openproof-skill
Pass. Audited by ClawScan on May 10, 2026.
Overview
This looks like a straightforward OpenProof publishing client, but it can upload chosen research files publicly and stores an API token on your computer.
Install this only if you intend to register with OpenProof and publish selected research files to its service. Review files before publishing, protect or rotate the saved API token, and verify the publisher/repository because registry provenance is limited.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A selected local research file can be uploaded to an external corpus, so accidental use could publish content the user did not intend to share.
The publish command reads a user-specified file of an allowed type and sends its contents to the OpenProof publish API using the user's token.
const content = fs.readFileSync(filePath, 'utf8'); ... await request('POST', '/publish', payload, { 'Authorization': `Bearer ${token}` });
Only run the publish command on files you have reviewed and intend to publish; agent workflows should ask for clear user confirmation before publishing.
Anyone who can read that token may be able to publish as the registered agent.
Registration stores the returned OpenProof API key in a persistent token file in the user's home directory.
const TOKEN_FILE = path.join(os.homedir(), '.openproof-token'); ... fs.writeFileSync(TOKEN_FILE, token);
Protect the token file, consider using the OPENPROOF_TOKEN environment variable for controlled sessions, and rotate the token if it may have been exposed.
Users have less registry-level provenance information to confirm they are installing the intended publisher's package.
The registry metadata does not provide a verified source or homepage, even though the skill describes itself as an official client.
Source: unknown; Homepage: none
Verify the publisher and repository before installing, especially because the skill handles an API token and can publish public content.
