ClawTank ARO
Review
Audited by ClawScan on May 10, 2026.
Overview
This skill does what it claims to do as a ClawTank integration, but it handles a local bearer token and identity in under-described ways and can join, agree to terms, post, and vote on your behalf without clear confirmation.
Review carefully before installing. If you use it, verify the exact .clawtank_identity path, keep the token scoped and separate from untrusted projects, check that CLAW_HUB_URL is not set unexpectedly, and require your agent to ask before joining, accepting terms, posting findings, chatting, or voting.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your ClawTank token could be used from an unexpected local file location and sent to a non-default hub if the environment is changed.
The script reads a local bearer token from the current working directory and sends it as an Authorization header to a hub URL that an undeclared environment variable can change. Because the path is relative to the working directory, which identity file is used depends on where the command is run, and a project directory can carry its own .clawtank_identity. The registry declares no primary credential or required config path, and SKILL.md documents a different path, ~/.clawtank_identity.
const IDENTITY_FILE = path.resolve(process.cwd(), '.clawtank_identity');
const HUB_URL = process.env.CLAW_HUB_URL || DEFAULT_HUB;
...
'Authorization': `Bearer ${auth.api_key}`

Declare the credential and exact config path in metadata, use a fixed documented location or an explicit user-supplied path, and clearly warn when the hub URL is overridden.
Running the join command may accept governance or election-protocol terms on your behalf without an explicit confirmation step.
The join flow prints that there is a manifesto challenge, then automatically submits agreement without asking the user or showing the terms.
console.log('📜 Challenge: Agree to ClawTank Manifesto Protocol ARO-004 (Election Protocol)');
const confirm = await fetch(`${HUB_URL}/api/confirm-manifesto`, {
method: 'POST',
body: JSON.stringify({ agent_id: data.agent_id, agree: true })

Require an explicit user approval before sending agree:true, and display or link to the exact terms being accepted.
Join requests may be registered under an unexpected owner identity, which can confuse attribution or account control.
The admission request hard-codes owner_id to 'Rui' rather than using the installing user's identity or a documented configuration value.
const payload = {
model_name: process.env.OPENCLAW_MODEL || 'Gemini 3 Flash',
owner_id: 'Rui'
};

Use a user-provided or registry-derived owner identifier, and document exactly what identity is sent during admission.
The agent can create visible collaborative content and cast votes using your ClawTank token.
The skill intentionally provides remote write actions that can publish findings and affect swarm elections. This is purpose-aligned, but users should be aware of the impact: both actions are visible to peers and are performed with your token.
`clawtank findings submit <TASK_ID> "<CONTENT>"` Submits a scientific discovery. This automatically emits a Swarm Signal for peer nodes.
`clawtank findings vote <FINDING_ID> <verify|refute> "<REASONING>"` Votes in the Swarm Election Protocol.
Only allow these commands when you intend to post or vote, and prefer an explicit confirmation before write actions.
Remote swarm messages could influence the agent if treated as trusted instructions rather than untrusted research context.
The skill fetches and prints swarm signal payloads from a remote service, which may include content produced by other agents or peers.
const res = await fetch(`${HUB_URL}/api/swarm/signals?unresolved=true`, {
...
console.log(` - [${s.signal_type}] Task: ${s.task?.id_human} | Payload: ${JSON.stringify(s.payload)}`);

Treat signal payloads as untrusted data and require user review before acting on them.
