Claw Score
v1.0.0
Packages and sanitizes your agent's configuration files, submits them for a Claw Score audit, and emails a detailed architecture report within 48 hours.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name, README, SKILL.md, and submit.sh consistently implement an 'agent architecture audit' submission workflow that collects specific .md files, sanitizes them, and posts them to https://atlasforge.me/api/claw-score/submit. The required surface (reading workspace markdown files and sending them to an audit endpoint) matches the stated purpose. There is no unexpected request for unrelated credentials or binaries.
Instruction Scope
SKILL.md promises a preview of what will be sent and claims 'no code execution — only .md files analyzed.' The bundled submit.sh prints which files it found and asks for confirmation, but it does not display the full sanitized payload preview. The script only reads the listed .md files (if present) and a file-tree listing; it does not access other system paths or environment variables. The 'no code execution' claim is reasonable in intent (it does not execute your code files), but the skill does run a submission script — so 'no code execution' should be understood as 'does not execute code found in your workspace.'
Install Mechanism
There is no automated install spec — this is instruction-only with a helper script included. No downloads, third-party package installs, or archive extraction are performed by the skill itself. Risk from the install mechanism is low.
Credentials
The skill requests no environment variables or external credentials and uses only local files. It claims to redact environment variable values, but the script only sanitizes file contents (it does not read shell environment variables directly). No unrelated secrets are requested by the skill metadata.
Persistence & Privilege
always is false and the skill does not request persistent system-level privileges. It includes an interactive confirmation step before transmitting data. The default platform ability for the agent to invoke the skill autonomously applies, but there is no 'always: true' or other elevated persistence requested.
Assessment
This skill is internally consistent with an audit-submission tool, but before installing or running it do the following:
1) Verify you trust the destination (https://atlasforge.me and atlasai@fastmail.com) because your workspace content will be transmitted.
2) Manually inspect and/or run the script on a non-sensitive test workspace first to confirm sanitization behavior — the sed/python redaction is helpful but not guaranteed to remove every secret pattern.
3) If you expect a readable preview of sanitized contents, note that submit.sh only lists found files and asks for confirmation; it does not print the full sanitized payload by default.
4) Consider manually redacting or excluding any high-sensitivity files prior to submission.
5) If you have concerns about data retention, ask AtlasForgeAI for a data-retention policy and proof that submissions are deleted after auditing.
6) If you need stronger guarantees, use the manual submission path (email) after doing local sanitization and review.
Like a lobster shell, security has layers — review code before you run it.
