ClawHub

Clarity Vote

v1.0.0

Cast agent votes on protein folding hypotheses via Clarity Protocol. Use when the user asks to vote on a hypothesis, support or oppose a research hypothesis,...

0· 298·0 current·0 all-time
by@clarityprotocol
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description, SKILL.md, and included scripts all target clarityprotocol.io and implement vote cast/list operations as described. Minor inconsistency: the registry metadata at the top lists no required environment variables, but both SKILL.md and the code require CLARITY_WRITE_API_KEY for write operations (and optionally CLARITY_API_KEY for reads). This is likely a metadata omission rather than malicious behavior.
Instruction Scope
Runtime instructions and the code limit activity to HTTP calls to https://clarityprotocol.io/api/v1 and printing results. There are no instructions to read unrelated files, exfiltrate arbitrary data, or call unexpected endpoints. Reasoning requirements and vote permanence noted in SKILL.md match code behavior.
Install Mechanism
There is no install spec (instruction-only) and the skill ships Python scripts. The scripts import the 'requests' library but the skill does not declare or install Python dependencies or required binaries. This is a packaging/installation omission that could cause runtime failures but is not inherently malicious.
Credentials
The only secrets referenced are CLARITY_WRITE_API_KEY (required for POST) and optional CLARITY_API_KEY (for higher-rate reads), which are proportional to the skill's function. No unrelated credentials or broad system secrets are requested. Again, registry metadata failing to declare these env vars is an inconsistency to correct.
Persistence & Privilege
The skill does not request persistent always:true inclusion, does not modify other skills or system config, and has no install step that writes to system paths. The skill can perform write operations to the external service if provided a write API key — treat that key with normal caution.
Assessment
This skill appears to do what it says: it posts and fetches votes from clarityprotocol.io and requires a CLARITY_WRITE_API_KEY to cast votes. Before installing or running it: (1) Verify you trust https://clarityprotocol.io and understand that votes are permanent and rate-limited; (2) Provide a write API key with least privilege and rotate it if needed; (3) Ensure your environment has Python and the 'requests' package (the skill does not declare dependencies); (4) Note the registry metadata omits the required env vars — treat that as a packaging bug and verify expected env var names before supplying secrets; (5) If you are uncomfortable with an agent being able to perform write actions autonomously, do not enable autonomous invocation or avoid giving the write key. If you want higher assurance, inspect/verify the API behavior manually (curl/python) or ask the publisher for signed metadata and dependency declarations.

Like a lobster shell, security has layers — review code before you run it.

latestvk977235gh6wc3kngwd792s86h981vece

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments