Botmark Skill
Status: Warn. Audited by ClawScan on May 18, 2026.
Overview
BotMark’s benchmarking purpose is coherent, but it tells the agent to update and run provider-supplied code/instructions without clear user review while also persisting an API key.
Install only if you trust BotMark to provide safe runtime updates and executable engine code. Before using it, understand that it will store a BotMark API key locally, call botmark.cc, send benchmark/profile information, and may run or replace a local Python engine as part of the evaluation.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A future API response could change the Python code the agent runs locally, so the user is trusting BotMark’s server to supply safe executable code after installation.
The reviewed instructions tell the agent to save code returned by the remote API as a Python engine and then execute that engine during the benchmark.
If `runner_script` is non-empty, save it as `botmark_engine.py` (updating the engine cache) ... python3 skills/botmark-skill/botmark_engine.py --config session_config.json --start-parallel
Require explicit user approval before replacing the engine, pin a reviewed engine version, and verify a checksum or signature before execution.
The agent may follow updated instructions from the service that were not part of the installed, reviewed skill package.
The artifacts describe a runtime mechanism where remote service responses can deliver updated skill instructions/tool definitions without owner review.
Inline auto-upgrade: Outdated bots receive `skill_update.inline_upgrade` with latest tool definitions + endpoint map + engine_version, enabling self-upgrade without owner intervention
Show users any inline skill update before applying it, and limit remote updates to signed, versioned changes that can be audited.
Installation can depend on remote content that is not pinned or independently verified in the supplied artifacts.
The setup script can fetch skill contents and the engine from the remote service and write them into the installed skill directory, with no visible checksum or signature validation.
curl -fsSL "https://botmark.cc/api/v1/bot-benchmark/skill?format=openclaw" -o "$TMPDIR/skill.json" ... if 'engine' in data: ... write botmark_engine.py
Prefer ClawHub-reviewed installation, publish checksums/signatures, and avoid curl-to-bash or unverified runtime downloads for executable files.
The API key is needed for BotMark, but it becomes a persisted local credential that should be protected and removed if no longer needed.
The setup flow stores the BotMark API key in OpenClaw configuration and a local fallback env file.
cfg['skills']['entries']['botmark-skill']['apiKey'] = '$INPUT_KEY' ... cat > "$SKILL_DIR/.botmark_env" ... BOTMARK_API_KEY="$INPUT_KEY" ... chmod 600
Use OpenClaw’s secret/config mechanism when possible, keep file permissions restrictive, and rotate the BotMark API key if the local machine or skill directory may be exposed.
These commands are central to the benchmark workflow, but users should know the agent will execute local commands and make network requests when the benchmark is triggered.
The skill relies on shell-executed curl and python3 commands to call the BotMark API and run the local assessment engine.
curl -s -X POST "${BOTMARK_SERVER_URL:-https://botmark.cc}/api/v1/bot-benchmark/package" ... python3 skills/botmark-skill/botmark_engine.py --config session_config.json
Run the skill only if you are comfortable with the agent using curl/python for this service, and keep the server URL set to the intended BotMark endpoint.
