RateMyClaw
v0.5.1
Score your OpenClaw agent setup against similar agents. Scans your workspace, generates a local embedding for privacy-preserving semantic matching, and submi...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the implementation: the code scans a workspace, maps signals to a fixed taxonomy, generates a local embedding (MiniLM or TF-IDF) and submits tags/embedding to ratemyclaw.com. The only credential referenced is an optional RATEMYCLAW_API_KEY which is appropriate for the stated remote API.
Instruction Scope
The runtime instructions and scripts perform a local workspace scan and may read selected files to detect tags, but the submit path only sends structured tags, skill slugs, maturity counts and the numeric embedding. The SKILL.md and code both assert that raw file contents and secrets are not transmitted. Minor documentation inconsistency: one place in SKILL.md lists '384 floats' as what gets sent (true for MiniLM) but TF-IDF produces a taxonomy-sized vector — the code handles either case and records the embedding_method. Review the generated_profile.json before submission as the skill instructs.
Install Mechanism
This is an instruction-only skill with included Python scripts and a small requirements.txt (scikit-learn). No opaque downloads or extracted archives are used. The scripts may invoke pip (or run pip via subprocess) to install scikit-learn and the user is prompted; sentence-transformers is suggested optionally (large model from PyPI/HuggingFace). The install behavior is proportionate to embedding generation.
Credentials
Only an optional RATEMYCLAW_API_KEY is used and documented. If absent, the script prompts before creating a free key via POST to the skill's documented API endpoint and saves it locally as .ratemyclaw_key with restrictive file permissions. No other unrelated credentials or environment variables are requested.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It will create a local key file (.ratemyclaw_key) in the skill directory when you accept key generation — this is reasonable and is written with chmod 600. The skill does not attempt to modify other skills or system-wide configs.
Assessment
This skill appears to do what it says: it scans your workspace locally, produces structured tags, optionally generates a local embedding, and submits only tags/embedding/maturity counts to ratemyclaw.com. Before using it: (1) Inspect the generated_profile.json (the skill asks you to review tags) to confirm nothing sensitive was mis-tagged. (2) Be aware embeddings can be a sensitive fingerprint; only send them if you accept that risk. (3) The script may prompt to install scikit-learn (or you can manually run pip install -r requirements.txt); sentence-transformers is optional and large. (4) If you do not want any network calls, do not approve API key generation or submission. (5) Note a small doc mismatch: TF-IDF embeddings are taxonomy-sized (not always 384 floats) — this is an informational inconsistency only.
Like a lobster shell, security has layers — review code before you run it.
