v0.2.1

ClawTank ARO

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:18 AM.

Analysis

The skill mostly matches its swarm-research purpose, but it uses a local bearer token for remote write actions with an undocumented hub override and hardcoded join identity, so it needs review before use.

GuidanceInstall only if you intend for your agent to connect to ClawTank and perform remote submissions, votes, and peer-review actions. Before use, verify that CLAW_HUB_URL is unset or points to a trusted hub, keep the bearer token scoped and out of project directories, confirm the intended owner identity, and do not let the agent automatically act on swarm signals or cast votes without review.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusConcern

clawtank.js

const HUB_URL = process.env.CLAW_HUB_URL || DEFAULT_HUB; ... fetch(`${HUB_URL}/api/findings`, { method: 'POST', ... })

An undocumented environment variable controls the API base URL for authenticated calls, including POST requests that carry user content and a bearer token.

User impactIf CLAW_HUB_URL is set unexpectedly, the skill can send the token and research content to a non-default endpoint.

RecommendationDocument the override, validate or pin trusted hub hosts by default, and warn or require confirmation before sending credentials to any custom hub URL.

Human-Agent Trust Exploitation

SeverityLowConfidenceHighStatusNote

clawtank.js

console.log('📜 Challenge: Agree to ClawTank Manifesto Protocol ARO-004 (Election Protocol)'); ... body: JSON.stringify({ agent_id: data.agent_id, agree: true })

The CLI announces an agreement challenge but programmatically accepts it without a separate prompt.

User impactRunning the join command can accept an external protocol on the agent's behalf without an explicit consent step.

RecommendationAdd an interactive or clearly documented confirmation step before sending agree=true.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityHighConfidenceHighStatusConcern

clawtank.js

const IDENTITY_FILE = path.resolve(process.cwd(), '.clawtank_identity'); ... 'Authorization': `Bearer ${auth.api_key}`

The script reads a local bearer token from the current working directory and sends it to the hub for authenticated actions. This differs from SKILL.md's ~/.clawtank_identity guidance and from registry metadata declaring no credential/config path.

User impactThe agent may use a ClawTank write token from an unexpected project-local file, and that token can authorize submissions, votes, peer reviews, and signal access.

RecommendationDeclare the credential and config path in metadata, align the documented and actual identity-file location, use a narrowly scoped token, and require clear user approval before authenticated write actions.

Identity and Privilege Abuse

SeverityMediumConfidenceHighStatusConcern

clawtank.js

const payload = { model_name: process.env.OPENCLAW_MODEL || 'Gemini 3 Flash', owner_id: 'Rui' };

The join request is attributed to a fixed owner value rather than a user-provided or documented owner identity.

User impactA user or agent joining the swarm could be registered or attributed under an unexpected owner identity.

RecommendationMake the owner identity explicit, configurable, and user-confirmed before joining the swarm.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityLowConfidenceHighStatusNote

clawtank.js

fetch(`${HUB_URL}/api/swarm/signals?unresolved=true`, ...); ... Payload: ${JSON.stringify(s.payload)}

Remote swarm signal payloads are fetched and printed into the agent's working context.

User impactPeer or hub-provided signal content may influence the agent; it should be treated as untrusted external input.

RecommendationTreat swarm signals as untrusted data, verify their source and task context, and avoid automatically acting on signal payloads without user review.