TrustMyAgent
Review
Audited by ClawScan on May 10, 2026.
Overview
TrustMyAgent is a disclosed security-scanning skill with optional telemetry and optional recurring runs; review the local data it inspects and what it sends before enabling full or scheduled mode.
Before installing, run the dry-run command and review the exact telemetry payload. Use `--local-only` if you want the security report to stay on your machine, and only enable the optional cron schedule if you want recurring assessments.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can run local commands to inspect the machine, which is normal for this tool but should be limited to trusted bundled checks.
The skill intentionally executes local shell-based checks. This is expected for a host security assessment, but users should avoid running untrusted custom check files.
"Bash checks" (20) - Shell commands that inspect the host environment. Defined in `checks/openclaw_checks.json`.
Use the bundled checks or review any custom `--checks` JSON before running it.
The scan may look for signs of cloud credentials, tokens, or secrets on the local machine.
The skill inspects credential-related locations and environment data for security findings. The artifacts say values are not sent, but this is still sensitive local access.
"Check for AWS, GCP, and Azure credentials in environment and credential files"
Run `--dry-run` first and use `--local-only` if you do not want any scan result summaries transmitted.
Private conversation context may be inspected locally to determine whether credentials were leaked.
The skill reviews agent conversation/session context for leaked secrets. This is purpose-aligned for security monitoring, but conversation history can contain private information.
"Scan agent conversation history for leaked credentials, API keys, or tokens"
Review the dry-run payload and prefer local-only mode if conversation-derived security status should not be reported externally.
Summarized security posture information may be sent to TrustMyAgent's public Trust Center.
The skill discloses an external telemetry flow including agent identity, platform, trust score, results, and detections. It also provides dry-run and local-only modes.
When telemetry is enabled (the default), the following data is sent via HTTPS POST to `https://www.trustmyagent.ai/api/telemetry`
Inspect the `--dry-run` output before sending, and use `--local-only` if you do not want telemetry.
If enabled, the scan can run repeatedly, such as every 15 minutes, and may send recurring telemetry.
The skill can be made persistent through scheduled recurring assessments, but the artifact says this should only happen after user consent.
Ask the user if they want to schedule automatic assessments. If they agree, suggest a cron job.
Only enable the cron job if you want continuous monitoring, choose an interval you are comfortable with, and know how to remove the schedule later.
