ClawRank
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: clawrank
Version: 2.5.1
The clawrank skill is a telemetry and leaderboard integration that reports AI agent token usage and GitHub activity metrics to clawrank.dev. The Python script (ingest.py) parses local OpenClaw session transcripts to aggregate token counts and uses the 'gh' CLI to collect commit and PR statistics. While the script handles sensitive information—such as exchanging a GitHub OAuth token for a service token during auto-setup and reading session metadata—its actions are transparent, well-documented in SKILL.md, and strictly limited to the metadata required for a leaderboard without exfiltrating actual conversation content or private keys.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user asking to get ranked could have identity-linked usage data uploaded and a local ClawRank token written before they have reviewed exactly what will be sent.
The first-run path combines authenticated GitHub identity use, credential persistence, and immediate upload without instructing the agent to show a dry-run payload or ask for separate approval before the first submission.
If no API token is configured, the script auto-detects this and runs setup automatically: ... Gets the user's GitHub identity from `gh` CLI ... Saves the token to `~/.openclaw/openclaw.json` ... Runs the first ingestion immediately
Separate setup from first submission, show a dry-run summary by default, and ask for explicit approval before saving the token or uploading the first payload.
If gh is authenticated, the skill can collect contribution metadata from private, organization, or otherwise sensitive repositories depending on the account's access.
The script uses the authenticated GitHub CLI to call GitHub APIs and list all repositories accessible to the account, rather than requiring an explicit repository allow-list.
cmd = ["gh", "api", endpoint, "--header", "Accept: application/vnd.github+json"] ... repos = _gh_api("/user/repos?sort=pushed&per_page=100&type=all", paginate=True)
Require explicit opt-in for GitHub metrics, provide a repository allow-list or private-repo exclusion, and display the GitHub metrics payload before submission.
Your local agent history is scanned to derive usage statistics that leave your machine for ClawRank.
The skill reads persistent local agent transcripts, which may be sensitive, although the documented purpose is to upload aggregated token-usage facts rather than full transcript contents.
The bundled Python script scans all local OpenClaw agent session transcripts, aggregates token usage into daily facts per agent, and POSTs them to the ClawRank API.
Use `--dry-run` first and verify the payload; only run it if you are comfortable sharing aggregate agent usage with ClawRank.
If enabled, the skill will continue uploading usage data daily until the cron job is removed.
The recurring mode creates persistent automated behavior, but SKILL.md frames it as opt-in and documents how to check status and opt out.
If yes, re-run with `--recurring` ... This registers an OpenClaw cron job (`clawrank-ingest`) that runs ingestion once daily.
Enable recurring submission only if you want ongoing uploads, and periodically check `openclaw cron list` for the `clawrank-ingest` job.
