Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Oraclaw Bandit

v1.0.0

A/B testing and feature optimization for AI agents. Pick the best option automatically using Multi-Armed Bandits and Contextual Bandits (LinUCB). No data war...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for whatsonyourmind/oraclaw-bandit.

Install the skill "Oraclaw Bandit" (whatsonyourmind/oraclaw-bandit) from ClawHub.
Skill page: https://clawhub.ai/whatsonyourmind/oraclaw-bandit
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: ORACLAW_API_KEY
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install oraclaw-bandit

ClawHub CLI

npx clawhub@latest install oraclaw-bandit

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability

Name and description align with requiring an API key for an external optimization service. Asking for a single ORACLAW_API_KEY is consistent with a hosted optimization API. Minor oddity: SKILL.md refers to a local/remote 'oraclaw-mcp/index.ts' to be executed via npx, which is not packaged with the skill and is not explained in the metadata.

Instruction Scope (flagged)

SKILL.md instructs agents to add an MCP server executed via `npx tsx path/to/oraclaw-mcp/index.ts`. That instruction is vague about where the file comes from and what that MCP server will do. The skill asks agents to send context/history and rewards to the optimization tool (which may include user data or PII) but does not document endpoints, telemetry, or exactly how ORACLAW_API_KEY is used. This grants broad discretion and could result in transmitting sensitive conversational context to an external service.

Install Mechanism

There is no formal install spec or bundled code (instruction-only), which limits on-disk footprint. However, the instructions encourage running `npx tsx ...` at runtime — npx may fetch packages from npm (or execute remote paths), so following the instruction could cause arbitrary code downloads/exec without a vetted install step.

Credentials

Only ORACLAW_API_KEY is required and is appropriate for a hosted optimization API. The SKILL.md does not show how the key is used or scoped. Because the skill transmits 'context' and 'history' for contextual bandits, there's a real risk of sending sensitive data along with the API key unless usage is documented and limited.

Persistence & Privilege

Skill does not request always:true, does not ask to modify other skills or system-wide settings, and has no install that would force permanent presence. Default autonomous invocation is allowed but is not by itself a red flag here.

What to consider before installing

What to consider before installing or using this skill:

  • Treat the ORACLAW_API_KEY as a real credential: only provide it after you verify the service and understand how it is used.
  • Ask the vendor for the oraclaw-mcp source (or an official npm package) and inspect it before running. The SKILL.md tells you to run `npx tsx path/to/oraclaw-mcp/index.ts` — do NOT run that command with an unreviewed path or package.
  • Verify the endpoints and data flows: what exactly is sent (context vectors, history, user identifiers), where (domain/host), and whether traffic is encrypted. Confirm a privacy policy and data retention rules.
  • Start with non-sensitive, synthetic test data to observe behavior and costs. The skill charges $0.01/call (USDC on Base) and advertises a free tier; confirm billing details and the account/address used for payments.
  • Limit the scope of data sent: avoid including PII or secrets in context/history. If the optimization requires user-related signals, ask for a minimal, anonymized feature vector.
  • If you test and then revoke access, rotate the ORACLAW_API_KEY if you suspect it was misused.
  • If the provider cannot supply or permit you to audit the oraclaw-mcp code or clearly document API endpoints and data handling, treat the integration as higher-risk and prefer alternatives with transparent implementations.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🎰 Clawdis
Env: ORACLAW_API_KEY
Primary env: ORACLAW_API_KEY
latest: vk97eepgasawgcrm69c6232phq983qf3f
99 downloads
0 stars
1 version
Updated 1mo ago
v1.0.0
MIT-0

OraClaw Bandit — AI-Powered A/B Testing

You are an optimization agent that uses Multi-Armed Bandits to find the best option from a set of choices.

When to Use This Skill

Use this when the user or another agent needs to:

  • Choose the best variant from multiple options
  • Run A/B tests without predetermined sample sizes
  • Optimize feature flags, prompts, email subjects, or any choice
  • Make context-aware selections (different best option for different situations)

How to Use

Step 1: Set Up the MCP Connection

Add the OraClaw MCP server to get the optimize_bandit and optimize_contextual tools:

{
  "mcpServers": {
    "oraclaw": {
      "command": "npx",
      "args": ["tsx", "path/to/oraclaw-mcp/index.ts"]
    }
  }
}
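
A pre-launch check for the config above, as an added example that is not part of the skill or of ClawHub's scanner: it flags the properties the security scan objects to (a package runner that can fetch code at launch, an unpinned package, a placeholder script path). The rule names, the `reviewedScripts` allowlist and the `/opt/mcp/...` path are assumptions made for illustration.

```javascript
// Added example: static checks on an "mcpServers" config before an agent launches it.
// The rule names and the reviewedScripts allowlist are assumptions of this sketch.
const PACKAGE_RUNNERS = new Set(["npx", "pnpx", "bunx"]); // may fetch from a registry at launch
const PINNED = /^(@[^/@]+\/)?[^/@]+@\d+\.\d+\.\d+$/;      // name@1.2.3, exact version only

function auditMcpServers(config, reviewedScripts = []) {
  const findings = [];
  for (const [name, server] of Object.entries(config.mcpServers ?? {})) {
    const args = Array.isArray(server.args) ? server.args : [];
    const add = (rule, detail) => findings.push({ server: name, rule, detail });

    if (PACKAGE_RUNNERS.has(server.command)) {
      add("runtime-fetch", `${server.command} can download and run a package at launch`);
      const pkg = args.find((a) => !a.startsWith("-")); // first non-flag arg is the package
      if (pkg && !PINNED.test(pkg)) add("unpinned-package", `${pkg} has no exact version`);
    }
    for (const arg of args) {
      if (/(^|\/)path\/to\//.test(arg)) {
        add("placeholder-path", `${arg} is a documentation placeholder, not a real file`);
      } else if (/\.(ts|js|mjs|cjs)$/.test(arg) && !reviewedScripts.includes(arg)) {
        add("unreviewed-script", `${arg} is not on the reviewed list`);
      }
    }
  }
  return findings;
}

// The config exactly as the skill documents it.
const skillConfig = {
  mcpServers: { oraclaw: { command: "npx", args: ["tsx", "path/to/oraclaw-mcp/index.ts"] } },
};
// Constructed contrast: a locally reviewed build started with node (path is hypothetical).
const reviewedConfig = {
  mcpServers: { oraclaw: { command: "node", args: ["/opt/mcp/oraclaw-mcp/dist/index.js"] } },
};

for (const f of auditMcpServers(skillConfig)) console.log(`${f.server}: ${f.rule} - ${f.detail}`);
console.log(auditMcpServers(reviewedConfig, ["/opt/mcp/oraclaw-mcp/dist/index.js"]).length);
```
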

Step 2: Use optimize_bandit for Simple A/B Testing

Call with a list of options (arms) and their historical performance:

{
  "arms": [
    { "id": "variant-a", "name": "Short Email", "pulls": 500, "totalReward": 175 },
    { "id": "variant-b", "name": "Long Email", "pulls": 300, "totalReward": 126 },
    { "id": "variant-c", "name": "Video Email", "pulls": 100, "totalReward": 48 }
  ],
  "algorithm": "ucb1"
}

The response tells you which variant to show next, balancing exploration (trying new options) and exploitation (using what works).

Step 3: Use optimize_contextual for Personalized Selection

When the best choice depends on CONTEXT (time, user type, situation):

{
  "arms": [
    { "id": "deep-work", "name": "Deep Work Block" },
    { "id": "quick-tasks", "name": "Quick Task Batch" },
    { "id": "meetings", "name": "Meeting Block" }
  ],
  "context": [0.75, 0.8, 0.3, 0.0],
  "history": [
    { "armId": "deep-work", "reward": 0.9, "context": [0.25, 0.9, 0.1, 0.0] },
    { "armId": "quick-tasks", "reward": 0.7, "context": [0.75, 0.4, 0.8, 1.0] }
  ]
}

The context vector represents situation features (e.g., time of day, energy, urgency, number of pending items). The algorithm learns which option works best in each context.

Rules

  1. Always include historical data when available — more data = better selections
  2. Use the ucb1 algorithm for most cases. Use thompson when you need more exploration early on.
  3. Record rewards after each decision to improve future selections
  4. Context vectors must have a consistent length across all calls
  5. Rewards should be normalized to 0-1 range
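
An outbound guard for an optimize_contextual request, as an added example that is not part of the skill: it enforces rules 4 and 5 within a single request and withholds any field outside the shape shown in Step 3, so stray user data in `history` is not sent along with the numeric features. Treating the Step 3 sample as the complete schema is an assumption, and the request below is constructed.

```javascript
// Added example: outbound guard for an optimize_contextual request.
// Field allowlists mirror the Step 3 sample; treating it as the full schema is an assumption.
const ARM_FIELDS = ["id", "name"];
const HISTORY_FIELDS = ["armId", "reward", "context"];
const TOP_FIELDS = ["arms", "context", "history"];
const isVector = (v) =>
  Array.isArray(v) && v.length > 0 && v.every((x) => typeof x === "number" && Number.isFinite(x));

function guardContextualRequest(req) {
  const errors = [];
  const dropped = []; // fields withheld from the outbound payload
  const keep = (obj, fields, where) => {
    const out = {};
    for (const [k, v] of Object.entries(obj)) {
      if (fields.includes(k)) out[k] = v;
      else dropped.push(`${where}.${k}`);
    }
    return out;
  };
  if (!isVector(req.context)) errors.push("context: must be a non-empty array of finite numbers");
  const dim = Array.isArray(req.context) ? req.context.length : 0;
  const arms = (req.arms ?? []).map((a, i) => keep(a, ARM_FIELDS, `arms[${i}]`));
  const armIds = new Set(arms.map((a) => a.id));
  const history = (req.history ?? []).map((h, i) => {
    const where = `history[${i}]`;
    if (!armIds.has(h.armId)) errors.push(`${where}: armId is not one of the arms`);
    if (!isVector(h.context) || h.context.length !== dim) // Rule 4
      errors.push(`${where}: context must be ${dim} finite numbers`);
    if (typeof h.reward !== "number" || !(h.reward >= 0 && h.reward <= 1)) // Rule 5
      errors.push(`${where}: reward must be within 0-1`);
    return keep(h, HISTORY_FIELDS, where);
  });
  for (const k of Object.keys(req)) if (!TOP_FIELDS.includes(k)) dropped.push(k);
  return { ok: errors.length === 0, errors, dropped, payload: { arms, context: req.context, history } };
}

// Constructed request: one history row breaks rules 4 and 5 and carries an extra field.
const sampleRequest = {
  arms: [{ id: "deep-work", name: "Deep Work Block" }, { id: "meetings", name: "Meeting Block" }],
  context: [0.75, 0.8, 0.3, 0.0],
  history: [
    { armId: "deep-work", reward: 0.9, context: [0.25, 0.9, 0.1, 0.0] },
    { armId: "meetings", reward: 7, context: [0.5, 0.2, 0.1], userEmail: "user@example.com" },
  ],
};
console.log(guardContextualRequest(sampleRequest));
```

Send `payload` only when `ok` is true; `dropped` lists what was withheld so the caller can log it.
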

Pricing

$0.01 per optimization call (USDC on Base via x402). Free tier: 3,000 calls/month with API key.
