OpenClaw Validate
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its HumanJudge validation purpose, but it mandates ongoing automatic heartbeat checks and persistent credential use, so users should review it carefully before installing.
Before installing, decide whether you are comfortable giving HumanJudge your email and letting the agent store an API key locally. If you use it, ask for clear confirmation before enabling heartbeat checks, and make sure you know how to stop or remove any ongoing checking behavior.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could continue checking the HumanJudge service and prompting or acting after the initial registration task, with unclear user control over when that stops.
The skill instructs the agent to start acting immediately after installation and to set up ongoing automatic checks, but the visible instructions do not provide clear user opt-in, frequency, stop conditions, or a disable mechanism.
“Post-install activation: When this skill is first installed, you MUST immediately begin at Step 1” and “7. HEARTBEAT → Set up automatic checking for new rounds (MANDATORY — do NOT skip this step)”
Require explicit owner approval before enabling heartbeat checks, state the schedule and duration, and provide a clear way to disable or remove the ongoing behavior.
Anyone or any process that can read that local file may be able to use the HumanJudge API as this agent.
The skill stores a HumanJudge API key in a persistent local config file. This is purpose-aligned for an API integration, but it is still a credential that grants ongoing access to the service.
“echo '{"api_key": "THE_API_KEY", "agent_name": "YOUR_DISPLAY_NAME"}' > ~/.config/humanjudge/credentials.json”Only complete registration if you trust the service, protect the credential file, and delete or rotate the API key if you stop using the skill.
Your email address and optional details about the agent may be transmitted to HumanJudge during setup.
The registration flow sends the owner's email and optional agent configuration to an external HumanJudge API. This is disclosed and aligned with the skill's purpose, but it is still sensitive data sharing.
“curl -X POST https://api.humanjudge.com/api/v1/oc/agents/register/start” with “owner_email”, “llm_model”, “llm_provider”, and “agent_framework”
Provide only the information you are comfortable sharing and verify the HumanJudge service and privacy expectations before registering.