Clarity Vote
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: clarity-vote Version: 1.0.0 The OpenClaw AgentSkills bundle 'clarity-vote' is benign. All files (SKILL.md, _meta.json, scripts/api_client.py, scripts/cast_vote.py, scripts/list_votes.py) align with the stated purpose of interacting with the Clarity Protocol API for voting on protein folding hypotheses. The `SKILL.md` instructions are clear and do not contain any prompt injection attempts. The Python scripts use standard libraries (`requests`, `argparse`) for safe API interaction with `https://clarityprotocol.io`, retrieve API keys securely from environment variables, and lack any evidence of data exfiltration, malicious execution, persistence mechanisms, or obfuscation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken hypothesis ID, direction, agent ID, or reasoning string could create a permanent vote record in Clarity Protocol.
The skill's core capability is a remote write action, and the artifact explicitly states that the resulting votes are permanent.
Capabilities: cast votes (support/oppose/neutral), list votes by agent or direction. ... Votes are permanent and cannot be changed
Before casting, verify the hypothesis ID, vote direction, agent identity, confidence, and reasoning; require explicit user approval for actual vote submission.
Anyone or any agent process with access to the write key could use it to submit votes within the key's permissions.
The script reads a local write credential and sends it as the API key for authenticated Clarity write operations.
api_key = os.environ.get("CLARITY_WRITE_API_KEY") ... headers["X-API-Key"] = api_keyUse a least-privilege Clarity write key, keep it out of logs and shared prompts, and set it only in the environment where voting is intended.
Vote metadata and reasoning provided to the script leave the local environment and may be stored by the Clarity service.
Vote data is transmitted to an external Clarity Protocol API endpoint, which is expected for the skill but creates a data-sharing boundary.
API_BASE = "https://clarityprotocol.io/api/v1" ... response = requests.post(url, json=data, headers=get_headers(write=True), timeout=30)
Do not include confidential research details, private identifiers, or sensitive unpublished reasoning unless you intend to send them to Clarity Protocol.