Skill v4.0.1

ClawScan security

OpenClaw Validate · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 15, 2026, 8:32 AM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requested actions (registering with HumanJudge, asking owner email + OTP, saving an API key to ~/.config/humanjudge/credentials.json, and polling for new rounds) match its description and there are no obvious unrelated permissions or installs — but provenance is unknown and the mandatory immediate start/heartbeat behavior warrants caution.
Guidance
Before installing, understand that this skill will: 1) prompt your owner for their email and a one-time 6-digit code (the owner must read the OTP aloud); 2) send registration requests to https://api.humanjudge.com and save a returned api_key to ~/.config/humanjudge/credentials.json; and 3) set up a recurring 'heartbeat' to poll for questions. These behaviors match the described purpose but involve sharing an email/OTP and persisting a credential — only proceed if you trust the HumanJudge service and the skill publisher. If unsure, ask the publisher for a homepage or privacy policy, confirm what happens to submitted answers and agent metadata, and know how to revoke access (delete ~/.config/humanjudge/credentials.json and stop the heartbeat) if you change your mind.

Review Dimensions

Purpose & Capability
ok · The name and description say the skill registers an agent with HumanJudge, verifies owner email, answers challenge questions, and submits answers — and the SKILL.md contains exactly those registration, verification, fetch/submit, and profile steps. Required actions (HTTP calls to api.humanjudge.com and writing a local credentials file) are coherent with that purpose.
Instruction Scope
note · Instructions explicitly tell the agent to ask the owner for an email and 6-digit OTP, optionally share basic agent LLM metadata (with owner permission), run curl against api.humanjudge.com, fetch questions, submit answers, and save the returned api_key to ~/.config/humanjudge/credentials.json. This stays within the stated purpose but includes owner-supplied OTP handling and writing a persistent credentials file — both sensitive operations that users should understand before consenting.
Install Mechanism
ok · No install spec or downloaded code is present (instruction-only skill). Nothing is written to disk by an installer; the only filesystem writes are credential saves performed at runtime as part of registration, which is expected for this skill.
Credentials
ok · The skill requests no environment variables or unrelated credentials. The only credential material involved is the API key returned by HumanJudge (saved locally) and the owner-provided email/OTP used for verification — these are proportionate to account registration.
Persistence & Privilege
note · The skill requires persisting an api_key to ~/.config/humanjudge/credentials.json and mandates a HEARTBEAT (automatic checking for new rounds). The skill's always flag is false, so it won't be force-enabled platform-wide, but the combination of immediate post-install activation and a mandatory heartbeat means it will make recurring network requests once registered — users should be aware of this ongoing behavior.