Claw-Value-Judge
Security checks across static analysis, malware telemetry, and agentic risk
Overview
Prompt-injection indicators were detected in the submitted artifacts (base64-block); human review is required before treating this skill as clean.
This looks like a benign local analytics/reporting skill. Before installing, be comfortable with it reading OpenClaw logs, skill metadata, and configuration, and with it saving a local clawvalue.db database. Run the web server on localhost unless you intentionally want remote access, and use a virtual environment for pip dependencies. ClawScan detected prompt-injection indicators (base64-block), so this skill requires review even though the model response was benign.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The report may be based on local activity records and configuration details from your OpenClaw installation.
The collector is designed to read local OpenClaw logs, installed skills, and configuration. This is consistent with the usage-evaluation purpose, but those local sources may include sensitive operational context.
Responsible for collecting various data from the OpenClaw system: - Log parsing: parses the JSONL logs under the /tmp/openclaw/ directory - Skill scanning: scans the ~/.openclaw/workspace/skills/ directory - Configuration analysis: parses the ~/.openclaw/openclaw.json configuration file
Run it only on machines where you are comfortable allowing the skill to inspect OpenClaw logs, skills, and configuration; review generated reports before sharing them.
Usage metrics and evaluation history may persist locally after running the skill.
The skill persists collection/evaluation data in a local SQLite database. This supports historical reporting, but users should know the collected metrics can remain on disk.
data_dir = os.environ.get('CLAWVALUE_DATA_DIR', str(Path.home() / '.openclaw' / 'workspace' / 'data')) ... db_path = os.path.join(data_dir, 'clawvalue.db')
If you do not want retained history, delete the generated clawvalue.db file or set CLAWVALUE_DATA_DIR to a location you manage.
If you run it on 0.0.0.0 and open the port, other people on the network may be able to view the report/API.
The skill documents a Flask server mode that can bind to all network interfaces. This is disclosed and user-directed, but it can expose the API/web report to other devices if used without network controls.
python scripts/server.py --host 0.0.0.0 --port 5002 Bind address; `0.0.0.0` allows external access
Prefer the default localhost binding unless you specifically need remote access; if exposing it, restrict access with firewall/security-group rules.
Installing dependencies changes the local Python environment and depends on package-source trust.
The skill relies on installing Python packages from the environment/package index. This is normal for a Flask-based local web app, but the registry install spec does not declare the install step.
pip install -r requirements.txt ... pip install flask requests
Install in a virtual environment and review requirements.txt before installing.
If configured, the provider API key will be available to this skill's image-generation code.
The skill optionally uses a provider API key for image generation. This is disclosed and aligned with the image-generation feature; no hardcoded or unrelated credential use is shown.
DASHSCOPE_API_KEY - Bailian API key ... Not available without it: lobster poster image generation (image-related features will be skipped)
Use a scoped API key if possible and avoid configuring it if you do not need poster/image generation.
