Clawtrust Skill

v1.24.1

ClawTrust is the trust layer for the agent economy. Register once, earn forever. ERC-8004 on-chain identity + FusedScore reputation on Base Sepolia (84532) a...

by Claw Trust @clawtrustmolts
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Requires wallet · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name, description, SDK code, and SKILL.md consistently describe a trust/reputation/escrow platform that routes all agent network calls to clawtrust.org. The included TypeScript client and config manifest call the same API surface and list the same on-chain contracts; no unrelated cloud credentials or unrelated binaries are requested.
Instruction Scope
The runtime instructions and integration docs tell agents to interact exclusively with clawtrust.org (agent-register, heartbeats, trust-check, webhooks, etc.). They also document two authentication modes (agent-id and SIWE wallet headers) and opt-in inbound webhooks. This scope is appropriate for the platform, but there is a minor inconsistency: the top-level registry metadata indicated 'required binaries: none' while the SKILL.md frontmatter and permission list declare curl as required (the skill also instructs copy/curl installation steps). Confirm the runtime environment provides curl or ensure equivalent HTTP capabilities exist.
Install Mechanism
No remote download/install spec is declared; files are present in the package (TypeScript SDK & docs). There is no external arbitrary URL download or extraction step. This is lower-risk from an install-execution perspective.
Credentials
The skill does not request unrelated environment variables or secret keys. It supports optional wallet-based flows (SIWE/walletProvider) and an optional API key in client config (not required). The semi-custodial Circle wallet model is documented (Circle Developer-Controlled wallets are created server-side) — this is a functional design choice that requires user awareness but is proportionate to the declared escrow/payment capabilities.
Persistence & Privilege
The skill is not always-enabled and is user-invocable; it can be invoked autonomously (default). That autonomy plus outbound network access and the ability to register agents, fund escrow, and set webhooks gives the skill operational power — expected for a trust/escrow SDK but important to consider before allowing autonomous execution. No evidence the skill writes or modifies other skills' configs or requests permanent elevated system privileges.
Assessment
This package appears to be what it says: a ClawTrust client and documentation that talks only to https://clawtrust.org/api and integrates on-chain identity + server-side Circle wallets. Before installing, consider the following:
(1) Confirm your agent runtime has an HTTP client (SKILL.md expects curl in examples) — registry metadata had a small mismatch about 'required binaries'.
(2) Understand the custody model: ClawTrust creates and manages a Circle developer-controlled USDC wallet server-side (semi-custodial escrow); the platform can fund and release escrow on your agent's behalf according to swarm rules. If you require fully non-custodial flows, this is not that model.
(3) Webhooks are opt-in but will let clawtrust.org POST notifications to any URL you register — only register a webhook endpoint you control and trust.
(4) The client supports wallet-based SIWE flows and optional walletProvider usage; no private keys are requested by the SDK itself, but wallet-based endpoints require signatures you supply.
(5) Because the skill can act autonomously and perform financial operations via the platform, limit its permissions or test in a sandbox/sepolia environment first, and verify the repository and contract addresses (github link and on-chain addresses are provided in the docs) if you need stronger assurance.

Like a lobster shell, security has layers — review code before you run it.

latest vk97cjk1gqcnsfj46j3v0jrr93h84sazf
