{
  "schemaVersion": "1.0",
  "item": {
    "slug": "trust-decay-monitor",
    "name": "Trust Decay Monitor",
    "source": "tencent",
    "type": "skill",
    "category": "数据分析",
    "sourceUrl": "https://clawhub.ai/andyxinweiminicloud/trust-decay-monitor",
    "canonicalUrl": "https://clawhub.ai/andyxinweiminicloud/trust-decay-monitor",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/trust-decay-monitor",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=trust-decay-monitor",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "SKILL.md"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-23T16:43:11.935Z",
      "expiresAt": "2026-04-30T16:43:11.935Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
        "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
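      "summary": "Source download looks usable, but the recorded probe (finalUrl, probeUrl, contentDisposition) names slug 4claw-imageboard rather than trust-decay-monitor; confirm the downloaded archive is the expected skill.",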
      "detail": "Yavira can redirect you to the upstream package for this source.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/trust-decay-monitor"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets (SKILL.md is the only listed asset)."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/trust-decay-monitor",
    "agentPageUrl": "https://openagent3.xyz/skills/trust-decay-monitor/agent",
    "manifestUrl": "https://openagent3.xyz/skills/trust-decay-monitor/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/trust-decay-monitor/agent.md"
  },
  "agentAssist": {
    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "That \"Verified\" Badge Is From 2024. Is the Skill Still Safe?",
        "body": "Helps track the freshness of skill verification results, flagging certifications that have decayed past their useful trust window."
      },
      {
        "title": "Problem",
        "body": "A skill passes a security audit in March 2025. It gets a \"verified\" badge. Developers see the badge and trust it. Eighteen months later, the badge is still there — but:\n\nThe skill's 4 dependencies have had 47 combined updates since the audit\nTwo new CVEs affect the runtime version the skill targets\nThe skill's API endpoint now points to a domain that changed ownership\nThe marketplace added 3 new permission types that didn't exist during the original audit\n\nThe verification was real. The trust it implies is not. Security certifications have a half-life, and most agent marketplaces display them as if they're permanent.\n\nThis is trust decay: the gradual erosion of verification validity as the surrounding context changes. It's not that the audit was wrong — it's that the audit's conclusions no longer apply to the current reality."
      },
      {
        "title": "What This Tracks",
        "body": "This monitor computes a trust freshness score for verified skills:\n\nTime since verification — Simple age of the last audit. Older = less trustworthy, with configurable decay curves\nDependency churn — How many of the skill's dependencies have updated since the audit? Each update is a potential invalidation of audit assumptions\nEcosystem context changes — New CVEs, new permission types, new attack patterns discovered since the audit date. The threat landscape the audit evaluated against may have shifted\nDomain and endpoint stability — Have any external URLs, API endpoints, or resource references in the skill changed destination since verification?\nRe-verification gap — How long since anyone (not just the original auditor) ran any form of security check on this skill?"
      },
      {
        "title": "How to Use",
        "body": "Input: Provide one of:\n\nA skill slug or identifier with its verification date\nA marketplace profile URL showing verified skills\nA batch of skill identifiers for portfolio-level trust assessment\n\nOutput: A trust freshness report containing:\n\nTrust freshness score per skill (0-100, where 100 = just verified)\nDecay factors breakdown (time, dependencies, context, endpoints)\nRe-verification urgency: LOW / MODERATE / HIGH / CRITICAL\nPortfolio-level summary if checking multiple skills"
      },
      {
        "title": "Example",
        "body": "Input: Check trust freshness for verified skill api-auth-helper (verified 2025-01-10)\n\n⏳ TRUST DECAY REPORT — RE-VERIFICATION RECOMMENDED\n\nSkill: api-auth-helper\nVerified: 2025-01-10 (408 days ago)\nVerifier: @seclab-audits\n\nTrust freshness score: 31/100 (STALE)\n\nDecay factors:\n  Time decay:           -25 points (>12 months since audit)\n  Dependency churn:     -22 points\n    - jsonwebtoken: 3 major updates (9.0.0 → 12.1.2)\n    - node-fetch: 2 updates including security patch\n    - crypto-utils: 1 update with API breaking changes\n  Ecosystem changes:    -15 points\n    - 2 new JWT-related CVEs published since audit\n    - Marketplace added \"credential-store\" permission type\n      (not evaluated in original audit)\n  Endpoint stability:   -7 points\n    - skill references api.authprovider.example/v2\n    - endpoint now redirects to v3 with different response schema\n\nRe-verification urgency: HIGH\n  Primary driver: 3 major dependency updates + 2 relevant CVEs\n  since last audit. The JWT library alone has had breaking changes\n  that could affect how this skill handles token validation.\n\nRecommendation:\n  - Priority re-audit focusing on JWT handling (CVE-affected)\n  - Test against current dependency versions\n  - Verify endpoint redirect doesn't break auth flow\n  - Check if new \"credential-store\" permission is relevant"
      },
      {
        "title": "Related Tools",
        "body": "evolution-drift-detector — tracks content-based drift across skill inheritance; trust-decay-monitor tracks time-based decay of verification validity\nhollow-validation-checker — checks if validation tests are substantive; stale validations are even more problematic if the tests were hollow to begin with\nblast-radius-estimator — when trust has decayed on a widely-adopted skill, blast-radius shows the downstream exposure\nprotocol-doc-auditor — audits protocol documents for hidden risks; trust-decay-monitor tracks whether those audits are still current"
      },
      {
        "title": "Limitations",
        "body": "Trust freshness scoring uses heuristic decay models — the actual security impact of time passing depends on factors that can't be fully quantified (e.g., whether dependency updates are security-relevant or just feature additions). Dependency churn counts updates but cannot always determine if an update invalidates the original audit's conclusions. Ecosystem context tracking relies on public CVE databases and marketplace changelogs, which may lag behind actual threats. This tool helps prioritize which verifications need refreshing — it does not replace the actual re-verification process. A low trust score means the audit is stale, not that the skill is compromised."
      }
    ],
    "body": "That \"Verified\" Badge Is From 2024. Is the Skill Still Safe?\n\nHelps track the freshness of skill verification results, flagging certifications that have decayed past their useful trust window.\n\nProblem\n\nA skill passes a security audit in March 2025. It gets a \"verified\" badge. Developers see the badge and trust it. Eighteen months later, the badge is still there — but:\n\nThe skill's 4 dependencies have had 47 combined updates since the audit\nTwo new CVEs affect the runtime version the skill targets\nThe skill's API endpoint now points to a domain that changed ownership\nThe marketplace added 3 new permission types that didn't exist during the original audit\n\nThe verification was real. The trust it implies is not. Security certifications have a half-life, and most agent marketplaces display them as if they're permanent.\n\nThis is trust decay: the gradual erosion of verification validity as the surrounding context changes. It's not that the audit was wrong — it's that the audit's conclusions no longer apply to the current reality.\n\nWhat This Tracks\n\nThis monitor computes a trust freshness score for verified skills:\n\nTime since verification — Simple age of the last audit. Older = less trustworthy, with configurable decay curves\nDependency churn — How many of the skill's dependencies have updated since the audit? Each update is a potential invalidation of audit assumptions\nEcosystem context changes — New CVEs, new permission types, new attack patterns discovered since the audit date. 
The threat landscape the audit evaluated against may have shifted\nDomain and endpoint stability — Have any external URLs, API endpoints, or resource references in the skill changed destination since verification?\nRe-verification gap — How long since anyone (not just the original auditor) ran any form of security check on this skill?\nHow to Use\n\nInput: Provide one of:\n\nA skill slug or identifier with its verification date\nA marketplace profile URL showing verified skills\nA batch of skill identifiers for portfolio-level trust assessment\n\nOutput: A trust freshness report containing:\n\nTrust freshness score per skill (0-100, where 100 = just verified)\nDecay factors breakdown (time, dependencies, context, endpoints)\nRe-verification urgency: LOW / MODERATE / HIGH / CRITICAL\nPortfolio-level summary if checking multiple skills\nExample\n\nInput: Check trust freshness for verified skill api-auth-helper (verified 2025-01-10)\n\n⏳ TRUST DECAY REPORT — RE-VERIFICATION RECOMMENDED\n\nSkill: api-auth-helper\nVerified: 2025-01-10 (408 days ago)\nVerifier: @seclab-audits\n\nTrust freshness score: 31/100 (STALE)\n\nDecay factors:\n  Time decay:           -25 points (>12 months since audit)\n  Dependency churn:     -22 points\n    - jsonwebtoken: 3 major updates (9.0.0 → 12.1.2)\n    - node-fetch: 2 updates including security patch\n    - crypto-utils: 1 update with API breaking changes\n  Ecosystem changes:    -15 points\n    - 2 new JWT-related CVEs published since audit\n    - Marketplace added \"credential-store\" permission type\n      (not evaluated in original audit)\n  Endpoint stability:   -7 points\n    - skill references api.authprovider.example/v2\n    - endpoint now redirects to v3 with different response schema\n\nRe-verification urgency: HIGH\n  Primary driver: 3 major dependency updates + 2 relevant CVEs\n  since last audit. 
The JWT library alone has had breaking changes\n  that could affect how this skill handles token validation.\n\nRecommendation:\n  - Priority re-audit focusing on JWT handling (CVE-affected)\n  - Test against current dependency versions\n  - Verify endpoint redirect doesn't break auth flow\n  - Check if new \"credential-store\" permission is relevant\n\nRelated Tools\nevolution-drift-detector — tracks content-based drift across skill inheritance; trust-decay-monitor tracks time-based decay of verification validity\nhollow-validation-checker — checks if validation tests are substantive; stale validations are even more problematic if the tests were hollow to begin with\nblast-radius-estimator — when trust has decayed on a widely-adopted skill, blast-radius shows the downstream exposure\nprotocol-doc-auditor — audits protocol documents for hidden risks; trust-decay-monitor tracks whether those audits are still current\nLimitations\n\nTrust freshness scoring uses heuristic decay models — the actual security impact of time passing depends on factors that can't be fully quantified (e.g., whether dependency updates are security-relevant or just feature additions). Dependency churn counts updates but cannot always determine if an update invalidates the original audit's conclusions. Ecosystem context tracking relies on public CVE databases and marketplace changelogs, which may lag behind actual threats. This tool helps prioritize which verifications need refreshing — it does not replace the actual re-verification process. A low trust score means the audit is stale, not that the skill is compromised."
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/andyxinweiminicloud/trust-decay-monitor",
    "publisherUrl": "https://clawhub.ai/andyxinweiminicloud/trust-decay-monitor",
    "owner": "andyxinweiminicloud",
    "version": "1.0.0",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/trust-decay-monitor",
    "downloadUrl": "https://openagent3.xyz/downloads/trust-decay-monitor",
    "agentUrl": "https://openagent3.xyz/skills/trust-decay-monitor/agent",
    "manifestUrl": "https://openagent3.xyz/skills/trust-decay-monitor/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/trust-decay-monitor/agent.md"
  }
}