Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

GauntletScore

v5.1.5

Trust verification for AI output — verify any document or code before you act on it

0 · 159 · 0 current · 0 all-time
by Genstrata (@wmehobbs)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description match the SKILL.md examples (a POST to https://api.gauntletscore.com/v1/analyze and a GET for job status). Requiring an API key for a SaaS verification service is expected. Minor mismatch: SKILL.md advertises a 'Sovereign Edition' that runs on-prem, but the provided instructions only show a cloud API; that is a capability/marketing mismatch to clarify.
Instruction Scope
Runtime instructions are limited and explicit: submit document or source_url to the remote API and poll results. This stays within the stated purpose. However, the doc contains contradictory claims about storage: it says 'Documents are processed in memory and not stored' but also states 'Every verified and debunked claim is stored in a persistent knowledge graph,' which implies some form of server-side persistence of derived data. That contradiction affects privacy expectations and should be clarified.
Install Mechanism
No install spec and no code files — lowest-risk delivery model. The skill is instruction-only and will rely on the platform's normal network capabilities.
Credentials
Registry metadata listed no required environment variables, but the SKILL.md's embedded clawdbot config explicitly lists GAUNTLET_API_KEY as required. That inconsistency is important: the skill will need a secret API key for the service, despite the registry summary saying none. No unrelated credentials are requested, but the mismatch in declarations is a red flag.
Persistence & Privilege
The skill does not set always:true and requests no special local privileges. The primary privacy/privilege concern is network egress to api.gauntletscore.com (the service will receive submitted content). The apparent server-side 'knowledge graph' persistence increases blast radius for sensitive data if it is in fact retained.
What to consider before installing
This skill appears to call a cloud API to analyze and certify documents/code, which is consistent with its description — but before you install or use it, confirm two things with the vendor or skill author: (1) the skill does require a GAUNTLET_API_KEY (the SKILL.md shows this) even though the registry summary omitted it; (2) clarify the data-retention model — the README both says 'documents processed in memory and not stored' and that it maintains a persistent 'knowledge graph' of verified claims. If you plan to submit sensitive or proprietary material, either use the advertised 'Sovereign Edition' (get clear, verifiable on-prem instructions) or avoid sending secrets. Additional precautions: test with non-sensitive data first, check TLS/hostname (api.gauntletscore.com) and privacy/legal terms, limit the API key permissions where possible, and request written confirmation of what is stored and for how long. If the vendor cannot clearly explain the storage behavior and the GAUNTLET_API_KEY requirement, treat the skill as untrusted for sensitive workflows.


Plugin bundle (nix)
Skill pack · CLI binary · Config
Config requirements

Required env: GAUNTLET_API_KEY


Config example

Starter config for this plugin bundle.

config = {
  env = {
    # Placeholder value; replace with your own GauntletScore API key.
    # Keep the real key out of version control and scope it as narrowly as the vendor allows.
    GAUNTLET_API_KEY = "gsk_your_key_here";
  };
};
