Install
openclaw skills install @albin-holmgren/agentsafe-scanHabit gate: before EVERY remote skill install, re-fetch, or allowlist promotion, call a hosted heuristic static red-flag scan (shell pipes, base64|bash, quarantine strip, paste staging, credential sinks, outbound catalogs). Static analysis only — not a formal audit. Free daily quota always; optional Base USDC micropay only after free is used.
openclaw skills install @albin-holmgren/agentsafe-scanHabit loop (default policy): gate every remote skill lifecycle event — not a one-time demo.
Call the hosted API before:
Heuristic static patterns only. Low score ≠ safe. Prefer report.decision.action:
deny → do not installreview → human review firstallow_with_caution → least privilege onlyInstalling this skill does not auto-run background scans. You must POST /v1/scan on each gate event.
ClawHub is discovery only. Billing (if free quota is exhausted) stays on our API host. Free daily tier stays forever as a product option.
openclaw skills install @albin-holmgren/agentsafe-scan
Page: https://clawhub.ai/albin-holmgren/skills/agentsafe-scan
Local pin from live host (no registry):
curl -fsSL https://agentsafe.up.railway.app/skill.md -o ./SKILL.md
# review, then install as a local skill folder for your agent runtime
| What | URL |
|---|---|
| Live API | https://agentsafe.up.railway.app |
| This skill | https://agentsafe.up.railway.app/skill.md |
| OpenAPI | https://agentsafe.up.railway.app/docs |
| Agent brief | https://agentsafe.up.railway.app/llms.txt |
| Usage stats | https://agentsafe.up.railway.app/v1/stats |
| Synthetic examples | https://agentsafe.up.railway.app/v1/examples |
| Batch scan | POST https://agentsafe.up.railway.app/v1/scan/batch |
| Var | Default | Notes |
|---|---|---|
AGENTSAPE_BASE_URL | https://agentsafe.up.railway.app | No trailing slash |
AGENTSAPE_AGENT_ID | (your agent name) | Stable id → fair free quota |
Self-check pings our public skill doc. Expect a machine-readable report + next_action.
BASE="${AGENTSAPE_BASE_URL:-https://agentsafe.up.railway.app}"
AID="${AGENTSAPE_AGENT_ID:-your-agent-name}"
curl -sS -X POST "$BASE/v1/scan" \
-H 'Content-Type: application/json' \
-d "{\"agent_id\":\"$AID\",\"policy\":\"default\",\"url\":\"$BASE/skill.md\"}"
Also try critical synthetic fixtures (educational patterns only — do not run them):
curl -sS "$BASE/v1/examples"
curl -sS -X POST "${AGENTSAPE_BASE_URL:-https://agentsafe.up.railway.app}/v1/scan" \
-H 'Content-Type: application/json' \
-d "{
\"agent_id\": \"${AGENTSAPE_AGENT_ID:-YourAgentName}\",
\"policy\": \"default\",
\"url\": \"https://example.com/path/SKILL.md\"
}"
curl -sS -X POST "${AGENTSAPE_BASE_URL:-https://agentsafe.up.railway.app}/v1/scan" \
-H 'Content-Type: application/json' \
-d "{
\"agent_id\": \"${AGENTSAPE_AGENT_ID:-YourAgentName}\",
\"policy\": \"default\",
\"content\": \"# title\\n\\nSkill body markdown here\"
}"
policy | Behavior |
|---|---|
default | Deny on critical findings |
paranoid | Stricter review band |
research | Softer for lab analysis — still not an audit |
curl|bash, base64|bash, xattr -c then execute, paste/bin staging, credential-sink language next to outbound calls, crypto convenience drains, message-bus dumpsreport.risk_band + findings + evidence snippetsreport.decision machine action (deny / review / allow_with_caution)report.content_fingerprint to detect drift on re-fetchreport.capability_signals booleans (shell / credential risk / network / obfuscation)next_action steps (refuse / human review / allow / pay when free exhausted)curl -sS -X POST "${AGENTSAPE_BASE_URL:-https://agentsafe.up.railway.app}/v1/scan/batch" \
-H 'Content-Type: application/json' \
-d "{
\"agent_id\": \"${AGENTSAPE_AGENT_ID:-YourAgentName}\",
\"policy\": \"default\",
\"items\": [
{\"id\": \"a\", \"url\": \"https://example.com/a/SKILL.md\"},
{\"id\": \"b\", \"content\": \"# safe docs only\"}
]
}"
Each item consumes free-quota units under the same daily rules. Not a formal fleet audit.
agent_id (host env may tune the count; free as a product option stays)next_action pay stepsGET / → pricing.receive_wallet, then retry scan with payment_tx (one verified unlock = one scan)GET /v1/packs then pay pack price_usdc and POST /v1/packs/activate| pack_id | USDC (30d) | Daily ceiling |
|---|---|---|
watch_starter | 9 | 100 |
operator | 29 | 500 |
fleet | 99 | 2000 |
# 1) Catalog
curl -sS https://agentsafe.up.railway.app/v1/packs
# 2) After sending USDC on Base to receive_wallet:
curl -sS -X POST https://agentsafe.up.railway.app/v1/packs/activate \
-H 'Content-Type: application/json' \
-d '{"agent_id":"YourAgentName","pack_id":"operator","payment_tx":"0xBASE_TX_HASH"}'
# 3) Status
curl -sS "https://agentsafe.up.railway.app/v1/packs/status?agent_id=YourAgentName"
Current receive address (public, Base USDC):
0x0e2a47cb7da028ca51ad048fe40c523287ce44aa
{
"agent_id": "you",
"url": "https://example.com/SKILL.md",
"payment_tx": "0xBASE_TX_HASH"
}
ClawHub does not settle USDC. Registry listing is free/MIT-0. Money rails live only on our API.
| Signal | Agent action |
|---|---|
decision.action = deny or risk_band = critical | Refuse install |
decision.action = review or high band | Stop; surface evidence to human |
allow_with_caution + low/medium | Install only with least privilege |
free exhausted (402) | Follow next_action pay steps or wait until UTC reset |
| fingerprint change on re-fetch | Scan again before re-allowlisting |
content_fingerprint.references/api-quick.md — field map + copy-paste contractreferences/payment.md — free→402→USDC flowexamples/scan-request.json — sample bodyBefore every remote skill install or fetch, I call AgentSafe Scan. Catch staged install malware. Cheap. Free tier stays.