skill-trust-auditor_skill

This skill audits a ClawHub skill for security risks before installation, returning a trust score and actionable safety recommendations.
  • Python

2.5k

GitHub Stars

5

Bundled Files

2 months ago

Catalog Refreshed

3 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill openclaw/skills --skill skill-trust-auditor

  • _meta.json474 B
  • CHANGELOG.md541 B
  • README.md2.1 KB
  • skill.json420 B
  • SKILL.md3.0 KB

Overview

This skill audits any ClawHub skill for security risks before installation and produces a clear Trust Score (0–100) with actionable flags. I scan archived skill versions for known malicious patterns, produce a verdict (SAFE / CAUTION / RISKY / DO NOT INSTALL), and give concrete recommendations so you can decide safely.

How this skill works

The auditor analyzes a skill bundle or URL and matches code and scripts against a curated pattern database (including the ClawHavoc incident signatures). It scores risks by severity, lists flagged lines and files, and reports safe patterns and author verification status. You get a short human-readable summary and a JSON output that you can inspect or pipe into scripts for automated gating.

When to use it

  • Before running clawhub install for any third-party skill.
  • When someone asks “is this skill safe?” for enterprise or personal deployment.
  • During security reviews for a curated skill list or marketplace.
  • As a pre-deployment gate in CI for environments that accept new skills.

Best practices

  • Always run the audit before installing unverified skills, especially with low scores.
  • Treat HIGH risk flags (e.g., curl to unknown domains, env access, exec with user input) as blockers until reviewed.
  • Use the file locations returned to inspect specific lines before proceeding.
  • Combine audit output with manual review for MEDIUM and LOW findings.
  • Enable automatic pre-install audits in developer shells or CI for repeatable safety.

Example use cases

  • A developer evaluating a community skill sees a 72 score with a curl to an external host and inspects the script line before installing.
  • An operations team gates production installs: any skill under 70 requires a security owner review.
  • An enterprise auditor batches audits of archived skills to build an allowlist and identify historical malicious patterns.
  • A power user aliases an install command to run an audit first, preventing accidental execution of exfiltration scripts.
  • A security researcher compares scanned patterns against the ClawHavoc reference to update internal IDS rules.

FAQ

Yes — you can wrap or alias your install command to run the auditor first and block installs that fail policy thresholds.

Does it guarantee a skill is safe if the score is high?

No. A high score reduces risk but does not guarantee safety; always review flagged items and verify author provenance for critical deployments.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational