← Back to Skills Marketplace
g1at

ClawLock-Rank

by g0at · GitHub ↗ · v1.1.0 · MIT-0
cross-platform ⚠ suspicious
104
Downloads
1
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install clawlock-rank
Description
ClawLockRank — 基于 ClawLock 2.2.1+ 本地体检结果的排行榜上传技能。 仅当用户明确要上传安全分、上传体检成绩、提交排行榜结果、同步分数到 ClawLockRank 时触发。 不要在普通安全体检、安全加固、调试开发、安装依赖或仅浏览榜单时触发。
README (SKILL.md)

ClawLockRank

基于 ClawLock 体检结果构建的排行榜上传技能,面向“本地完成体检后,自愿把成绩同步到 ClawLockRank”的场景。 English Version → SKILL_EN.md

安装与使用

python scripts/submit_score.py
python scripts/submit_score.py --preview-only

触发边界

仅在用户明确要求上传排行榜成绩时触发。

用户意图 执行动作
上传安全分 / 上传体检成绩 / 提交排行榜结果 启动本 skill
普通安全体检 / 安全加固 / 版本检查 交给 ClawLock 主 skill 或直接调用 clawlock CLI
仅浏览榜单 / 介绍项目 / 调试脚本 不触发本 skill

常见触发词:

  • 上传安全分
  • 上传安全体检分数
  • 上传排行榜
  • 提交体检成绩
  • 把这次体检结果上传到 ClawLockRank
  • 同步分数到 ClawLockRank

如果用户只是说“开始安全体检”或“帮我加固”,优先交给 ClawLock 主 skill,而不是本 skill。

单一事实来源

  • 体检结果以 clawlock scan --format json 为唯一事实来源。
  • 只使用 ClawLock JSON 里明确给出的字段,不自行补造步骤计数、风险总表或额外结论。
  • 对用户的说明分成两层:
    • ClawLock 结果:只转述 CLI 已经给出的分数、等级、适配器、版本和 findings。
    • 影响说明:再用自然语言解释为什么值得上传、哪些字段会公开。
  • 如果当前环境里的 clawlock 版本低于 2.2.1,先提示用户升级,再继续后续动作。

隐私与上传范围

默认先在本地执行体检,只有在用户明确确认后才会上传。

允许上传的字段仅包括:

  • tool
  • clawlock_version
  • adapter
  • adapter_version
  • device_fingerprint
  • evidence_hash
  • score
  • grade
  • nickname
  • findings[].scanner
  • findings[].level
  • findings[].title
  • timestamp

明确不会上传:

  • 原始配置文件
  • remediation / 修复建议文本
  • 本地文件路径或 location
  • 环境变量
  • 完整原始扫描报告
  • scan_history.json

设备指纹说明:

  • 原始 device_fingerprint 只发送给排行榜 Worker
  • Worker 会在服务端做加盐哈希后再入库
  • 前端不会公开展示原始设备指纹

Claw 场景下的推荐流程

把脚本视作“后台执行器”,对话和确认由模型负责,不要把脚本提示直接当成最终用户体验。

在开始预览前,先输出一行启动提示:

🔍 ClawLockRank 正在准备本地体检结果上传预览,请稍候...

推荐顺序:

  1. 先运行预览命令:
python scripts/submit_score.py --preview-only

  1. 读取预览 JSON,向用户说明:

    • 当前分数和等级
    • 适配器与版本
    • finding 数量
    • 将公开上传的字段
    • 明确不会上传的字段

  2. 告知用户排行榜会公开显示一个昵称,并先询问昵称:

    • 留空则使用 Anonymous

  3. 再询问是否确认上传。

  4. 只有在用户明确同意后,才执行:

python scripts/upload.py --input \x3Cpayload_path> --nickname "\x3Cnickname>" --yes

其中 \x3Cpayload_path> 使用预览结果里的 payload_path

如果是终端手动使用,也可以直接运行:

python scripts/submit_score.py

兼容性与降级规则

  • 当前排行榜面向 OpenClaw 安全体检分数,脚本默认以 --adapter openclaw 调用 ClawLock。
  • 如需别的适配器,可显式传入 --adapter 覆盖默认值。
  • 如果 clawlock scan 失败,直接把 CLI 的错误返回给用户,不要二次改写成“已通过”。
  • 如果用户拒绝上传,明确说明:“已取消上传,本地结果未外传。”
  • 如果 Worker 因冷却期、时间戳过旧或频率限制拒绝上传,直接展示 Worker 返回的错误。

服务端限制说明

排行榜后端会额外执行以下限制:

  • 同一设备默认 24 小时冷却
  • 只接受最近一段时间内生成的扫描结果
  • 同一 IP 有单独的频率限制
  • 榜单和安全漏洞热点都只按设备最新一条有效结果统计

语言适配

  • 面向用户的说明跟随用户当前语言。
  • clawlock scan --format json 作为结构化输入,不依赖 CLI 文本语言。
  • 如用户显式设置 CLAWLOCK_LANG=zh,继续按中文对话即可;未设置或使用英文时,使用英文说明。
Usage Guidance
This skill is largely coherent with its stated purpose: it runs a local ClawLock JSON scan, builds a sanitized payload, shows a preview, and uploads only after explicit confirmation. Before installing or using it: (1) inspect skill/config.json — it contains a default api_base (https://clawlock-rank-worker.dyyxml.workers.dev). If you don't trust that host, override it with --api-base or set CLAWLOCK_RANK_API_BASE to a trusted endpoint. (2) Understand that the skill sends the raw device_fingerprint and an evidence_hash derived from the entire scan report to the remote Worker; although the skill says raw configs and full reports are not uploaded, the evidence_hash is deterministic and could be used to correlate or fingerprint data. (3) Prefer the preview flow (--preview-only) to examine the sanitized payload before any network transmission. If you need higher assurance, ask the maintainer for details about how the Worker processes and stores device identifiers (e.g., server-side salting/hashing policy) or host your own Worker and point the skill to it. If you want this evaluated as fully benign, provide the Worker server's provenance (repository or operator) and confirm whether evidence_hash is computed from a reduced set of fields rather than the entire raw report.
Capability Analysis
Type: OpenClaw Skill Name: clawlock-rank Version: 1.1.0 The clawlock-rank skill is designed to upload security scan results to a public leaderboard. The code in scripts/run_scan.py and scripts/upload.py implements strict sanitization to ensure only non-sensitive fields (e.g., scores, finding titles, tool versions) are transmitted, explicitly excluding environment variables and local file paths. The SKILL.md instructions require the AI agent to provide a preview and obtain explicit user confirmation before calling the upload script, which sends data to a Cloudflare Worker endpoint (clawlock-rank-worker.dyyxml.workers.dev).
Capability Assessment
Purpose & Capability
Name/description, CLI guidance, and included scripts all focus on producing a sanitized payload from `clawlock scan --format json` and uploading it to a Worker endpoint. Declared runtime requirements (python >=3.9, clawlock>=2.2.1, clawlock CLI) line up with the code which calls the clawlock binary and normalizes its JSON output.
Instruction Scope
SKILL.md instructs the agent to run local scan->preview->ask user->upload and the scripts implement preview and confirmation. This is coherent and limits action to user-approved uploads. One nuance: the evidence_hash is computed from the full scan_report (run_scan.build_evidence_hash uses entire scan_report canonicalization) — although the skill promises not to upload the full raw report, creating a deterministic hash over the full report may leak information (or be used to correlate reports). This is a privacy/design detail users should be aware of.
Install Mechanism
Instruction-only skill (no installer). Provided Python scripts are included in the bundle and run locally; no external packages are downloaded by the skill itself. This is the lowest install risk.
Credentials
The skill declares no required credentials or env vars. It does optionally read CLAWLOCK_RANK_API_BASE and will use skill/config.json's api_base by default. config.json points to https://clawlock-rank-worker.dyyxml.workers.dev (a third-party Worker endpoint). Sending device_fingerprint and evidence_hash to that endpoint (even if server salts/hashes it) is functionally required for uploading and is proportionate to the uploader purpose, but users should confirm they trust the remote host. No unrelated credentials or config paths are requested.
Persistence & Privilege
always is false and the skill does not request permanent presence or modify other skills. It operates as a local script and only performs network calls when the user (or CLI flags) requests upload.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install clawlock-rank
  3. After installation, invoke the skill by name or use /clawlock-rank
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.0
ClawLockRank 1.1.0 — 针对最新 ClawLock 环境、流程与兼容性进行完善: - 支持 ClawLock 2.2.1+,增加最低依赖版本与详细适配平台说明。 - 明确以 ClawLock JSON 体检为唯一数据来源,细化随版本同步的字段上传范围和隐私保护规则。 - 完善触发边界,强调仅在用户明确上传排行榜意图时激活,排除普通体检、加固等场景。 - 补充支持推荐流程、榜单昵称、字段列表展现和多语言说明,提升交互一致性。 - 服务端安全策略、降级与异常处理说明更详细,明确用户体验优先级和出错反馈策略。
v1.0.0
- Initial release of clawlock-rank. - Enables uploading ClawLock security score results to a public leaderboard, only upon explicit user intent. - Clearly separates trigger conditions: upload only when user requests, never during local scans, viewing leaderboard, or development. - Upload includes only selected fields for privacy; sensitive or detailed local data is never sent. - Requires explicit user confirmation before uploading any data; preview shown ahead of upload. - Handles errors and user refusal clearly, ensuring local results remain private unless confirmed.
Metadata
Slug clawlock-rank
Version 1.1.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 2
Frequently Asked Questions

What is ClawLock-Rank?

ClawLockRank — 基于 ClawLock 2.2.1+ 本地体检结果的排行榜上传技能。 仅当用户明确要上传安全分、上传体检成绩、提交排行榜结果、同步分数到 ClawLockRank 时触发。 不要在普通安全体检、安全加固、调试开发、安装依赖或仅浏览榜单时触发。 It is an AI Agent Skill for Claude Code / OpenClaw, with 104 downloads so far.

How do I install ClawLock-Rank?

Run "/install clawlock-rank" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is ClawLock-Rank free?

Yes, ClawLock-Rank is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does ClawLock-Rank support?

ClawLock-Rank is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created ClawLock-Rank?

It is built and maintained by g0at (@g1at); the current version is v1.1.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments