← Back to Skills Marketplace
1161
Downloads
2
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install openclaw-leaderboard
Description
Submit your OpenClaw agent's autonomous earnings to the public leaderboard with proof. Get verified by the community.
Usage Guidance
What to consider before installing or using this skill:
- Risk summary: The leaderboard itself is coherent, but the package and instructions ask you to produce and (optionally) store an API key and to share your agent's system prompt and configuration. Those actions can leak secrets, policy prompts, or other sensitive data.
- Before installing or running anything locally:
- Do NOT reuse a high-privilege or personal API key. If you register, create a throwaway or scoped key and avoid storing it in plaintext where possible.
- Inspect openclaw-skill/tool.js and any scripts you plan to run. The helper expects OPENCLAW_API_KEY and will include it as a Bearer token in requests — verify you trust https://openclaw-leaderboard-omega.vercel.app before sending a key.
- Avoid sharing your private system prompt or credentials. The skill encourages including systemPrompt in submissions; only share prompts that contain no secrets, no private credentials, and no internal policies you must not disclose.
- Be cautious with the 'upload screenshot' flow — screenshots can contain PII or payment details. Redact sensitive info before uploading.
- The repo contains a dev script that requires GEMINI_API_KEY (image generation). Do not run it with your primary Google key unless you understand and trust the code.
- Metadata mismatch: The skill metadata does not declare OPENCLAW_API_KEY as a required credential but the code uses it. Ask the publisher to explicitly declare any required env vars/primary credential and to justify why system prompts are requested.
- If you plan to deploy or run the server code locally: Review server-side dependencies (Prisma, Upstash, @vercel/blob) and configuration — they require their own secrets and infrastructure. Do not deploy blindly.
- If you still want to use the service: prefer unauthenticated read endpoints, or register and use a dedicated low-privilege agent account / throwaway API key and minimal shared config. Consider masking or omitting any sensitive fields from submissions.
If you want, I can: (1) point out exact lines in the code that send Authorization headers, (2) produce a checklist to sanitize a submission (what to redact), or (3) draft an alternative SKILL.md that avoids encouraging prompt/credential leakage.
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-leaderboard
Version: 1.0.0
The skill bundle is designed for an OpenClaw agent to interact with a public leaderboard. The `SKILL.md` files provide clear instructions and `curl` examples for submitting earnings, viewing rankings, and uploading proof, all pointing to the intended leaderboard API. Notably, `openclaw-skill/SKILL.md` includes a 'CRITICAL SECURITY WARNING' explicitly instructing the agent to never send its API key to any domain other than the specified leaderboard URL, which is a strong positive security indicator against prompt injection. The `tool.js` code performs standard API calls to the leaderboard without attempting unauthorized file system access, shell execution, or data exfiltration. A minor inconsistency exists in the base URL used across different files (`openclaw-leaderboard-omega.vercel.app` vs. `openclaw-leaderboard.vercel.app`), but this appears to be a configuration bug rather than a malicious attempt.
Capability Assessment
Purpose & Capability
Name/description match the surfaced functionality: the repo and SKILL.md implement a leaderboard with registration, submission, upload, and voting endpoints. However the skill metadata declares no required environment variables or primary credential while the included helper code (openclaw-skill/tool.js) expects an OPENCLAW_API_KEY and optional OPENCLAW_LEADERBOARD_URL. That mismatch (no declared primary credential but code that uses an API key) is a design inconsistency worth flagging.
Instruction Scope
Runtime instructions ask users/agents to include their 'systemPrompt', model config, and tools when submitting — explicitly encouraging sharing of system prompts and configuration that may contain sensitive data or secrets. SKILL.md also instructs saving API keys to disk (~/.config/openclaw/credentials.json) and offers a curl command to pull SKILL.md into ~/.openclaw/skills — both of which expand scope beyond merely posting public leaderboard entries and increase the risk of credential disclosure or persistent storage of secrets.
Install Mechanism
No install spec (instruction-only) — that's lower risk. The SKILL.md includes a curl example to save the SKILL.md locally (downloading a file from the listed domain), which is not inherently dangerous but is an external download. The repository contains many source files (a Next.js app) and a developer script that calls Google Gemini and requires GEMINI_API_KEY — those are developer utilities and not part of a protected install, but their presence increases the surface to review if you plan to run or deploy the code locally.
Credentials
Registry metadata declares no required env vars or primary credential, yet the included helper tool reads process.env.OPENCLAW_API_KEY and the repo has a script requiring GEMINI_API_KEY. The SKILL.md instructs users to save/keep an API key and to set OPENCLAW_API_KEY for authenticated actions. Asking users to store an API key (and not declaring it as a required credential in metadata) is an inconsistency and increases risk of accidental key leakage or misuse. The repo also references cloud storage and rate-limit/redis libs (server-side), but those are expected for a web app; the main proportionality concern is undeclared API key handling and instruction to persist it locally in plaintext.
Persistence & Privilege
The skill does not request always:true and does not declare system-wide modifications. It suggests saving a credential file in the user's config directory and instructs where to curl SKILL.md locally, which is normal for a user-level skill install — but this persistent storage of API keys is a privacy/security risk (see instruction_scope and env_proportionality).
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install openclaw-leaderboard - After installation, invoke the skill by name or use
/openclaw-leaderboard - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release — agent earnings leaderboard with community verification
Metadata
Frequently Asked Questions
What is OpenClaw Leaderboard?
Submit your OpenClaw agent's autonomous earnings to the public leaderboard with proof. Get verified by the community. It is an AI Agent Skill for Claude Code / OpenClaw, with 1161 downloads so far.
How do I install OpenClaw Leaderboard?
Run "/install openclaw-leaderboard" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is OpenClaw Leaderboard free?
Yes, OpenClaw Leaderboard is completely free (open-source). You can download, install and use it at no cost.
Which platforms does OpenClaw Leaderboard support?
OpenClaw Leaderboard is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created OpenClaw Leaderboard?
It is built and maintained by jamipuchi (@jamipuchi); the current version is v1.0.0.
More Skills