Tencent SkillHub · Security & Compliance

TrustMyAgent

🛡️ TrustMyAgent - Security posture monitoring for AI agents. Runs 41 stateless checks across 14 domains and calculates a trust score (0-100). Supports local...

skill openclawclawhub Free

0 Downloads

0 Stars

0 Installs

0 Score

High Signal

🛡️ TrustMyAgent - Security posture monitoring for AI agents. Runs 41 stateless checks across 14 domains and calculates a trust score (0-100). Supports local...

⬇ 0 downloads ★ 0 stars Unverified but indexed

Install for OpenClaw

Quick setup

Download the package from Yavira.
Extract the archive and review SKILL.md first.
Import or place the package into your OpenClaw setup.

Requirements

Target platform: OpenClaw
Install method: Manual import
Extraction: Extract archive
Prerequisites: OpenClaw
Primary doc: SKILL.md

Package facts

Download mode: Yavira redirect
Package format: ZIP package
Source platform: Tencent SkillHub
What's included: run.py, README.md, SKILL.md, SECURITY.md, checks/openclaw_checks.json, checks/detection_kb.json

Validation

Use the Yavira download entry.
Review SKILL.md after the package is downloaded.
Confirm the extracted package contains the expected setup assets.

Install with your agent

Agent handoff

Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.

Download the package from Yavira.
Extract it into a folder your agent can access.
Paste one of the prompts below and point your agent at the extracted folder.

New install

I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete.

Upgrade existing

I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run.

Open Send to Agent page Open JSON manifest Open Markdown brief

Trust & source

Release facts

Source: Tencent SkillHub
Verification: Indexed source record
Version: 1.0.0

Provenance

Publisher: Anecdotes-Yair
Source page: View original listing
Canonical URL: Open canonical page

Documentation

ClawHub primary doc Primary doc: SKILL.md 20 sections Open source page

🛡️ TrustMyAgent - Security Agent

Stateless security posture monitoring for AI agents. TrustMyAgent runs 41 read-only security checks across 14 domains on the host machine, calculates a trust score (0-100), and optionally reports results to a public Trust Center dashboard. It is fully stateless — no files are written, no state is persisted, and no background processes are installed without explicit user consent. Open source: All check logic is visible in run.py and checks/*.json. The full source code is at github.com/Anecdotes-Yair/trust-my-agent-ai.

Setup

When the user asks to set up TrustMyAgent, walk them through the following steps. Present each step to the user and wait for their approval before executing. Do not run commands silently or skip user confirmation.

Step 1: Verify Python 3

Check that Python 3 is available: python3 --version If Python 3 is not installed, ask the user before installing it: macOS: brew install python3 Linux: sudo apt-get install python3 or sudo apk add python3

Step 2: Run a dry-run assessment

Run the security assessment in dry-run mode first so the user can review the results before any data leaves the machine: python3 {baseDir}/run.py --dry-run This runs all 41 checks and prints the full telemetry payload that would be sent — but sends nothing. Show the user the results and let them review: The trust score and tier Which checks passed and failed The exact JSON payload that would be transmitted Ask the user: "Would you like to send this report to the Trust Center dashboard, run in local-only mode (no network), or adjust any settings?"

Step 3: Run the full assessment (with user consent)

If the user approves sending telemetry: python3 {baseDir}/run.py If the user prefers local-only mode (no telemetry sent): python3 {baseDir}/run.py --local-only

Step 4: Schedule recurring assessments (optional)

Ask the user if they want to schedule automatic assessments. If they agree, suggest a cron job. The command varies by agent platform: OpenClaw agents: openclaw cron add --name "🛡️ TrustMyAgent" --cron "*/15 * * * *" --session agent:security:main --message "Run security assessment: python3 {baseDir}/run.py" Other agents / standalone: # Add to system crontab (runs every 15 minutes) (crontab -l 2>/dev/null; echo "*/15 * * * * python3 {baseDir}/run.py --quiet") | crontab - The user can choose any interval or skip scheduling entirely.

What Data Is Sent

When telemetry is enabled (the default), the following data is sent via HTTPS POST to https://www.trustmyagent.ai/api/telemetry: FieldExamplePurposeagent.idsha256(hostname)Unique identifier (derived from hostname hash, not the hostname itself)agent.name"My Agent"Display name (from IDENTITY.md or env var)agent.platform"darwin"OS type (darwin/linux)agent.detected_env"macos_arm64"Runtime environment labelposture.trust_tier"HIGH"Computed trust tierposture.overall_score92Numeric score 0-100results[]{check_id, passed, status}Per-check pass/fail statusdetections[]{check_id, severity, risk}Failed checks with risk context What is NOT sent: No file contents, paths, or directory listings No environment variable values (only whether secret-like patterns exist) No process names, PIDs, or command lines No network traffic, IP addresses, or hostnames No credentials, tokens, or API keys No conversation transcripts or user data The telemetry endpoint and all check logic are open source. You can verify exactly what is transmitted by using --dry-run mode.

Opting out of telemetry

Use --local-only to run all checks without any network calls: python3 {baseDir}/run.py --local-only This gives you the full security assessment locally without sending anything.

How It Works

run.py executes on the host — triggered manually, by cron, or by agent heartbeat 41 security checks run using bash commands and Python sensors (all read-only) Trust score is calculated (0-100) based on pass/fail results and severity weighting Results are displayed locally in the terminal (Optional) Telemetry is sent to the Trust Center dashboard via HTTPS No files are written locally. No state is persisted on the agent machine.

Security Domains

DomainChecksFocusPhysical EnvironmentPHY-001 to PHY-005Disk encryption, container isolation, non-root executionNetworkNET-001 to NET-005Dangerous ports, TLS/SSL, DNS, certificatesSecretsSEC-001 to SEC-005, MSG-005Env var secrets, cloud creds, private keys, conversation leaksCodeCOD-001 to COD-004Git security, no secrets in reposLogsLOG-001 to LOG-004System logging, audit readinessSkillsSKL-001 to SKL-005, MSG-001, MSG-003Skill manifests, MCP server trustIntegrityINT-001 to INT-005, MSG-002, MSG-006Backdoors, browser abuse, suspicious tool calls, URL reputationSocial GuardsSOC-001 to SOC-006, MSG-004Action logging, session transparency, Moltbook integrity, owner reputationIncident PreventionINC-001 to INC-005Process spawning, system load, port scanningNode SecurityNODE-001 to NODE-005Remote execution approval, token permissions, exec allowlistsMedia SecurityMEDIA-002 to MEDIA-003Temp directory permissions, file type validationGateway SecurityGATEWAY-001 to GATEWAY-002Binding address, authenticationIdentity SecurityIDENTITY-001 to IDENTITY-002DM pairing allowlist, group chat allowlistSubAgent SecuritySUBAGENT-001 to SUBAGENT-002Concurrency limits, target allowlists

Bash checks (20 checks)

Defined in checks/openclaw_checks.json. Each check runs a shell command and evaluates the output against a pass_condition (equals, contains, not_contains, exit_code_zero, etc.).

Python/Message-based checks (21 checks)

Defined in checks/message_checks.json and checks/nodes_media_checks.json. These are programmatic sensors that analyze secrets, session transcripts, MCP configs, skill manifests, and more.

Platform Support

Checks auto-detect macOS vs Linux and use platform-appropriate commands. Checks can declare "platforms": ["linux"] to be gracefully skipped on unsupported platforms.

Trust Tiers

TierScoreLabelHIGH90-100Ready for BusinessMEDIUM70-89Needs ReviewLOW50-69Elevated RiskUNTRUSTED0-49Critical Security Gaps Any critical-severity failure caps the score at 49 (UNTRUSTED). Three or more high-severity failures cap at 69 (LOW).

Command Line Options

FlagDescription--checks, -cPath to custom checks JSON file--timeout, -tTimeout per check in seconds (default: 30)--quiet, -qMinimal output--json, -jOutput structured JSON to stdout--dry-runRun all checks and display the telemetry payload, but do not send it--local-onlyRun all checks locally without any network calls--no-notifySkip agent notifications for detections

Configuration

SourceDescriptionDefaultIDENTITY.mdAgent display name (read from # Name section)"Agent"OPENCLAW_AGENT_NAME env varOverrides IDENTITY.md name—OPENCLAW_AGENT_ID env varAgent identifierSHA256 of hostnameTRUSTMYAGENT_TELEMETRY_URL env varServer endpointhttps://www.trustmyagent.ai/api/telemetry

Files

Agent/ ├── SKILL.md # This file ├── run.py # Main entry point (stateless runner) └── checks/ ├── openclaw_checks.json # 20 bash-based security checks ├── message_checks.json # 10 Python-based message/secret sensors ├── nodes_media_checks.json # 11 infrastructure checks └── detection_kb.json # Risk descriptions and remediation guidance

Architecture

┌─────────────────┐ ┌──────────────────┐ │ Agent Host │ POST /api/telemetry │ 🛡️ TrustMyAgent │ │ │ ────────────────────────────► │ Server │ │ run.py │ (only when telemetry enabled) │ (Cloudflare) │ │ ├─ bash checks │ │ ├─ R2 storage │ │ └─ python checks│ │ ├─ agents index │ │ │ │ └─ trend history│ │ (no local state)│ │ │ └─────────────────┘ └──────────────────┘ │ trust-center.html (public dashboard)

Privacy & Trust

Open source: All code is MIT-licensed and publicly auditable at github.com/Anecdotes-Yair/trust-my-agent-ai Stateless: No files written, no state persisted, no background processes installed without consent Opt-in telemetry: Use --local-only to run entirely offline, or --dry-run to preview before sending No secrets transmitted: Checks detect the presence of issues, never transmit actual secret values Transparent payload: The --dry-run flag shows the exact JSON that would be sent Server: Operated by Anecdotes AI, a GRC (Governance, Risk, Compliance) company. Server code is at github.com/Anecdotes-Yair/trust-my-agent-ai-website

Credits

Built by Anecdotes AI for the AI agent ecosystem.

Category context

Identity, auth, scanning, governance, audit, and operational guardrails.

Source: Tencent SkillHub

Largest current source with strong distribution and engagement signals.

Package contents

Included in package

3 Docs2 Config1 Scripts

SKILL.md Primary doc
README.md Docs
SECURITY.md Docs
run.py Scripts
checks/detection_kb.json Config
checks/openclaw_checks.json Config