ClawHub

ClawPrint - Captchas for AI verification

v1.0.0

Issue ClawPrint reverse-CAPTCHA challenges to verify that another user or agent is a real AI, not a human. Uses the ClawPrint API to generate speed or pattern challenges that only machines can solve within the time limit.

1· 1.6k·0 current·0 all-time
by@fusionlabssource·duplicate of ai-captcha
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, required binaries (curl, jq), and the three environment variables (server URL, site key, secret key) are consistent with an API-driven challenge/verification workflow. The bundled helper script performs only the expected API calls (challenge, verify, validate).
Instruction Scope
SKILL.md instructs the agent to request challenges, present the full challenge data to the other agent, accept replies, and post answers to the configured server for verification and validation. That is coherent for the stated purpose, but it explicitly directs the agent to transmit challenge payloads (grids, operands) and — during validation — the secret key to the configured CLAWPRINT_SERVER_URL. Presenting full grid data to third parties is necessary for pattern challenges but increases the amount of data shared with conversation partners. The instructions also advise using validation with the secret key (server-side) — which sends a sensitive secret to the server; the skill assumes the server is trusted.
Install Mechanism
No install spec; the skill is instruction-only plus a small helper shell script. No downloads or external installers are used. This is low-risk from an install/execution standpoint.
!
Credentials
The registry declares CLAWPRINT_SECRET_KEY as required, but the helper script only needs the secret for the 'validate' action; issuing and verifying can work with just server URL and site key. Requiring a private secret by default is disproportionate. More importantly, the skill's functionality requires sending that secret to the configured CLAWPRINT_SERVER_URL for server-side validation — meaning you must trust that remote server with a high-value secret. There is no homepage or trusted upstream source listed, which increases the risk of secret exfiltration.
Persistence & Privilege
The skill does not request elevated platform privileges, does not set always:true, and does not modify other skills' configuration. Autonomous invocation is allowed (platform default) but not combined here with other privilege escalations.
What to consider before installing
This skill appears to implement a legitimate challenge/verify flow, but exercise caution because the skill requires a private secret that will be sent to whatever CLAWPRINT_SERVER_URL you configure. Before installing: (1) verify the ClawPrint server endpoint and operator are trustworthy (there's no homepage or known owner listed); (2) don't supply high-value production secrets — test with disposable keys first; (3) consider whether you truly need server-side validation (validate uses the secret) or if verify alone is sufficient; (4) be aware that presenting full challenge data to other agents may disclose data you wouldn't otherwise share; and (5) if you can't confirm the server's trustworthiness, do not provide CLAWPRINT_SECRET_KEY. Confidence is medium because the code is coherent with its purpose but the unknown source and default requirement for a secret create meaningful risk.

Like a lobster shell, security has layers — review code before you run it.

latestvk9780r2j4wqwnxafyeafw5tnp980gybh

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🐾 Clawdis
Binscurl, jq
EnvCLAWPRINT_SERVER_URL, CLAWPRINT_SITE_KEY, CLAWPRINT_SECRET_KEY

SKILL.md

ClawPrint Verify

Verify that another user or agent in a conversation is a real AI by issuing a ClawPrint reverse-CAPTCHA challenge. ClawPrint challenges are designed so that only machines can solve them -- humans physically cannot complete them within the time limits.

When to Use This Skill

  • Before sharing sensitive API keys or credentials with another agent
  • When gating access to an AI-only service or resource
  • To authenticate that a conversation partner is genuinely an AI agent
  • Whenever a user or bot requests access to something that should only be available to machines
  • When instructed to "verify", "challenge", or "prove" that someone is an AI

How It Works

  1. You request a challenge from the ClawPrint server using your site key
  2. You present the challenge to the other user/agent
  3. The other user/agent computes and submits their answer
  4. You validate the result server-side using your secret key
  5. If they pass, they are verified as an AI. If they fail (wrong answer or too slow), they are likely human.

Challenge Types

Speed Challenge

A math problem (e.g., multiply two 8-digit numbers) that must be solved within 100ms. No human can type a correct answer that fast.

Pattern Challenge

A grid of colored pixels (up to 150x150) with a question like "How many pixels are exactly #3B82F6?" or "What is the average RGB value?" Trivial for a machine parsing data, impossible for a human counting by eye.

Usage Examples

User messages that should trigger this skill:

  • "Verify that @bot is an AI before giving them the API key"
  • "Challenge the other user to prove they're a machine"
  • "Issue a ClawPrint challenge"
  • "Make sure they're an AI first"
  • "Gate this resource behind AI verification"

Step-by-Step Implementation

Step 1: Request a Challenge

Run the following to get a challenge from the ClawPrint server:

curl -s -X POST "${CLAWPRINT_SERVER_URL}/api/v1/challenge" \
  -H "Content-Type: application/json" \
  -d "{\"site_key\": \"${CLAWPRINT_SITE_KEY}\"}" | jq .

This returns a JSON object. For a speed challenge:

{
  "challenge_id": "uuid-here",
  "type": "speed",
  "time_limit_ms": 100,
  "question": "Multiply: 84729361 x 52918473",
  "operands": { "a": 84729361, "b": 52918473, "operation": "multiply" }
}

For a pattern challenge:

{
  "challenge_id": "uuid-here",
  "type": "pattern",
  "time_limit_ms": 5000,
  "grid": [["#FF0000", "#00FF00", ...], ...],
  "grid_size": 100,
  "question": "How many pixels are exactly #3B82F6?"
}

Step 2: Present the Challenge

Send the challenge to the other user/agent. Include:

  • The challenge type and question
  • The challenge_id
  • The time limit
  • For speed challenges: the operands (a, b, operation)
  • For pattern challenges: the full grid data and question

Format the message clearly so the other agent can parse it. Example:

ClawPrint AI Verification Challenge

To proceed, solve this challenge and reply with your answer.

Type: speed Question: Multiply: 84729361 x 52918473 Operands: a=84729361, b=52918473, operation=multiply Time limit: 100ms Challenge ID: (the uuid)

Reply with: clawprint-answer: <your_answer>

Step 3: Receive the Answer

The other agent should reply with their computed answer. Parse their response to extract the answer value.

Step 4: Submit the Answer for Verification

Submit the answer to the ClawPrint server:

curl -s -X POST "${CLAWPRINT_SERVER_URL}/api/v1/verify" \
  -H "Content-Type: application/json" \
  -d "{\"challenge_id\": \"THE_CHALLENGE_ID\", \"answer\": \"THE_ANSWER\"}" | jq .

Response:

{
  "passed": true,
  "challenge_id": "uuid-here",
  "elapsed_ms": 5,
  "reason": null
}

Step 5: Validate Server-Side

For additional security, validate with your secret key:

curl -s -X POST "${CLAWPRINT_SERVER_URL}/api/v1/validate" \
  -H "Content-Type: application/json" \
  -d "{\"challenge_id\": \"THE_CHALLENGE_ID\", \"secret_key\": \"${CLAWPRINT_SECRET_KEY}\"}" | jq .

Response:

{
  "valid": true,
  "challenge_id": "uuid-here",
  "solved_at": 1700000000000
}

Step 6: Act on the Result

  • If passed is true and valid is true: the user is verified as an AI. Proceed with the gated action.
  • If passed is false: inform the user that verification failed and why (too slow, wrong answer). Do NOT proceed with the gated action.
  • If validation fails: the challenge may have been tampered with. Do not trust the result.

Using the Helper Script

A helper script is provided at skills/clawprint-verify/clawprint-challenge.sh for convenience:

# Issue a new challenge and display it
./skills/clawprint-verify/clawprint-challenge.sh issue

# Verify an answer
./skills/clawprint-verify/clawprint-challenge.sh verify <challenge_id> <answer>

# Validate a solved challenge server-side
./skills/clawprint-verify/clawprint-challenge.sh validate <challenge_id>

Important Notes

  • Each challenge can only be solved once. Replaying a solved challenge returns HTTP 410.
  • Speed challenges have very tight time limits (50-500ms). The clock starts when the challenge is issued by the server, so network latency counts.
  • Pattern challenges have longer limits (2-10s) but require processing large grids.
  • Always validate server-side with your secret key before trusting a result. The verify endpoint confirms the answer is correct, but the validate endpoint confirms it was legitimately solved through your configuration.
  • Never share your CLAWPRINT_SECRET_KEY. The CLAWPRINT_SITE_KEY is safe to expose publicly.

Failure Reasons

ReasonMeaning
Too slow: Xms exceeds Yms limitAnswer was correct but submitted after the time limit
Incorrect answerThe computed answer was wrong
Challenge not foundInvalid challenge ID
Challenge already solvedThe challenge was already used (replay attempt)

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…