# Send Trust Decay Monitor to your agent
Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.
## Fast path
- Download the package from Yavira.
- Extract it into a folder your agent can access.
- Paste one of the prompts below and point your agent at the extracted folder.
## Suggested prompts
### New install

```text
I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete.
```
### Upgrade existing

```text
I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run.
```
## Machine-readable fields
```json
{
  "schemaVersion": "1.0",
  "item": {
    "slug": "trust-decay-monitor",
    "name": "Trust Decay Monitor",
    "source": "tencent",
    "type": "skill",
    "category": "数据分析",
    "sourceUrl": "https://clawhub.ai/andyxinweiminicloud/trust-decay-monitor",
    "canonicalUrl": "https://clawhub.ai/andyxinweiminicloud/trust-decay-monitor",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadUrl": "/downloads/trust-decay-monitor",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=trust-decay-monitor",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "packageFormat": "ZIP package",
    "primaryDoc": "SKILL.md",
    "includedAssets": [
      "SKILL.md"
    ],
    "downloadMode": "redirect",
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-23T16:43:11.935Z",
      "expiresAt": "2026-04-30T16:43:11.935Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
        "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this source.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/trust-decay-monitor"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    }
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/trust-decay-monitor",
    "downloadUrl": "https://openagent3.xyz/downloads/trust-decay-monitor",
    "agentUrl": "https://openagent3.xyz/skills/trust-decay-monitor/agent",
    "manifestUrl": "https://openagent3.xyz/skills/trust-decay-monitor/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/trust-decay-monitor/agent.md"
  }
}
```
## Documentation

### That "Verified" Badge Is From 2024. Is the Skill Still Safe?

Helps track the freshness of skill verification results, flagging certifications that have decayed past their useful trust window.

### Problem

A skill passes a security audit in March 2025. It gets a "verified" badge. Developers see the badge and trust it. Eighteen months later, the badge is still there — but:

The skill's 4 dependencies have had 47 combined updates since the audit
Two new CVEs affect the runtime version the skill targets
The skill's API endpoint now points to a domain that changed ownership
The marketplace added 3 new permission types that didn't exist during the original audit

The verification was real. The trust it implies is not. Security certifications have a half-life, and most agent marketplaces display them as if they're permanent.

This is trust decay: the gradual erosion of verification validity as the surrounding context changes. It's not that the audit was wrong — it's that the audit's conclusions no longer apply to the current reality.

### What This Tracks

This monitor computes a trust freshness score for verified skills:

Time since verification — Simple age of the last audit. Older = less trustworthy, with configurable decay curves
Dependency churn — How many of the skill's dependencies have updated since the audit? Each update is a potential invalidation of audit assumptions
Ecosystem context changes — New CVEs, new permission types, new attack patterns discovered since the audit date. The threat landscape the audit evaluated against may have shifted
Domain and endpoint stability — Have any external URLs, API endpoints, or resource references in the skill changed destination since verification?
Re-verification gap — How long since anyone (not just the original auditor) ran any form of security check on this skill?

### How to Use

Input: Provide one of:

A skill slug or identifier with its verification date
A marketplace profile URL showing verified skills
A batch of skill identifiers for portfolio-level trust assessment

Output: A trust freshness report containing:

Trust freshness score per skill (0-100, where 100 = just verified)
Decay factors breakdown (time, dependencies, context, endpoints)
Re-verification urgency: LOW / MODERATE / HIGH / CRITICAL
Portfolio-level summary if checking multiple skills

### Example

Input: Check trust freshness for verified skill api-auth-helper (verified 2025-01-10)

⏳ TRUST DECAY REPORT — RE-VERIFICATION RECOMMENDED

Skill: api-auth-helper
Verified: 2025-01-10 (408 days ago)
Verifier: @seclab-audits

Trust freshness score: 31/100 (STALE)

Decay factors:
  Time decay:           -25 points (>12 months since audit)
  Dependency churn:     -22 points
    - jsonwebtoken: 3 major updates (9.0.0 → 12.1.2)
    - node-fetch: 2 updates including security patch
    - crypto-utils: 1 update with API breaking changes
  Ecosystem changes:    -15 points
    - 2 new JWT-related CVEs published since audit
    - Marketplace added "credential-store" permission type
      (not evaluated in original audit)
  Endpoint stability:   -7 points
    - skill references api.authprovider.example/v2
    - endpoint now redirects to v3 with different response schema

Re-verification urgency: HIGH
  Primary driver: 3 major dependency updates + 2 relevant CVEs
  since last audit. The JWT library alone has had breaking changes
  that could affect how this skill handles token validation.

Recommendation:
  - Priority re-audit focusing on JWT handling (CVE-affected)
  - Test against current dependency versions
  - Verify endpoint redirect doesn't break auth flow
  - Check if new "credential-store" permission is relevant

### Related Tools

evolution-drift-detector — tracks content-based drift across skill inheritance; trust-decay-monitor tracks time-based decay of verification validity
hollow-validation-checker — checks if validation tests are substantive; stale validations are even more problematic if the tests were hollow to begin with
blast-radius-estimator — when trust has decayed on a widely-adopted skill, blast-radius shows the downstream exposure
protocol-doc-auditor — audits protocol documents for hidden risks; trust-decay-monitor tracks whether those audits are still current

### Limitations

Trust freshness scoring uses heuristic decay models — the actual security impact of time passing depends on factors that can't be fully quantified (e.g., whether dependency updates are security-relevant or just feature additions). Dependency churn counts updates but cannot always determine if an update invalidates the original audit's conclusions. Ecosystem context tracking relies on public CVE databases and marketplace changelogs, which may lag behind actual threats. This tool helps prioritize which verifications need refreshing — it does not replace the actual re-verification process. A low trust score means the audit is stale, not that the skill is compromised.
## Trust
- Source: tencent
- Verification: Indexed source record
- Publisher: andyxinweiminicloud
- Version: 1.0.0
## Source health
- Status: healthy
- Source download looks usable.
- Yavira can redirect you to the upstream package for this source.
- Health scope: source
- Reason: direct_download_ok
- Checked at: 2026-04-23T16:43:11.935Z
- Expires at: 2026-04-30T16:43:11.935Z
- Recommended action: Download for OpenClaw
## Links
- [Detail page](https://openagent3.xyz/skills/trust-decay-monitor)
- [Send to Agent page](https://openagent3.xyz/skills/trust-decay-monitor/agent)
- [JSON manifest](https://openagent3.xyz/skills/trust-decay-monitor/agent.json)
- [Markdown brief](https://openagent3.xyz/skills/trust-decay-monitor/agent.md)
- [Download page](https://openagent3.xyz/downloads/trust-decay-monitor)