Methodology

How SaferClaw Works

SaferClaw is a capability-based risk index for skills and tools in the OpenClaw ecosystem. It is designed to quickly answer what a tool can do before you enable it.

What the index measures

Every tool is scored on three dimensions using deterministic evidence.

Locality

Where execution happens.

  • Local: local CLI only.
  • Hybrid: local plus remote API.
  • Cloud: hosted service.

Data access

What kind of data can be read.

  • Public: docs and public pages.
  • Personal: calendars or profile data.
  • Sensitive: secrets and tokens.

Actions

What the tool can change.

  • Read: query-only operations.
  • Write: editing files/settings.
  • Execute: shell commands/deployments.

How rating is computed

  • Max-risk rule: each dimension is set to the highest level found among the tool's detected capabilities. A single higher-level signal bumps the whole dimension up to that level.
  • Hybrid locality: a tool is rated Hybrid when the evidence shows both local execution and use of cloud services (local+cloud).
  • Each detail page includes evidence links and bullet explanations for why each level was assigned.
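The rule above, as an added example that is not SaferClaw's own code: the level names are the page's, the listed order of levels is assumed to run from lowest to highest risk, and the capability-signal record layout plus the sample threshold are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Levels per dimension, ordered low -> high as listed on the page (assumed ordering).
LEVELS: Dict[str, List[str]] = {
    "locality": ["Local", "Hybrid", "Cloud"],
    "data_access": ["Public", "Personal", "Sensitive"],
    "actions": ["Read", "Write", "Execute"],
}

@dataclass(frozen=True)
class Signal:
    """One detected capability; the field layout is a constructed assumption."""
    dimension: str  # key of LEVELS
    level: str      # one of that dimension's levels
    evidence: str   # why it was detected (becomes the detail-page bullet)

def rate(signals: List[Signal]) -> Dict[str, Tuple[str, List[str]]]:
    """Apply the max-risk rule: each dimension takes the highest level among
    its detected capabilities. Locality with both Local and Cloud evidence is
    Hybrid (local+cloud). Returns {dimension: (level, evidence bullets)}."""
    rating = {}
    for dim, order in LEVELS.items():
        seen = [s for s in signals if s.dimension == dim]
        for s in seen:
            if s.level not in order:
                raise ValueError(f"unknown level {s.level!r} for {dim}")
        if not seen:
            # Missing evidence is flagged, not treated as proof of low risk.
            rating[dim] = (order[0], ["no signals detected; verify manually"])
            continue
        levels = {s.level for s in seen}
        if dim == "locality" and {"Local", "Cloud"} <= levels:
            level = "Hybrid"
        else:
            level = max(levels, key=order.index)
        rating[dim] = (level, [f"{s.level}: {s.evidence}" for s in seen])
    return rating

def exceeds_threshold(rating, threshold: Dict[str, str]) -> List[str]:
    """Dimensions rated above an environment's approval threshold, e.g. a
    constructed production policy {"locality": "Hybrid", "data_access": "Personal", "actions": "Write"}."""
    return [dim for dim, (level, _) in rating.items()
            if LEVELS[dim].index(level) > LEVELS[dim].index(threshold[dim])]
```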

How to use this index

  • Use it to triage tools before install or enablement.
  • Use it to compare alternatives with similar features but lower capability risk.
  • Open each tool detail page and follow the recommended Best practices before enabling it.
  • Use it to set approval thresholds for personal devices, team workspaces, and production environments.

Limitations and disclaimer

  • This is not a full security audit and not legal advice.
  • Some source data can be incomplete, stale, or missing context.
  • Skills and tools are sourced from ClawHub through automated fetches.
  • Always validate permissions and behavior before enabling tools in production or high-stakes workflows.
  • Important: this system is built for fast coverage, not exhaustive analysis. We do not run full security scans on every skill.
  • Ratings are provided in good faith based on available signals, but they should always be independently verified. No guarantees are made.

Sources and update cadence

  • Ratings are generated from skill metadata, capability signals, and published evidence links.
  • Index data refreshes when the ingest and rating generation pipeline runs.
  • Per-tool pages expose source links used for the current snapshot.

Contribute or report issues

Found a wrong rating or stale evidence? Send a report with the tool slug and what looks incorrect. Seriously, just message me or reply to me on X.