ClawHub
Back to skill
v1.0.0

Trust Decay Monitor

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:56 AM.

Analysis

This instruction-only skill is coherent with its stated purpose of assessing whether old skill verifications may be stale, and the artifacts do not show credential use, persistence, mutation, or hidden behavior.

GuidanceThis skill appears safe to install for generating trust-freshness reports. Before using it, be aware that it may use curl or python3 to look up public ecosystem information, and avoid providing private marketplace URLs or non-public skill data unless you are comfortable having the agent analyze them.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityInfoConfidenceHighStatusNote
SKILL.md
requires:
      bins: [curl, python3]

The skill declares local command-line tools as requirements, likely to fetch or process public verification, dependency, CVE, or endpoint data.

User impactThe agent may use local tools such as curl or python3 while helping assess skill trust freshness.
RecommendationUse this skill with public skill identifiers or URLs unless you explicitly want the agent to analyze private marketplace information.
Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceHighStatusNote
metadata
Source: unknown
Homepage: none

The registry metadata does not provide an external source or homepage, which limits provenance context, although the submitted package is instruction-only and contains no code files.

User impactThere is limited publisher/source context to independently review, but the artifact set itself does not include executable code or install steps.
RecommendationIf provenance matters for your workflow, verify the registry owner and inspect the skill text before relying on its reports.