← 返回 Skills 市场
104
总下载
1
收藏
0
当前安装
2
版本数
在 OpenClaw 中安装
/install clawlock-rank
功能描述
ClawLockRank — 基于 ClawLock 2.2.1+ 本地体检结果的排行榜上传技能。 仅当用户明确要上传安全分、上传体检成绩、提交排行榜结果、同步分数到 ClawLockRank 时触发。 不要在普通安全体检、安全加固、调试开发、安装依赖或仅浏览榜单时触发。
使用说明 (SKILL.md)
ClawLockRank
基于 ClawLock 体检结果构建的排行榜上传技能,面向“本地完成体检后,自愿把成绩同步到 ClawLockRank”的场景。 English Version → SKILL_EN.md
安装与使用
python scripts/submit_score.py
python scripts/submit_score.py --preview-only
触发边界
仅在用户明确要求上传排行榜成绩时触发。
| 用户意图 | 执行动作 |
|---|---|
| 上传安全分 / 上传体检成绩 / 提交排行榜结果 | 启动本 skill |
| 普通安全体检 / 安全加固 / 版本检查 | 交给 ClawLock 主 skill 或直接调用 clawlock CLI |
| 仅浏览榜单 / 介绍项目 / 调试脚本 | 不触发本 skill |
常见触发词:
- 上传安全分
- 上传安全体检分数
- 上传排行榜
- 提交体检成绩
- 把这次体检结果上传到 ClawLockRank
- 同步分数到 ClawLockRank
如果用户只是说“开始安全体检”或“帮我加固”,优先交给 ClawLock 主 skill,而不是本 skill。
单一事实来源
- 体检结果以
clawlock scan --format json为唯一事实来源。 - 只使用 ClawLock JSON 里明确给出的字段,不自行补造步骤计数、风险总表或额外结论。
- 对用户的说明分成两层:
ClawLock 结果:只转述 CLI 已经给出的分数、等级、适配器、版本和 findings。影响说明:再用自然语言解释为什么值得上传、哪些字段会公开。
- 如果当前环境里的
clawlock版本低于2.2.1,先提示用户升级,再继续后续动作。
隐私与上传范围
默认先在本地执行体检,只有在用户明确确认后才会上传。
允许上传的字段仅包括:
toolclawlock_versionadapteradapter_versiondevice_fingerprintevidence_hashscoregradenicknamefindings[].scannerfindings[].levelfindings[].titletimestamp
明确不会上传:
- 原始配置文件
- remediation / 修复建议文本
- 本地文件路径或
location - 环境变量
- 完整原始扫描报告
scan_history.json
设备指纹说明:
- 原始
device_fingerprint只发送给排行榜 Worker - Worker 会在服务端做加盐哈希后再入库
- 前端不会公开展示原始设备指纹
Claw 场景下的推荐流程
把脚本视作“后台执行器”,对话和确认由模型负责,不要把脚本提示直接当成最终用户体验。
在开始预览前,先输出一行启动提示:
🔍 ClawLockRank 正在准备本地体检结果上传预览,请稍候...
推荐顺序:
- 先运行预览命令:
python scripts/submit_score.py --preview-only
-
读取预览 JSON,向用户说明:
- 当前分数和等级
- 适配器与版本
- finding 数量
- 将公开上传的字段
- 明确不会上传的字段
-
告知用户排行榜会公开显示一个昵称,并先询问昵称:
- 留空则使用
Anonymous
- 留空则使用
-
再询问是否确认上传。
-
只有在用户明确同意后,才执行:
python scripts/upload.py --input \x3Cpayload_path> --nickname "\x3Cnickname>" --yes
其中 \x3Cpayload_path> 使用预览结果里的 payload_path。
如果是终端手动使用,也可以直接运行:
python scripts/submit_score.py
兼容性与降级规则
- 当前排行榜面向 OpenClaw 安全体检分数,脚本默认以
--adapter openclaw调用 ClawLock。 - 如需别的适配器,可显式传入
--adapter覆盖默认值。 - 如果
clawlock scan失败,直接把 CLI 的错误返回给用户,不要二次改写成“已通过”。 - 如果用户拒绝上传,明确说明:“已取消上传,本地结果未外传。”
- 如果 Worker 因冷却期、时间戳过旧或频率限制拒绝上传,直接展示 Worker 返回的错误。
服务端限制说明
排行榜后端会额外执行以下限制:
- 同一设备默认
24小时冷却 - 只接受最近一段时间内生成的扫描结果
- 同一 IP 有单独的频率限制
- 榜单和安全漏洞热点都只按设备最新一条有效结果统计
语言适配
- 面向用户的说明跟随用户当前语言。
clawlock scan --format json作为结构化输入,不依赖 CLI 文本语言。- 如用户显式设置
CLAWLOCK_LANG=zh,继续按中文对话即可;未设置或使用英文时,使用英文说明。
安全使用建议
This skill is largely coherent with its stated purpose: it runs a local ClawLock JSON scan, builds a sanitized payload, shows a preview, and uploads only after explicit confirmation. Before installing or using it: (1) inspect skill/config.json — it contains a default api_base (https://clawlock-rank-worker.dyyxml.workers.dev). If you don't trust that host, override it with --api-base or set CLAWLOCK_RANK_API_BASE to a trusted endpoint. (2) Understand that the skill sends the raw device_fingerprint and an evidence_hash derived from the entire scan report to the remote Worker; although the skill says raw configs and full reports are not uploaded, the evidence_hash is deterministic and could be used to correlate or fingerprint data. (3) Prefer the preview flow (--preview-only) to examine the sanitized payload before any network transmission. If you need higher assurance, ask the maintainer for details about how the Worker processes and stores device identifiers (e.g., server-side salting/hashing policy) or host your own Worker and point the skill to it. If you want this evaluated as fully benign, provide the Worker server's provenance (repository or operator) and confirm whether evidence_hash is computed from a reduced set of fields rather than the entire raw report.
功能分析
Type: OpenClaw Skill
Name: clawlock-rank
Version: 1.1.0
The clawlock-rank skill is designed to upload security scan results to a public leaderboard. The code in scripts/run_scan.py and scripts/upload.py implements strict sanitization to ensure only non-sensitive fields (e.g., scores, finding titles, tool versions) are transmitted, explicitly excluding environment variables and local file paths. The SKILL.md instructions require the AI agent to provide a preview and obtain explicit user confirmation before calling the upload script, which sends data to a Cloudflare Worker endpoint (clawlock-rank-worker.dyyxml.workers.dev).
能力评估
Purpose & Capability
Name/description, CLI guidance, and included scripts all focus on producing a sanitized payload from `clawlock scan --format json` and uploading it to a Worker endpoint. Declared runtime requirements (python >=3.9, clawlock>=2.2.1, clawlock CLI) line up with the code which calls the clawlock binary and normalizes its JSON output.
Instruction Scope
SKILL.md instructs the agent to run local scan->preview->ask user->upload and the scripts implement preview and confirmation. This is coherent and limits action to user-approved uploads. One nuance: the evidence_hash is computed from the full scan_report (run_scan.build_evidence_hash uses entire scan_report canonicalization) — although the skill promises not to upload the full raw report, creating a deterministic hash over the full report may leak information (or be used to correlate reports). This is a privacy/design detail users should be aware of.
Install Mechanism
Instruction-only skill (no installer). Provided Python scripts are included in the bundle and run locally; no external packages are downloaded by the skill itself. This is the lowest install risk.
Credentials
The skill declares no required credentials or env vars. It does optionally read CLAWLOCK_RANK_API_BASE and will use skill/config.json's api_base by default. config.json points to https://clawlock-rank-worker.dyyxml.workers.dev (a third-party Worker endpoint). Sending device_fingerprint and evidence_hash to that endpoint (even if server salts/hashes it) is functionally required for uploading and is proportionate to the uploader purpose, but users should confirm they trust the remote host. No unrelated credentials or config paths are requested.
Persistence & Privilege
always is false and the skill does not request permanent presence or modify other skills. It operates as a local script and only performs network calls when the user (or CLI flags) requests upload.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install clawlock-rank - 安装完成后,直接呼叫该 Skill 的名称或使用
/clawlock-rank触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.1.0
ClawLockRank 1.1.0 — 针对最新 ClawLock 环境、流程与兼容性进行完善:
- 支持 ClawLock 2.2.1+,增加最低依赖版本与详细适配平台说明。
- 明确以 ClawLock JSON 体检为唯一数据来源,细化随版本同步的字段上传范围和隐私保护规则。
- 完善触发边界,强调仅在用户明确上传排行榜意图时激活,排除普通体检、加固等场景。
- 补充支持推荐流程、榜单昵称、字段列表展现和多语言说明,提升交互一致性。
- 服务端安全策略、降级与异常处理说明更详细,明确用户体验优先级和出错反馈策略。
v1.0.0
- Initial release of clawlock-rank.
- Enables uploading ClawLock security score results to a public leaderboard, only upon explicit user intent.
- Clearly separates trigger conditions: upload only when user requests, never during local scans, viewing leaderboard, or development.
- Upload includes only selected fields for privacy; sensitive or detailed local data is never sent.
- Requires explicit user confirmation before uploading any data; preview shown ahead of upload.
- Handles errors and user refusal clearly, ensuring local results remain private unless confirmed.
元数据
常见问题
ClawLock-Rank 是什么?
ClawLockRank — 基于 ClawLock 2.2.1+ 本地体检结果的排行榜上传技能。 仅当用户明确要上传安全分、上传体检成绩、提交排行榜结果、同步分数到 ClawLockRank 时触发。 不要在普通安全体检、安全加固、调试开发、安装依赖或仅浏览榜单时触发。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 104 次。
如何安装 ClawLock-Rank?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install clawlock-rank」即可一键安装,无需额外配置。
ClawLock-Rank 是免费的吗?
是的,ClawLock-Rank 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
ClawLock-Rank 支持哪些平台?
ClawLock-Rank 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 ClawLock-Rank?
由 g0at(@g1at)开发并维护,当前版本 v1.1.0。
推荐 Skills