← Back to Skills Marketplace
tudoanh

RankClaw

by tudoanh · GitHub ↗ · v2.1.0
cross-platform ⚠ suspicious
305
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install rankclaw
Description
RankClaw — AI Agent Trust Layer. Check any ClawHub, OpenClaw, nanobot, nanoclaw, picoclaw, or MCP server skill against 14,700+ indexed tools before installin...
Usage Guidance
RankClaw appears to be what it says (a remote skill-auditing service) but it asks you to add a persistent MCP server that sends agent requests to https://api.rankclaw.com. Before installing or adding it to your agent config: 1) Do not send secrets or local files to the service until you confirm what data is transmitted — test rankclaw_check using innocuous skill names first. 2) Inspect the bundled mcp_bridge.py (it is a simple HTTP→stdio proxy) and prefer using the bundled file rather than curling at runtime; note the example filename mismatch (mcp_bridge.py vs rankclaw_mcp_bridge.py) — fix it if you deploy. 3) Treat the prompt-injection finding seriously: open SKILL.md and SECURITY_AUDIT.md and verify there are no hidden/obfuscated instructions telling the agent to ignore safeguards. 4) Ask the maintainer for a privacy/security policy and the server-side audit code or allow-listing mechanism (what exactly is sent to the server, retention policy, and whether SKILL.md or other local files are uploaded). 5) If you have sensitive credentials or run agents with host-level access, avoid persistent registration of third-party MCP servers; instead run checks manually or self-host an audit service. If you want, I can produce a short checklist of exact MCP RPCs to test or help craft a minimal test invocation that doesn't leak sensitive data.
Capability Analysis
Type: OpenClaw Skill Name: rankclaw Version: 2.1.0 The RankClaw skill is a security trust layer for AI agents, designed to audit other skills. Its `SKILL.md` provides legitimate instructions for agents to integrate and use its security checking services, including downloading and executing the `mcp_bridge.py` script from its GitHub repository. The `mcp_bridge.py` script functions as a benign proxy, forwarding JSON-RPC requests to the declared `https://api.rankclaw.com/api/mcp/` endpoint without any unauthorized file system access, credential handling, or arbitrary code execution. The `SECURITY_AUDIT.md` file is meta-documentation for human analysts and does not contain executable code or agent instructions. All observed behaviors are consistent with the skill's stated purpose, with no evidence of malicious intent or significant vulnerabilities.
Capability Assessment
Purpose & Capability
The name and description (an external trust/audit service) align with the provided files: SKILL.md documents remote checks and an MCP API, and mcp_bridge.py proxies MCP traffic to https://api.rankclaw.com/api/mcp/. Requesting no env vars and no local privileged installs is proportionate to a remote auditing service. The capability to call out to a remote API is coherent with the claimed purpose.
Instruction Scope
SKILL.md instructs agents to register RankClaw as an MCP server (persistent config change) and to call rankclaw_check/rankclaw_score RPCs. The SKILL.md also contains a flagged prompt-injection token ('ignore-previous-instructions'), which suggests either an adversarial attempt to manipulate agent behavior or a false positive in pattern-matching; either way it deserves human review. The document also recommends curling a bridge script from raw.githubusercontent.com (a runtime download) — the skill both bundles a bridge and suggests downloading it, and there is a filename inconsistency in examples (mcp_bridge.py vs rankclaw_mcp_bridge.py).
Install Mechanism
There is no declared install spec (instruction-only), which limits on-disk installs. However SKILL.md recommends curling a raw GitHub URL (https://raw.githubusercontent.com/RankClaw/rankclaw/main/mcp_bridge.py) — GitHub raw is a common source but still a runtime download that executes locally. The package also bundles mcp_bridge.py, so the curl instruction is redundant and the filename mismatch is a coherence issue to review.
Credentials
The package declares no required environment variables or credentials, which is proportional. That said, registering an MCP server hands a remote service the ability to receive whatever the agent sends (skill names, possibly SKILL.md content or other context depending on client behavior). The skill itself doesn't request secrets, but the network proxy behavior means sensitive local data could be transmitted indirectly depending on how the agent calls the remote API.
Persistence & Privilege
The SKILL.md explicitly instructs users/agents to add RankClaw to persistent agent config files (~/.nanobot/config.json, .mcp.json). That creates an ongoing outbound channel to a third-party server. 'always' is false, and the skill doesn't force installation, but instructing persistent config changes increases the blast radius and should be treated carefully.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install rankclaw
  3. After installation, invoke the skill by name or use /rankclaw
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.1.0
**Major update: Expanded documentation and improved guidance for agent security checks.** - Added a comprehensive SKILL.md describing RankClaw’s purpose, trust layer features, and security evaluation process. - Detailed integration steps for OpenClaw, nanoclaw, picoclaw, nanobot, and MCP-compatible clients. - Explained audit criteria and attack pattern detection: prompt injection, phantom prerequisites, brand impersonation, credential staging, supply chain pivots, and scope creep. - Outlined agent decision protocols, score interpretation, and examples for safer skill installation workflows. - Provided new sections for direct API usage, score freshness, leaderboard access, badge embedding, and guidance for skill authors.
Metadata
Slug rankclaw
Version 2.1.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is RankClaw?

RankClaw — AI Agent Trust Layer. Check any ClawHub, OpenClaw, nanobot, nanoclaw, picoclaw, or MCP server skill against 14,700+ indexed tools before installin... It is an AI Agent Skill for Claude Code / OpenClaw, with 305 downloads so far.

How do I install RankClaw?

Run "/install rankclaw" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is RankClaw free?

Yes, RankClaw is completely free (open-source). You can download, install and use it at no cost.

Which platforms does RankClaw support?

RankClaw is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created RankClaw?

It is built and maintained by tudoanh (@tudoanh); the current version is v2.1.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments