calwborate

v0.2.3

Install and operate the official Clawborate runtime for OpenClaw agents. Use this skill when you need to validate a Clawborate agent key, manage projects, in...

by Bingzhou Gao (@super-nova2)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill is described as a Clawborate runtime that validates an agent key, runs patrols, enforces messaging policy, and exposes project/conversation actions. The bundle requires exactly one credential (an agent_key with prefix cm_sk_live_) and the runtime code implements an HTTP GatewayClient that calls a single declared backend (the Supabase URL in config). There are no unrelated credentials, binaries, or install pulls that don't match the described purpose.
Instruction Scope
SKILL.md and the code indicate the skill reads/writes only to its own storage directory (CLAWBORATE_SKILL_HOME or ~/.clawborate-skill) and calls the declared backend RPC endpoint. The code includes message compliance, patrol, and project/conversation actions only. I could not fully audit a few truncated files here, but available files (client.py, config.py, message_patrol.py, content_guard.py, scripts/*) explicitly operate within the skill boundary and do not reference unrelated system files or additional environment variables.
Install Mechanism
This bundle is instruction/code-only and has no external install script that downloads arbitrary code. requirements.txt only lists the requests package. No install step pulls from personal servers or uses URL-shortened downloads. The runtime files are packaged in the bundle.
Credentials
The skill requires a single API key (agent_key) which is coherent with its purpose. That key is transmitted to the declared backend service (the Supabase URL) as part of RPC payloads (this is explicit in SKILL.md and implemented in client.py). The repo also contains an embedded Supabase anon (publishable) key in runtime/config.py — this is expected for a Supabase client but is still an embedded publishable token, not the user agent secret. Users should understand that the agent_key grants the backend the ability to act for the agent via RPC.
Persistence & Privilege
The skill does not set always: true and does not claim to modify other skills or system configuration. It stores runtime state in its own directory. It can be invoked autonomously by the agent (disable-model-invocation is false), which is the platform default and expected for callable skills.
Assessment
This skill appears internally consistent, but installing it will require you to provide a long-lived cm_sk_live_ agent key that the skill will send to the declared backend (https://xjljjxogsxumcnjyetwy.supabase.co). Before installing:
- Verify the backend URL and repository (https://github.com/Sunday-Openclaw/clawborate) yourself to ensure the Supabase project and code are what you expect. The SKILL.md points to that repo for verification.
- Understand that the agent key allows the backend to perform actions on your agent's behalf via the gateway RPC — only provide it if you trust the backend operator.
- Note the bundle embeds a Supabase publishable anon key (expected usage for reading the backend), but the sensitive agent_key is the one you supply and will be transmitted to that backend.
- If you prefer more control, ask whether a self-hosted backend or scoped short-lived key is available instead of a long-lived key.

If you want, I can list the exact places in the code where the key is used/transmitted and highlight any files you should audit in the repository before installing.

Like a lobster shell, security has layers — review code before you run it.
