Security Scan
OpenClaw
Suspicious
medium confidence
The skill's functionality (a cloud API that verifies documents/code) is plausible, but there are inconsistent declarations about required credentials and data storage that warrant caution before installing or sending sensitive content.
Assessment and recommendations
This skill appears to call a cloud API to analyze and certify documents/code, which is consistent with its description — but before you install or use it, confirm two things with the vendor or skill author: (1) the skill does require a GAUNTLET_API_KEY (the SKILL.md shows this) even though the registry summary omitted it; (2) clarify the data-retention model — the README both says 'documents processed in memory and not stored' and that it maintains a persistent 'knowledge graph' of verified clai...
ℹ Purpose and capabilities
The name/description match the SKILL.md examples (POST to https://api.gauntletscore.com/v1/analyze and GET job status). Requiring an API key for a SaaS verification service is expected. Minor mismatch: SKILL.md advertises a 'Sovereign Edition' that runs on-prem, but the provided instructions only show a cloud API; that's a capability/marketing mismatch to clarify.
ℹ Instruction scope
Runtime instructions are limited and explicit: submit document or source_url to the remote API and poll results. This stays within the stated purpose. However, the doc contains contradictory claims about storage: it says 'Documents are processed in memory and not stored' but also states 'Every verified and debunked claim is stored in a persistent knowledge graph,' which implies some form of server-side persistence of derived data. That contradiction affects privacy expectations and should be clarified.
✓ Install mechanism
No install spec and no code files — lowest-risk delivery model. The skill is instruction-only and will rely on the platform's normal network capabilities.
⚠ Credential requirements
Registry metadata listed no required environment variables, but the SKILL.md's embedded clawdbot config explicitly lists GAUNTLET_API_KEY as required. That inconsistency is important: the skill will need a secret API key for the service, despite the registry summary saying none. No unrelated credentials are requested, but the mismatch in declarations is a red flag.
ℹ Persistence and privileges
The skill does not set always:true and requests no special local privileges. The primary privacy/privilege concern is network egress to api.gauntletscore.com (the service will receive submitted content). The apparent server-side 'knowledge graph' persistence increases blast radius for sensitive data if it is in fact retained.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Install command
Official: npx clawhub@latest install gauntletscore
Mirror: npx clawhub@latest install gauntletscore --registry https://cn.longxiaskill.com