You found three OpenClaw skills that all claim to do the same job. One shows a 9.1, one an 8.7, one a 7.4. The reflex is to install the 9.1 and move on. That reflex is the bug. A single rating is an average, and an average discards the one fact you actually needed: which tradeoff you just agreed to.
This shows up across AI dev tools generally. A marketplace UI wants a sortable column, so every skill, plugin, and extension gets crushed into one figure. The figure looks objective. It is not — it is a weighting decision someone else made for you, then hid.
Why a single score hides the decision
A composite number blends qualities that have nothing to do with each other. A skill can earn a 9.1 by being fast, having clean docs, and shipping a slick one-line installer — while quietly requesting unrestricted shell access and calling a network endpoint on every run. Another skill scores 7.4 because it is narrow, the README is thin, and setup takes four manual steps. But it touches nothing outside the directory you point it at.
Averaged together, the safer skill looks like the worse pick. The score never measured safety as something you might weigh more heavily than polish. It folded safety into the same bucket as documentation quality and gave both an equal vote.
It gets worse as raters pile up. If one reviewer cares about speed and another cares about permissions, their scores partly cancel. An 8.7 in the middle is not a consensus that the skill is "pretty good" — it can be two strong, opposite opinions averaged into mush. You cannot recover either signal from the result.
The fix is not a smarter formula. It is refusing to collapse in the first place. Score the axes that matter, keep them apart, and let the reader — you — apply the weighting your situation calls for.
Four axes worth scoring on their own
A workable framework for evaluating OpenClaw skills, and most AI coding assistants and agent extensions, breaks into four independent axes. None of them should be averaged into the others.
Task fit. Does the skill do the specific job you have, not the category it advertises? A "database migration" skill that only targets Postgres is a 10 for your Postgres project and a 0 for your SQLite one. Measure fit against your actual stack and task, not the marketing line. The honest score here is often binary per use case.
Security surface. What can the skill reach, and what does it do with that reach? Concretely: which scopes does it request on install, does it execute shell commands, does it make outbound network calls, does it pull third-party code at runtime. A skill that runs offline inside one folder is a different risk class from one that pipes your repo contents to an API you have never heard of.
Install friction. Count the steps from "decided to try it" to "running." A one-line install with sane defaults is low friction. Required API keys, hand-edited config files, and undocumented dependencies are high friction. This axis is low-stakes alone — but high friction multiplied across a dozen skills is how an environment becomes unreproducible.
Update activity. When was the last commit, how often do releases ship, how fast do reported issues get a response. A skill last touched fourteen months ago is a maintenance bet you are making with your own time. This is not about star counts; it is about whether someone will fix the thing when your toolchain moves under it.
Security surface is the axis a blended score corrupts most. A skill can rank near the top overall and still request broad filesystem and network access you would never grant if it were shown on its own line. Read the requested permissions before you install — the composite rating never will.
Reading four numbers instead of one
Four axes give you a small profile per skill instead of a rank. The point of the profile is that you weight it, and the weighting shifts with context.
Running a skill in CI, unattended, against a production repo? Security surface and update activity dominate, and install friction barely matters because you pay it once inside a Docker image. Trying a skill locally for a throwaway experiment? Task fit and install friction are what you feel; a stale last-commit date is survivable for an afternoon.
This is also how you compare skills honestly. Put the candidates side by side on all four axes and the tradeoff becomes visible: skill A wins on task fit, skill B wins on security, and now you are making a decision instead of trusting an average to have made it silently. A comparison table with one row per axis does more for the choice than any leaderboard.
The same discipline applies to the AI coding assistant itself, not only its skills. Editors and agents get reduced to one-line verdicts constantly. Break the verdict apart — how it handles your language, what it sends to a server, how often it ships — and the comparison stops being a popularity contest.
Keep the framework light. Four axes, scored on their own, written down somewhere you will see them. You do not need a rubric with decimals. You need to stop pretending one number can carry four separate decisions.
Originally published at pickuma.com. Subscribe to the RSS or follow @pickuma.bsky.social for new reviews.
Top comments (0)