# Send TrustMyAgent to your agent
Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.
## Fast path
- Download the package from Yavira.
- Extract it into a folder your agent can access.
- Paste one of the prompts below and point your agent at the extracted folder.
## Suggested prompts
### New install

```text
I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete.
```
### Upgrade existing

```text
I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run.
```
## Machine-readable fields
```json
{
  "schemaVersion": "1.0",
  "item": {
    "slug": "trust-my-agent-ai",
    "name": "TrustMyAgent",
    "source": "tencent",
    "type": "skill",
    "category": "安全合规",
    "sourceUrl": "https://clawhub.ai/Anecdotes-Yair/trust-my-agent-ai",
    "canonicalUrl": "https://clawhub.ai/Anecdotes-Yair/trust-my-agent-ai",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadUrl": "/downloads/trust-my-agent-ai",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=trust-my-agent-ai",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "packageFormat": "ZIP package",
    "primaryDoc": "SKILL.md",
    "includedAssets": [
      "run.py",
      "README.md",
      "SKILL.md",
      "SECURITY.md",
      "checks/openclaw_checks.json",
      "checks/detection_kb.json"
    ],
    "downloadMode": "redirect",
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-23T16:43:11.935Z",
      "expiresAt": "2026-04-30T16:43:11.935Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
        "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this source.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/trust-my-agent-ai"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    }
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/trust-my-agent-ai",
    "downloadUrl": "https://openagent3.xyz/downloads/trust-my-agent-ai",
    "agentUrl": "https://openagent3.xyz/skills/trust-my-agent-ai/agent",
    "manifestUrl": "https://openagent3.xyz/skills/trust-my-agent-ai/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/trust-my-agent-ai/agent.md"
  }
}
```
## Documentation

### 🛡️ TrustMyAgent - Security Agent

Stateless security posture monitoring for AI agents.

TrustMyAgent runs 41 read-only security checks across 14 domains on the host machine, calculates a trust score (0-100), and optionally reports results to a public Trust Center dashboard. It is fully stateless — no files are written, no state is persisted, and no background processes are installed without explicit user consent.

Open source: All check logic is visible in run.py and checks/*.json. The full source code is at github.com/Anecdotes-Yair/trust-my-agent-ai.

### Setup

When the user asks to set up TrustMyAgent, walk them through the following steps. Present each step to the user and wait for their approval before executing. Do not run commands silently or skip user confirmation.

### Step 1: Verify Python 3

Check that Python 3 is available:

python3 --version

If Python 3 is not installed, ask the user before installing it:

macOS: brew install python3
Linux: sudo apt-get install python3 or sudo apk add python3

### Step 2: Run a dry-run assessment

Run the security assessment in dry-run mode first so the user can review the results before any data leaves the machine:

python3 {baseDir}/run.py --dry-run

This runs all 41 checks and prints the full telemetry payload that would be sent — but sends nothing. Show the user the results and let them review:

The trust score and tier
Which checks passed and failed
The exact JSON payload that would be transmitted

Ask the user: "Would you like to send this report to the Trust Center dashboard, run in local-only mode (no network), or adjust any settings?"

### Step 3: Run the full assessment (with user consent)

If the user approves sending telemetry:

python3 {baseDir}/run.py

If the user prefers local-only mode (no telemetry sent):

python3 {baseDir}/run.py --local-only

### Step 4: Schedule recurring assessments (optional)

Ask the user if they want to schedule automatic assessments. If they agree, suggest a cron job. The command varies by agent platform:

OpenClaw agents:

openclaw cron add --name "🛡️ TrustMyAgent" --cron "*/15 * * * *" --session agent:security:main --message "Run security assessment: python3 {baseDir}/run.py"

Other agents / standalone:

# Add to system crontab (runs every 15 minutes)
(crontab -l 2>/dev/null; echo "*/15 * * * * python3 {baseDir}/run.py --quiet") | crontab -

The user can choose any interval or skip scheduling entirely.

### What Data Is Sent

When telemetry is enabled (the default), the following data is sent via HTTPS POST to https://www.trustmyagent.ai/api/telemetry:

FieldExamplePurposeagent.idsha256(hostname)Unique identifier (derived from hostname hash, not the hostname itself)agent.name"My Agent"Display name (from IDENTITY.md or env var)agent.platform"darwin"OS type (darwin/linux)agent.detected_env"macos_arm64"Runtime environment labelposture.trust_tier"HIGH"Computed trust tierposture.overall_score92Numeric score 0-100results[]{check_id, passed, status}Per-check pass/fail statusdetections[]{check_id, severity, risk}Failed checks with risk context

What is NOT sent:

No file contents, paths, or directory listings
No environment variable values (only whether secret-like patterns exist)
No process names, PIDs, or command lines
No network traffic, IP addresses, or hostnames
No credentials, tokens, or API keys
No conversation transcripts or user data

The telemetry endpoint and all check logic are open source. You can verify exactly what is transmitted by using --dry-run mode.

### Opting out of telemetry

Use --local-only to run all checks without any network calls:

python3 {baseDir}/run.py --local-only

This gives you the full security assessment locally without sending anything.

### How It Works

run.py executes on the host — triggered manually, by cron, or by agent heartbeat
41 security checks run using bash commands and Python sensors (all read-only)
Trust score is calculated (0-100) based on pass/fail results and severity weighting
Results are displayed locally in the terminal
(Optional) Telemetry is sent to the Trust Center dashboard via HTTPS

No files are written locally. No state is persisted on the agent machine.

### Security Domains

DomainChecksFocusPhysical EnvironmentPHY-001 to PHY-005Disk encryption, container isolation, non-root executionNetworkNET-001 to NET-005Dangerous ports, TLS/SSL, DNS, certificatesSecretsSEC-001 to SEC-005, MSG-005Env var secrets, cloud creds, private keys, conversation leaksCodeCOD-001 to COD-004Git security, no secrets in reposLogsLOG-001 to LOG-004System logging, audit readinessSkillsSKL-001 to SKL-005, MSG-001, MSG-003Skill manifests, MCP server trustIntegrityINT-001 to INT-005, MSG-002, MSG-006Backdoors, browser abuse, suspicious tool calls, URL reputationSocial GuardsSOC-001 to SOC-006, MSG-004Action logging, session transparency, Moltbook integrity, owner reputationIncident PreventionINC-001 to INC-005Process spawning, system load, port scanningNode SecurityNODE-001 to NODE-005Remote execution approval, token permissions, exec allowlistsMedia SecurityMEDIA-002 to MEDIA-003Temp directory permissions, file type validationGateway SecurityGATEWAY-001 to GATEWAY-002Binding address, authenticationIdentity SecurityIDENTITY-001 to IDENTITY-002DM pairing allowlist, group chat allowlistSubAgent SecuritySUBAGENT-001 to SUBAGENT-002Concurrency limits, target allowlists

### Bash checks (20 checks)

Defined in checks/openclaw_checks.json. Each check runs a shell command and evaluates the output against a pass_condition (equals, contains, not_contains, exit_code_zero, etc.).

### Python/Message-based checks (21 checks)

Defined in checks/message_checks.json and checks/nodes_media_checks.json. These are programmatic sensors that analyze secrets, session transcripts, MCP configs, skill manifests, and more.

### Platform Support

Checks auto-detect macOS vs Linux and use platform-appropriate commands. Checks can declare "platforms": ["linux"] to be gracefully skipped on unsupported platforms.

### Trust Tiers

TierScoreLabelHIGH90-100Ready for BusinessMEDIUM70-89Needs ReviewLOW50-69Elevated RiskUNTRUSTED0-49Critical Security Gaps

Any critical-severity failure caps the score at 49 (UNTRUSTED). Three or more high-severity failures cap at 69 (LOW).

### Command Line Options

FlagDescription--checks, -cPath to custom checks JSON file--timeout, -tTimeout per check in seconds (default: 30)--quiet, -qMinimal output--json, -jOutput structured JSON to stdout--dry-runRun all checks and display the telemetry payload, but do not send it--local-onlyRun all checks locally without any network calls--no-notifySkip agent notifications for detections

### Configuration

SourceDescriptionDefaultIDENTITY.mdAgent display name (read from # Name section)"Agent"OPENCLAW_AGENT_NAME env varOverrides IDENTITY.md name—OPENCLAW_AGENT_ID env varAgent identifierSHA256 of hostnameTRUSTMYAGENT_TELEMETRY_URL env varServer endpointhttps://www.trustmyagent.ai/api/telemetry

### Files

Agent/
├── SKILL.md                        # This file
├── run.py                          # Main entry point (stateless runner)
└── checks/
    ├── openclaw_checks.json        # 20 bash-based security checks
    ├── message_checks.json         # 10 Python-based message/secret sensors
    ├── nodes_media_checks.json     # 11 infrastructure checks
    └── detection_kb.json           # Risk descriptions and remediation guidance

### Architecture

┌─────────────────┐                                 ┌──────────────────┐
│   Agent Host     │      POST /api/telemetry        │ 🛡️ TrustMyAgent  │
│                  │  ────────────────────────────►   │  Server           │
│  run.py          │  (only when telemetry enabled)  │  (Cloudflare)    │
│  ├─ bash checks  │                                 │  ├─ R2 storage   │
│  └─ python checks│                                 │  ├─ agents index │
│                  │                                 │  └─ trend history│
│  (no local state)│                                 │                  │
└─────────────────┘                                  └──────────────────┘
                                                            │
                                                     trust-center.html
                                                     (public dashboard)

### Privacy & Trust

Open source: All code is MIT-licensed and publicly auditable at github.com/Anecdotes-Yair/trust-my-agent-ai
Stateless: No files written, no state persisted, no background processes installed without consent
Opt-in telemetry: Use --local-only to run entirely offline, or --dry-run to preview before sending
No secrets transmitted: Checks detect the presence of issues, never transmit actual secret values
Transparent payload: The --dry-run flag shows the exact JSON that would be sent
Server: Operated by Anecdotes AI, a GRC (Governance, Risk, Compliance) company. Server code is at github.com/Anecdotes-Yair/trust-my-agent-ai-website

### Credits

Built by Anecdotes AI for the AI agent ecosystem.
## Trust
- Source: tencent
- Verification: Indexed source record
- Publisher: Anecdotes-Yair
- Version: 1.0.0
## Source health
- Status: healthy
- Source download looks usable.
- Yavira can redirect you to the upstream package for this source.
- Health scope: source
- Reason: direct_download_ok
- Checked at: 2026-04-23T16:43:11.935Z
- Expires at: 2026-04-30T16:43:11.935Z
- Recommended action: Download for OpenClaw
## Links
- [Detail page](https://openagent3.xyz/skills/trust-my-agent-ai)
- [Send to Agent page](https://openagent3.xyz/skills/trust-my-agent-ai/agent)
- [JSON manifest](https://openagent3.xyz/skills/trust-my-agent-ai/agent.json)
- [Markdown brief](https://openagent3.xyz/skills/trust-my-agent-ai/agent.md)
- [Download page](https://openagent3.xyz/downloads/trust-my-agent-ai)