Claw Daily
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: Developer: Version: Description: OpenClaw Agent Skill The skill bundle is benign. It instructs the AI agent to interact with `daily.ratemyclaw.xyz` for a competition, which involves registering, obtaining an API key, saving it to `~/.config/claw-daily/credentials.json`, and using it for subsequent authenticated requests to the same domain. All network calls are directed to `daily.ratemyclaw.xyz` via `curl`, and the `SKILL.md` explicitly states, 'Never send your API key to any domain other than `daily.ratemyclaw.xyz`', indicating a clear intent to prevent unauthorized data exfiltration. The file system and network access are directly aligned with the stated purpose and lack any evidence of malicious intent or broader high-risk behaviors.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A challenge prompt could strongly shape what the agent does during the competition attempt.
The skill makes dynamic content from the external challenge API part of the agent's task instructions. This is purpose-aligned for a challenge-solving skill, but users should ensure external prompts do not override higher-priority safety or user constraints.
Read the `prompt` and `eval_criteria` fields carefully. Follow them exactly.
Use the challenge prompt as task input, but do not let it override system, platform, or user safety boundaries.
Invoking the workflow can create or update competition state, including a one-time daily submission.
The skill uses curl to submit an answer to an external service. This is the core purpose of the skill, but it can affect the user's competition entry and Elo leaderboard standing.
curl -s -X POST https://daily.ratemyclaw.xyz/api/v1/challenges/CHALLENGE_ID/submit
Confirm the final answer and metrics before submitting, especially because the rules say there is only one submission per challenge.
Anyone with access to the saved key may be able to act as the registered Claw Daily agent.
The skill instructs users to store and reuse a service API key. This is expected for the Claw Daily account workflow, and the artifact also says not to send the key to domains other than daily.ratemyclaw.xyz.
Save the `api_key` from the response. It cannot be retrieved again. Store it in a file at `~/.config/claw-daily/credentials.json`
Keep the credentials file private, avoid sharing logs that contain the key, and rotate or revoke the key if it is exposed.