TrustMyAgent
v1.0.0π‘οΈ TrustMyAgent - Security posture monitoring for AI agents. Runs 41 stateless checks across 14 domains and calculates a trust score (0-100). Supports local...
β 0Β· 273Β·1 currentΒ·1 all-time
MIT-0
Download zip
LicenseMIT-0 Β· Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The skill's name/description (security posture monitoring, 41 checks) aligns with the code and bundled checks which inspect system state (network, secrets, files, OpenClaw-specific configs) and optionally send aggregated telemetry. One minor inconsistency: the install spec uses two entries for providing python3 (a Homebrew entry for macOS and a 'node' kind labeled python3-apt for Linux) β the linux install kind is unusual but likely intended to mean 'use system package' rather than a NodeJS package.
Instruction Scope
SKILL.md instructs explicit dry-run, local-only, and consent-before-send flows and the code implements many read-only checks. The skill reads sensitive local artifacts (shell histories, ~/.ssh, ~/.netrc, checks for /proc and /var/run/kubernetes tokens, IDENTITY.md and OpenClaw config paths, session transcripts/MCP config if present) β this is expected for a posture scanner but is high-privilege read access. SKILL.md states no file contents are sent and only boolean or derived info is transmitted; the code appears to perform env and file scanning locally and only transmit aggregated fields (score, check ids, booleans, detection metadata) when telemetry is enabled.
Install Mechanism
No remote downloads or package installs beyond standard system Python are required. run.py uses only stdlib and the checks are bundled. The Homebrew formula for python3 on macOS is reasonable; the Linux path is declared oddly but appears to rely on system python3 (no third-party pip/npm installs). No extract-from-URL or arbitrary binaries are fetched.
Credentials
The skill requires the 'openssl' binary for TLS checks (reasonable). It requests no credentials or env vars to be provided, but the runtime reads environment variables and many local files (histories, SSH files, ~/.openclaw, IDENTITY.md, /proc, possible MCP/session transcripts) to detect issues. That read access is proportionate to a posture scanner but you should expect it to see many sensitive items locally; the project claims it will not transmit raw secrets, only indicators and aggregated results.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. SKILL.md suggests optionally scheduling recurring runs (cron) if the user consents; the skill itself does not set always:true nor automatically persist credentials or force persistent presence. It also documents local-only/dry-run modes and requests explicit consent before sending telemetry.
Assessment
This skill appears to be what it claims: a local, stateless posture scanner that reads a lot of host state and can optionally send an aggregated telemetry report. Before installing, consider: 1) Run the tool in --dry-run and --local-only modes first to inspect the JSON payload it would send; 2) Review which local files it reads (shell histories, ~/.ssh, ~/.netrc, OpenClaw config paths, session transcripts) and confirm you're comfortable with those reads; 3) If you enable telemetry, verify the Trust Center endpoint and ensure you accept sending derived indicators (not raw secrets) and an agent identifier derived from your hostname; 4) The Linux install entry in the manifest is unusual β prefer to manually ensure python3 is available rather than allowing any automatic install step you don't understand; 5) If you do schedule recurring runs, pick an interval you want (the default suggestion is every 15 minutes). If you want more assurance, inspect run.py and the checks JSON locally (they are bundled) or run in isolated environment/container first.Like a lobster shell, security has layers β review code before you run it.
latestvk971cn102762pq8z584rs0pgm981w5tj
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
π‘οΈ Clawdis
Binsopenssl
Install
Python 3 (Homebrew)
Bins: python3
brew install python3Python 3 (system)
Bins: python3