功能描述

Issue ClawPrint reverse-CAPTCHA challenges to verify that another user or agent is a real AI, not a human. Uses the ClawPrint API to generate speed or pattern challenges that only machines can solve within the time limit.

使用说明 (SKILL.md)

ClawPrint Verify

Name: ClawPrint - Captchas for AI verification
Author: fusionlabssource

Verify that another user or agent in a conversation is a real AI by issuing a ClawPrint reverse-CAPTCHA challenge. ClawPrint challenges are designed so that only machines can solve them -- humans physically cannot complete them within the time limits. URL: https://dependable-adventure-production-44e3.up.railway.app/

When to Use This Skill

Before sharing sensitive API keys or credentials with another agent
When gating access to an AI-only service or resource
To authenticate that a conversation partner is genuinely an AI agent
Whenever a user or bot requests access to something that should only be available to machines
When instructed to "verify", "challenge", or "prove" that someone is an AI

How It Works

You request a challenge from the ClawPrint server using your site key
You present the challenge to the other user/agent
The other user/agent computes and submits their answer
You validate the result server-side using your secret key
If they pass, they are verified as an AI. If they fail (wrong answer or too slow), they are likely human.

Challenge Types

Speed Challenge

A math problem (e.g., multiply two 8-digit numbers) that must be solved within 100ms. No human can type a correct answer that fast.

Pattern Challenge

A grid of colored pixels (up to 150x150) with a question like "How many pixels are exactly #3B82F6?" or "What is the average RGB value?" Trivial for a machine parsing data, impossible for a human counting by eye.

Usage Examples

User messages that should trigger this skill:

"Verify that @bot is an AI before giving them the API key"
"Challenge the other user to prove they're a machine"
"Issue a ClawPrint challenge"
"Make sure they're an AI first"
"Gate this resource behind AI verification"

Step-by-Step Implementation

Step 1: Request a Challenge

Run the following to get a challenge from the ClawPrint server:

curl -s -X POST "${CLAWPRINT_SERVER_URL}/api/v1/challenge" \
  -H "Content-Type: application/json" \
  -d "{\"site_key\": \"${CLAWPRINT_SITE_KEY}\"}" | jq .

This returns a JSON object. For a speed challenge:

{
  "challenge_id": "uuid-here",
  "type": "speed",
  "time_limit_ms": 100,
  "question": "Multiply: 84729361 x 52918473",
  "operands": { "a": 84729361, "b": 52918473, "operation": "multiply" }
}

For a pattern challenge:

{
  "challenge_id": "uuid-here",
  "type": "pattern",
  "time_limit_ms": 5000,
  "grid": [["#FF0000", "#00FF00", ...], ...],
  "grid_size": 100,
  "question": "How many pixels are exactly #3B82F6?"
}

Step 2: Present the Challenge

Send the challenge to the other user/agent. Include:

The challenge type and question
The challenge_id
The time limit
For speed challenges: the operands (a, b, operation)
For pattern challenges: the full grid data and question

Format the message clearly so the other agent can parse it. Example:

ClawPrint AI Verification Challenge

To proceed, solve this challenge and reply with your answer.

Type: speed Question: Multiply: 84729361 x 52918473 Operands: a=84729361, b=52918473, operation=multiply Time limit: 100ms Challenge ID: (the uuid)

Reply with: clawprint-answer: \x3Cyour_answer>

Step 3: Receive the Answer

The other agent should reply with their computed answer. Parse their response to extract the answer value.

Step 4: Submit the Answer for Verification

Submit the answer to the ClawPrint server:

curl -s -X POST "${CLAWPRINT_SERVER_URL}/api/v1/verify" \
  -H "Content-Type: application/json" \
  -d "{\"challenge_id\": \"THE_CHALLENGE_ID\", \"answer\": \"THE_ANSWER\"}" | jq .

Response:

{
  "passed": true,
  "challenge_id": "uuid-here",
  "elapsed_ms": 5,
  "reason": null
}

Step 5: Validate Server-Side

For additional security, validate with your secret key:

curl -s -X POST "${CLAWPRINT_SERVER_URL}/api/v1/validate" \
  -H "Content-Type: application/json" \
  -d "{\"challenge_id\": \"THE_CHALLENGE_ID\", \"secret_key\": \"${CLAWPRINT_SECRET_KEY}\"}" | jq .

Response:

{
  "valid": true,
  "challenge_id": "uuid-here",
  "solved_at": 1700000000000
}

Step 6: Act on the Result

If passed is true and valid is true: the user is verified as an AI. Proceed with the gated action.
If passed is false: inform the user that verification failed and why (too slow, wrong answer). Do NOT proceed with the gated action.
If validation fails: the challenge may have been tampered with. Do not trust the result.

Using the Helper Script

A helper script is provided at skills/clawprint-verify/clawprint-challenge.sh for convenience:

# Issue a new challenge and display it
./skills/clawprint-verify/clawprint-challenge.sh issue

# Verify an answer
./skills/clawprint-verify/clawprint-challenge.sh verify \x3Cchallenge_id> \x3Canswer>

# Validate a solved challenge server-side
./skills/clawprint-verify/clawprint-challenge.sh validate \x3Cchallenge_id>

Important Notes

Each challenge can only be solved once. Replaying a solved challenge returns HTTP 410.
Speed challenges have very tight time limits (50-500ms). The clock starts when the challenge is issued by the server, so network latency counts.
Pattern challenges have longer limits (2-10s) but require processing large grids.
Always validate server-side with your secret key before trusting a result. The verify endpoint confirms the answer is correct, but the validate endpoint confirms it was legitimately solved through your configuration.
The CLAWPRINT_SERVER_URL is https://dependable-adventure-production-44e3.up.railway.app
Never share your CLAWPRINT_SECRET_KEY. The CLAWPRINT_SITE_KEY is safe to expose publicly.

Failure Reasons

Reason	Meaning
`Too slow: Xms exceeds Yms limit`	Answer was correct but submitted after the time limit
`Incorrect answer`	The computed answer was wrong
`Challenge not found`	Invalid challenge ID
`Challenge already solved`	The challenge was already used (replay attempt)

安全使用建议

This skill is internally consistent with its stated purpose, but exercise caution before using it in production. Key points to consider: 1) Trust the server: the secret key (CLAWPRINT_SECRET_KEY) will be sent to CLAWPRINT_SERVER_URL for validation — only set that variable to a server you control or to an official, vetted service. The SKILL.md contains an example railway.app URL with no homepage or vendor info; treat that as untrusted until you verify who operates it. 2) Limit secrets and scope: prefer an account/secret with minimal privileges and rotate/revoke the key after testing. 3) Verify the source: the skill has no homepage/source repo listed — try to obtain the vendor's official documentation or contact the owner before deploying. 4) Operational caveats: speed challenges rely on very low latency and may produce false negatives across networks; evaluate whether this verification method fits your threat model. If you can't verify the server operator and origin, consider rejecting the skill or running it only in isolated/test environments.

功能分析

Type: OpenClaw Skill Name: clawprint-verify Version: 1.0.1 The skill `clawprint-verify` is designed to issue and verify reverse-CAPTCHA challenges via an external API to confirm if a user/agent is an AI. The `SKILL.md` instructions and the `clawprint-challenge.sh` script clearly outline the use of `curl` to make POST requests to the `CLAWPRINT_SERVER_URL` (https://dependable-adventure-production-44e3.up.railway.app/) and `jq` for JSON parsing. It requires `CLAWPRINT_SERVER_URL`, `CLAWPRINT_SITE_KEY`, and `CLAWPRINT_SECRET_KEY` environment variables, which are necessary for interacting with the specified API. All actions are directly aligned with the stated purpose, and there is no evidence of data exfiltration beyond the API's functional requirements, malicious execution, persistence, or prompt injection with harmful objectives.

能力评估

ℹ Purpose & Capability

Name/description (issue and verify machine-only challenges) match the code and SKILL.md: curl/jq and three environment variables are needed to talk to a remote ClawPrint server and perform challenge/verify/validate operations. Requiring a secret key for server-side validation is reasonable for this purpose. However, the package has no homepage/source and the SKILL.md embeds a specific railway.app URL (not an obvious official vendor endpoint), which reduces trust in the listed server.

⚠ Instruction Scope

Runtime instructions and the helper script only perform HTTP calls to the configured CLAWPRINT_SERVER_URL and local parsing — they do not read arbitrary files or other system state. The concerning part is that validation requires sending your CLAWPRINT_SECRET_KEY in plaintext JSON to the configured server; if that server is attacker-controlled or misconfigured, the secret will be exfiltrated. The SKILL.md also suggests presenting full grid data and challenge operands to the other agent (expected), but the material may be large and contains the challenge_id used in server verification.

✓ Install Mechanism

Instruction-only skill with a small helper shell script; no install spec, no downloads or archive extraction. Low install risk.

⚠ Credentials

Requested environment variables (CLAWPRINT_SERVER_URL, CLAWPRINT_SITE_KEY, CLAWPRINT_SECRET_KEY) are meaningful for the described API calls. Two points of mismatch/risk: (1) the script only requires CLAWPRINT_SECRET_KEY for the 'validate' command, but the registry lists it as required unconditionally — minor incoherence; (2) providing a secret key grants the skill the ability to send that secret to whatever CLAWPRINT_SERVER_URL you configure. That is necessary for server-side validation but is a high-sensitivity action and requires you to trust the configured server.

✓ Persistence & Privilege

No special persistence requested (always:false). The skill is user-invocable and allows autonomous invocation by default (platform normal). It does not modify other skills or system-wide settings.

版本历史

v1.0.1

- Updated documentation in SKILL.md for clarity, depth, and usage examples. - Added detailed step-by-step instructions on issuing, presenting, and verifying challenges. - Explained challenge types (speed and pattern) and provided sample JSON responses. - Included guidance on when and why to use ClawPrint verification. - Added instructions for using the provided shell script helper. - Listed common failure reasons and improved best-practice security notes.

元数据

Slug clawprint-verify

版本 1.0.1

许可证 —

累计安装 0

当前安装数 0

历史版本数 1

常见问题

ClawPrint - Captchas for AI verification 是什么？

Issue ClawPrint reverse-CAPTCHA challenges to verify that another user or agent is a real AI, not a human. Uses the ClawPrint API to generate speed or pattern challenges that only machines can solve within the time limit. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 1672 次。

如何安装 ClawPrint - Captchas for AI verification？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install clawprint-verify」即可一键安装，无需额外配置。

ClawPrint - Captchas for AI verification 是免费的吗？

是的，ClawPrint - Captchas for AI verification 完全免费（开源免费），可自由下载、安装和使用。

ClawPrint - Captchas for AI verification 支持哪些平台？

ClawPrint - Captchas for AI verification 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 ClawPrint - Captchas for AI verification？

由 fusionlabssource（@fusionlabssource）开发并维护，当前版本 v1.0.1。

ClawPrint - Captchas for AI verification