{ "schemaVersion": "1.0", "item": { "slug": "skill-trust-auditor", "name": "Skill Trust Auditor", "source": "tencent", "type": "skill", "category": "安全合规", "sourceUrl": "https://clawhub.ai/JonathanJing/skill-trust-auditor", "canonicalUrl": "https://clawhub.ai/JonathanJing/skill-trust-auditor", "targetPlatform": "OpenClaw" }, "install": { "downloadMode": "redirect", "downloadUrl": "/downloads/skill-trust-auditor", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=skill-trust-auditor", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "installMethod": "Manual import", "extraction": "Extract archive", "prerequisites": [ "OpenClaw" ], "packageFormat": "ZIP package", "includedAssets": [ "CHANGELOG.md", "README.md", "SKILL.md", "references/clawhavoc-patterns.md", "scripts/analyze_skill.py", "scripts/audit.sh" ], "primaryDoc": "SKILL.md", "quickSetup": [ "Download the package from Yavira.", "Extract the archive and review SKILL.md first.", "Import or place the package into your OpenClaw setup." ], "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run." } ] }, "sourceHealth": { "source": "tencent", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-23T16:43:11.935Z", "expiresAt": "2026-04-30T16:43:11.935Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard", "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"", "redirectLocation": null, "bodySnippet": null }, "scope": "source", "summary": "Source download looks usable.", "detail": "Yavira can redirect you to the upstream package for this source.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/skill-trust-auditor" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] }, "downloadPageUrl": "https://openagent3.xyz/downloads/skill-trust-auditor", "agentPageUrl": "https://openagent3.xyz/skills/skill-trust-auditor/agent", "manifestUrl": "https://openagent3.xyz/skills/skill-trust-auditor/agent.json", "briefUrl": "https://openagent3.xyz/skills/skill-trust-auditor/agent.md" }, "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run." } ] }, "documentation": { "source": "clawhub", "primaryDoc": "SKILL.md", "sections": [ { "title": "Skill Trust Auditor", "body": "Audit any ClawHub skill for security risks before installation." }, { "title": "1. Ask OpenClaw (Recommended)", "body": "Tell OpenClaw: \"Install the skill-trust-auditor skill.\" The agent will handle the installation and configuration automatically." }, { "title": "2. Manual Installation (CLI)", "body": "If you prefer the terminal, run:\n\nclawhub install skill-trust-auditor" }, { "title": "Setup (first run only)", "body": "bash scripts/setup.sh" }, { "title": "Audit a Skill", "body": "When user says \"audit [skill-name]\" or \"is [skill-name] safe\" or before any clawhub install:\n\nbash scripts/audit.sh [skill-name-or-url]\n# Example:\nbash scripts/audit.sh steipete/clawhub\nbash scripts/audit.sh https://clawhub.ai/someuser/someskill\n\nOutput:\n\n{\n \"skill\": \"someuser/someskill\",\n \"trust_score\": 72,\n \"verdict\": \"INSTALL WITH CAUTION\",\n \"risks\": [\n {\"level\": \"HIGH\", \"pattern\": \"curl to external domain\", \"location\": \"scripts/sync.sh:14\"},\n {\"level\": \"MEDIUM\", \"pattern\": \"reads MEMORY.md\", \"location\": \"SKILL.md:23\"}\n ],\n \"safe_patterns\": [\"no env var access\", \"no self-modification\"],\n \"author_verified\": false,\n \"recommendation\": \"Review scripts/sync.sh:14 before installing. The external curl call could exfiltrate data.\"\n}\n\nPost to user with clear summary:\n\n🛡️ Trust Audit: someuser/someskill\nScore: 72/100 — ⚠️ INSTALL WITH CAUTION\n\n🔴 HIGH: curl to unknown domain in scripts/sync.sh:14\n🟡 MEDIUM: reads your MEMORY.md\n\nRecommendation: Inspect line 14 of sync.sh before proceeding.\nRun: clawhub show someuser/someskill --file scripts/sync.sh" }, { "title": "Trust Score Guide", "body": "ScoreVerdictAction90-100✅ SAFEInstall freely70-89⚠️ CAUTIONReview flagged items first50-69🟠 RISKYOnly if you understand the risks0-49🔴 DO NOT INSTALLHigh probability of malicious intent" }, { "title": "Risk Pattern Reference", "body": "HIGH RISK (-30 each):\n\nprocess.env access in scripts\ncurl/wget to non-standard domains\nReading ~/.config or ~/.openclaw directly\nexec() with user-controlled input\nInstructions to modify SOUL.md/AGENTS.md/openclaw.json\n\nMEDIUM RISK (-10 each):\n\nAny outbound API calls (even to known services)\nFile writes outside workspace\nReading MEMORY.md or diary files\n\nLOW RISK (-3 each):\n\nweb_fetch to standard domains\nRead-only file access in workspace" }, { "title": "Auto-Audit Mode", "body": "Optionally prepend audit to every install:\n\n# Add to your shell aliases:\nalias clawhub-safe='bash ~/.openclaw/workspace/skills/skill-trust-auditor/scripts/audit.sh $1 && clawhub install $1'" }, { "title": "ClawHavoc Pattern Reference", "body": "See references/clawhavoc-patterns.md for known malicious patterns from the February 2026 incident. Update this file when new incidents are reported." } ], "body": "Skill Trust Auditor\n\nAudit any ClawHub skill for security risks before installation.\n\n🛠️ Installation\n1. Ask OpenClaw (Recommended)\n\nTell OpenClaw: \"Install the skill-trust-auditor skill.\" The agent will handle the installation and configuration automatically.\n\n2. Manual Installation (CLI)\n\nIf you prefer the terminal, run:\n\nclawhub install skill-trust-auditor\n\nSetup (first run only)\nbash scripts/setup.sh\n\nAudit a Skill\n\nWhen user says \"audit [skill-name]\" or \"is [skill-name] safe\" or before any clawhub install:\n\nbash scripts/audit.sh [skill-name-or-url]\n# Example:\nbash scripts/audit.sh steipete/clawhub\nbash scripts/audit.sh https://clawhub.ai/someuser/someskill\n\n\nOutput:\n\n{\n \"skill\": \"someuser/someskill\",\n \"trust_score\": 72,\n \"verdict\": \"INSTALL WITH CAUTION\",\n \"risks\": [\n {\"level\": \"HIGH\", \"pattern\": \"curl to external domain\", \"location\": \"scripts/sync.sh:14\"},\n {\"level\": \"MEDIUM\", \"pattern\": \"reads MEMORY.md\", \"location\": \"SKILL.md:23\"}\n ],\n \"safe_patterns\": [\"no env var access\", \"no self-modification\"],\n \"author_verified\": false,\n \"recommendation\": \"Review scripts/sync.sh:14 before installing. The external curl call could exfiltrate data.\"\n}\n\n\nPost to user with clear summary:\n\n🛡️ Trust Audit: someuser/someskill\nScore: 72/100 — ⚠️ INSTALL WITH CAUTION\n\n🔴 HIGH: curl to unknown domain in scripts/sync.sh:14\n🟡 MEDIUM: reads your MEMORY.md\n\nRecommendation: Inspect line 14 of sync.sh before proceeding.\nRun: clawhub show someuser/someskill --file scripts/sync.sh\n\nTrust Score Guide\nScore\tVerdict\tAction\n90-100\t✅ SAFE\tInstall freely\n70-89\t⚠️ CAUTION\tReview flagged items first\n50-69\t🟠 RISKY\tOnly if you understand the risks\n0-49\t🔴 DO NOT INSTALL\tHigh probability of malicious intent\nRisk Pattern Reference\n\nHIGH RISK (-30 each):\n\nprocess.env access in scripts\ncurl/wget to non-standard domains\nReading ~/.config or ~/.openclaw directly\nexec() with user-controlled input\nInstructions to modify SOUL.md/AGENTS.md/openclaw.json\n\nMEDIUM RISK (-10 each):\n\nAny outbound API calls (even to known services)\nFile writes outside workspace\nReading MEMORY.md or diary files\n\nLOW RISK (-3 each):\n\nweb_fetch to standard domains\nRead-only file access in workspace\nAuto-Audit Mode\n\nOptionally prepend audit to every install:\n\n# Add to your shell aliases:\nalias clawhub-safe='bash ~/.openclaw/workspace/skills/skill-trust-auditor/scripts/audit.sh $1 && clawhub install $1'\n\nClawHavoc Pattern Reference\n\nSee references/clawhavoc-patterns.md for known malicious patterns from the February 2026 incident. Update this file when new incidents are reported." }, "trust": { "sourceLabel": "tencent", "provenanceUrl": "https://clawhub.ai/JonathanJing/skill-trust-auditor", "publisherUrl": "https://clawhub.ai/JonathanJing/skill-trust-auditor", "owner": "JonathanJing", "version": "1.1.3", "license": null, "verificationStatus": "Indexed source record" }, "links": { "detailUrl": "https://openagent3.xyz/skills/skill-trust-auditor", "downloadUrl": "https://openagent3.xyz/downloads/skill-trust-auditor", "agentUrl": "https://openagent3.xyz/skills/skill-trust-auditor/agent", "manifestUrl": "https://openagent3.xyz/skills/skill-trust-auditor/agent.json", "briefUrl": "https://openagent3.xyz/skills/skill-trust-auditor/agent.md" } }