILL: CleanApp Ingest v1 (OpenClaw/ClawHub)

This is a skill package that lets an agent submit reports into CleanApp using the Fetcher Key System:

  • POST /v1/fetchers/register (one-time key issuance)
  • POST /v1/reports:bulkIngest (bulk ingest, quarantine-first)
  • GET /v1/fetchers/me (introspection)

This is not a long-lived agent running inside the CleanApp backend. It’s a client-side integration that talks to CleanApp over HTTPS.

Why This Is Safe (Compartmentalized)

  1. The only secret in the agent is a revocable CleanApp API key (CLEANAPP_API_TOKEN).
  2. New keys default to a quarantine lane on the backend:
    • Stored + analyzed
    • Not publicly published
    • Not routed to brands/municipalities
    • Not rewarded
  3. The backend enforces:
    • rate limits / quotas
    • idempotency (source_id)
    • kill switches (revoke/suspend)

So even if an agent is prompt-injected, the blast radius is limited to “submitting more quarantined reports” until the key is revoked.

Required Secret

  • CLEANAPP_API_TOKEN (Bearer token). Get it once via:
    • POST /v1/fetchers/register (see references/API_REFERENCE.md)
    • Store it as a ClawHub/OpenClaw secret; never paste into chat logs.

Optional env:

  • CLEANAPP_BASE_URL (default https://live.cleanapp.io)

Data Handling (Minimal by Default)

This skill submits:

  • title, description (text)
  • optional lat/lng (location)
  • optional media[] metadata (URL/SHA/content-type)

Recommended low-risk defaults:

  • --approx-location (round coordinates to reduce precision)
  • --no-media (drop media metadata unless needed)

Idempotency (Important)

Every item must include a stable source_id. The backend enforces:

  • UNIQUE(fetcher_id, source_id)
  • retries won’t duplicate rows if you reuse the same source_id

Usage

Bulk ingest from JSON (recommended)

export CLEANAPP_API_TOKEN="cleanapp_fk_live_..."
python3 ingest.py \\
  --base-url https://live.cleanapp.io \\
  --input examples/sample_items.json \\
  --approx-location \\
  --no-media

Dry run (no network)

python3 ingest.py --input examples/sample_items.json --dry-run

Single-item helper (shell)

This is useful for quick manual submissions while debugging.

export CLEANAPP_API_TOKEN="cleanapp_fk_live_..."
./scripts/submit_report.sh --title "Broken elevator" --description "Stuck on floor 3" --lat 34.0702 --lng -118.4441 --approx-location

Promotion (Out of Quarantine)

Promotion is a reviewed process. As you build reputation, CleanApp can:

  • raise caps
  • allow public publishing/routing/rewards

See:

  • POST /v1/fetchers/promotion-request
  • GET /v1/fetchers/promotion-status

References

  • Swagger UI: https://live.cleanapp.io/v1/docs
  • OpenAPI YAML: https://live.cleanapp.io/v1/openapi.yaml
  • references/API_REFERENCE.md in this package

Comments

Loading comments...