Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Clawrank

v1.0.0

Agent performance scoring system for OpenClaw agents. 7 dimensions scored 0-10, crab-themed tiers, evidence-based, with trajectory tracking. Use at session e...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name, description, and instructions all align: this is a performance-scoring rubric for agents. However, the SKILL.md claims it "Integrates with agent-sync for peer review" but the skill declares no required env vars, endpoints, or instructions for how to access agent-sync. That integration claim is unexplained and may be a missing or incomplete dependency.
Instruction Scope
Instructions are tightly scoped to scoring seven dimensions, formatting the report, and tracking trajectory. They require the agent to produce short evidence lines per dimension which will naturally use session context (conversation history). The spec does not explicitly instruct reading unrelated system files or secrets, but it does hint at posting/recording to agent-sync without describing what data is sent or how — this ambiguity could lead to unexpected transmission of session content.
Install Mechanism
Instruction-only skill with no install steps and no code files. That reduces surface area — nothing is downloaded or written to disk by the skill itself.
Credentials
The skill requests no environment variables or credentials, which is consistent with a local rubric. However, because it references agent-sync peer review, the lack of any declared credentials or endpoint is odd: if agent-sync requires auth, that requirement is not documented here.
Persistence & Privilege
always is false (normal) and the skill does not request persistent configuration or system-wide changes. Autonomous invocation is allowed by default — expected for skills — but consider whether you want the agent to trigger self-evaluations without explicit user consent.
What to consider before installing
This is an instruction-only scoring rubric and on its face is benign, but there are two things to check before enabling it broadly: (1) the SKILL.md says it "Integrates with agent-sync" but provides no endpoint, API, or credential instructions — ask the author how agent-sync integration works and whether it will send conversation content anywhere; (2) the rules require a one-line evidence entry per dimension, which means the agent will use session context (chat history, user prompts) to produce those lines — confirm you’re comfortable with that data being used/stored and whether peer review will transmit it externally. If you are unsure, test the skill in a restricted/sandboxed agent (or disable autonomous invocation) and verify where any peer-review data is posted and what auth it uses.

Like a lobster shell, security has layers — review code before you run it.

latestvk97afcxejsw90dgaadpqhwq9jx83y1xw
