Low Risk — Risk Score 20/100
Last scan: 1 day ago
ratemyclaw
Scores an OpenClaw agent setup by scanning the workspace, generating local embeddings, and submitting taxonomy tags + embeddings to ratemyclaw.com for comparison.
A legitimate workspace-profiling tool that scans files and sends structured tags + embeddings to an external API. Minor documentation gaps around model config exposure, but no malicious behavior found.
Skill Name: ratemyclaw
Duration: 55.6s
Engine: pi
Safe to install
Consider documenting model name transmission in SKILL.md and pinning scikit-learn to a specific version.

Findings 4 items

Severity Finding Location
Low
Model configuration transmitted without documentation Doc Mismatch
The _detect_models() function reads ~/.openclaw/openclaw.json and extracts default_model, fallback_models, and heartbeat_model strings, which are included in the API submission payload. The SKILL.md 'What Gets Sent' section does not list model names, creating a doc-to-code mismatch.
models = {'default_model': None, 'fallback_models': [], 'heartbeat_model': None}
→ Add model names to the 'What Gets Sent' section of SKILL.md, or remove model extraction from the submission payload.
scripts/profile_generator.py:169
Low
Dependency version not pinned Supply Chain
requirements.txt specifies 'scikit-learn>=1.0' with no upper bound. This allows pip to install any future version, which could introduce malicious or vulnerable code.
scikit-learn>=1.0
→ Pin to a specific version, e.g., scikit-learn==1.5.2
requirements.txt:1
Low
Undeclared subprocess shell execution Priv Escalation
submit_profile.py executes pip install via subprocess.run() when scikit-learn is missing, but SKILL.md does not declare that this skill will execute shell commands.
subprocess.run([sys.executable, '-m', 'pip', 'install', '-r', str(req_file)])
→ Declare subprocess/shell capability in SKILL.md metadata or remove the auto-install feature.
scripts/submit_profile.py:164
Info
Accesses .secrets directory but only reads file names Sensitive Access
The scanner enumerates file names in ~/.openclaw/workspace/.secrets/ and includes them as integration signals. This is low-risk as only names (not contents) are read, and they are matched against a fixed taxonomy rather than exfiltrated raw.
elif subdir == '.secrets': signals['secrets'] = [f.name for f in items]
→ No action needed; behavior is benign but could be documented.
scripts/profile_generator.py:88
Resource Declared Inferred Status Evidence
Filesystem READ READ ✓ Aligned SKILL.md: workspace scan, scripts/profile_generator.py:31-100
Network WRITE WRITE ✓ Aligned SKILL.md: 'submits tags + embedding to ratemyclaw.com', scripts/submit_profile.p…
Environment READ READ ✓ Aligned SKILL.md: RATEMYCLAW_API_KEY env var, scripts/submit_profile.py:25
Shell NONE WRITE ✗ Violation scripts/submit_profile.py:164: subprocess.run(['pip', 'install', '-r', req_file]…
Skill Invoke NONE NONE No skill invocation observed
Clipboard NONE NONE No clipboard access
Browser NONE NONE No browser access
Database NONE NONE No database access
3 findings
Medium External URL
https://ratemyclaw.com**
README.md:7
Medium External URL
https://huggingface.co/sentence-transformers/all-MiniLM-L6-v2
README.md:19
Medium External URL
https://ratemyclaw.com
SKILL.md:7

File Tree

8 files · 48.0 KB · 1403 lines
Python 2f · 900L JSON 3f · 330L Markdown 2f · 172L Text 1f · 1L
├─ 📁 references
│ └─ 📋 taxonomy.json JSON 259L · 4.6 KB
├─ 📁 scripts
│ ├─ 📋 generated_profile.json JSON 66L · 1.3 KB
│ ├─ 🐍 profile_generator.py Python 561L · 23.0 KB
│ └─ 🐍 submit_profile.py Python 339L · 12.0 KB
├─ 📋 _meta.json JSON 5L · 129 B
├─ 📝 README.md Markdown 62L · 2.3 KB
├─ 📄 requirements.txt Text 1L · 18 B
└─ 📝 SKILL.md Markdown 110L · 4.7 KB

Dependencies 1 items

Package Version Source Known Vulns Notes
scikit-learn >=1.0 pip No Version not pinned; >=1.0 allows any version

Security Positives

✓ No credential theft: API keys and tokens are never read or exfiltrated
✓ No base64-encoded or obfuscated code found
✓ No remote script execution (curl|bash, wget|sh) detected
✓ No direct IP network requests; all traffic goes to ratemyclaw.com domain
✓ No sensitive file path access (no ~/.ssh, ~/.aws, .env reading)
✓ No C2 communication or reverse shell patterns
✓ Taxonomy-based tagging limits data exposure to predefined labels only
✓ User confirmation required before API key generation
✓ Embedding generation is local (MiniLM/TF-IDF) before transmission
✓ Raw file contents are explicitly excluded from submissions per documentation
✓ Good: API key file saved with chmod 600
✓ Good: Input prompts support non-interactive --yes flag for automation