Total downloads: 305
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install rankclaw
Description
RankClaw — AI Agent Trust Layer. Check any ClawHub, OpenClaw, nanobot, nanoclaw, picoclaw, or MCP server skill against 14,700+ indexed tools before installin...
Security usage recommendations
RankClaw appears to be what it says (a remote skill-auditing service) but it asks you to add a persistent MCP server that sends agent requests to https://api.rankclaw.com. Before installing or adding it to your agent config:
1) Do not send secrets or local files to the service until you confirm what data is transmitted — test rankclaw_check using innocuous skill names first.
2) Inspect the bundled mcp_bridge.py (it is a simple HTTP→stdio proxy) and prefer using the bundled file rather than curling at runtime; note the example filename mismatch (mcp_bridge.py vs rankclaw_mcp_bridge.py) — fix it if you deploy.
3) Treat the prompt-injection finding seriously: open SKILL.md and SECURITY_AUDIT.md and verify there are no hidden/obfuscated instructions telling the agent to ignore safeguards.
4) Ask the maintainer for a privacy/security policy and the server-side audit code or allow-listing mechanism (what exactly is sent to the server, retention policy, and whether SKILL.md or other local files are uploaded).
5) If you have sensitive credentials or run agents with host-level access, avoid persistent registration of third-party MCP servers; instead run checks manually or self-host an audit service.
If you want, I can produce a short checklist of exact MCP RPCs to test or help craft a minimal test invocation that doesn't leak sensitive data.
Functional analysis
Type: OpenClaw Skill
Name: rankclaw
Version: 2.1.0
The RankClaw skill is a security trust layer for AI agents, designed to audit other skills. Its `SKILL.md` provides legitimate instructions for agents to integrate and use its security checking services, including downloading and executing the `mcp_bridge.py` script from its GitHub repository. The `mcp_bridge.py` script functions as a benign proxy, forwarding JSON-RPC requests to the declared `https://api.rankclaw.com/api/mcp/` endpoint without any unauthorized file system access, credential handling, or arbitrary code execution. The `SECURITY_AUDIT.md` file is meta-documentation for human analysts and does not contain executable code or agent instructions. All observed behaviors are consistent with the skill's stated purpose, with no evidence of malicious intent or significant vulnerabilities.
Capability assessment
Purpose & Capability
The name and description (an external trust/audit service) align with the provided files: SKILL.md documents remote checks and an MCP API, and mcp_bridge.py proxies MCP traffic to https://api.rankclaw.com/api/mcp/. Requesting no env vars and no local privileged installs is proportionate to a remote auditing service. The capability to call out to a remote API is coherent with the claimed purpose.
Instruction Scope
SKILL.md instructs agents to register RankClaw as an MCP server (persistent config change) and to call rankclaw_check/rankclaw_score RPCs. The SKILL.md also contains a flagged prompt-injection token ('ignore-previous-instructions'), which suggests either an adversarial attempt to manipulate agent behavior or a false positive in pattern-matching; either way it deserves human review. The document also recommends curling a bridge script from raw.githubusercontent.com (a runtime download) — the skill both bundles a bridge and suggests downloading it, and there is a filename inconsistency in examples (mcp_bridge.py vs rankclaw_mcp_bridge.py).
Install Mechanism
There is no declared install spec (instruction-only), which limits on-disk installs. However SKILL.md recommends curling a raw GitHub URL (https://raw.githubusercontent.com/RankClaw/rankclaw/main/mcp_bridge.py) — GitHub raw is a common source but still a runtime download that executes locally. The package also bundles mcp_bridge.py, so the curl instruction is redundant and the filename mismatch is a coherence issue to review.
Credentials
The package declares no required environment variables or credentials, which is proportional. That said, registering an MCP server hands a remote service the ability to receive whatever the agent sends (skill names, possibly SKILL.md content or other context depending on client behavior). The skill itself doesn't request secrets, but the network proxy behavior means sensitive local data could be transmitted indirectly depending on how the agent calls the remote API.
Persistence & Privilege
The SKILL.md explicitly instructs users/agents to add RankClaw to persistent agent config files (~/.nanobot/config.json, .mcp.json). That creates an ongoing outbound channel to a third-party server. 'always' is false, and the skill doesn't force installation, but instructing persistent config changes increases the blast radius and should be treated carefully.
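How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: `/install rankclaw`
- Once installation completes, call the Skill by name or trigger it with `/rankclaw`
- Provide the required input according to the Skill's parameter description to get structured output
Version history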
v2.1.0
**Major update: Expanded documentation and improved guidance for agent security checks.**
- Added a comprehensive SKILL.md describing RankClaw’s purpose, trust layer features, and security evaluation process.
- Detailed integration steps for OpenClaw, nanoclaw, picoclaw, nanobot, and MCP-compatible clients.
- Explained audit criteria and attack pattern detection: prompt injection, phantom prerequisites, brand impersonation, credential staging, supply chain pivots, and scope creep.
- Outlined agent decision protocols, score interpretation, and examples for safer skill installation workflows.
- Provided new sections for direct API usage, score freshness, leaderboard access, badge embedding, and guidance for skill authors.
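Metadata
FAQ
What is RankClaw?
RankClaw — AI Agent Trust Layer. Check any ClawHub, OpenClaw, nanobot, nanoclaw, picoclaw, or MCP server skill against 14,700+ indexed tools before installin... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 305 cumulative downloads so far.
How do I install RankClaw?
Run the command "/install rankclaw" in the OpenClaw or Claude Code chat box for a one-click install; no extra configuration is needed.
Is RankClaw free?
Yes, RankClaw is completely free (free and open source) and can be freely downloaded, installed and used.
Which platforms does RankClaw support?
RankClaw runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who develops RankClaw?
It is developed and maintained by tudoanh (@tudoanh); the current version is v2.1.0.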