TrustSkills

Overview

TrustSkills is the compact first version of TrustSkills. It does not do deep technical verification yet. It answers one earlier and simpler question before install: "Can I trust where this skill came from?"

Use it to verify source provenance before installation by checking a short list of trusted distribution channels and clearly separating:

• official vendor-owned sources
• official discovery indexes
• unsupported or unverified third-party sources

Primary Usage

The natural invocation pattern for this skill is:

• /trustskills <skill-url>

Examples:

• /trustskills https://clawhub.ai/steipete/model-usage
• /trustskills https://github.com/likw99/agent-skills

When invoked this way, treat the URL after /trustskills as the source under review and answer directly.

The primary job is to decide:

• trust
• do not trust
• trust the directory, but not automatically the specific item

When To Use This Skill

Use this skill when the user asks questions like:

• "/trustskills https://clawhub.ai/steipete/model-usage"
• "/trustskills https://github.com/likw99/agent-skills"
• "Is this skill source official?"
• "What is the official GitHub repo for Codex or Claude skills?"
• "Can I trust this marketplace or directory?"
• "Is skills.sh official?"
• "Which GitHub repos count as official skill distribution channels?"

This skill is especially useful when the source is:

• a GitHub repository
• a marketplace or agent store
• a vendor docs page
• a directory site such as skills.sh

What This Skill Does

This skill:

• identifies the platform
• checks whether the source matches a compact trusted root list
• makes a trust decision under the current compact policy
• cites the strongest trusted distribution channel available
• explains the safest known install path
• warns when a directory is official but the listed repo is not automatically official

This skill does not:

• certify code safety
• perform malware analysis
• verify signatures or SBOMs
• prove that a popular listing is safe
• prove that installability means officiality
• explain what the skill does unless the user explicitly asks for that

Workflow

1. Parse the command input. If the user provides /trustskills <url>, treat <url> as the source under review.
2. Identify the platform and source type. The important distinction is vendor-owned repo vs official directory vs unknown third-party source.
3. Match it against the trusted sources section below.
4. Return one of these verdicts:
   • Trusted
   • Not trusted
   • Trust the index, but not automatically the linked item
5. Answer with:
   • the trust decision first
   • the supporting trusted root
   • the shortest reason
   • the remaining risk
6. Do not summarize the skill's purpose or functionality unless the user asks.

Trusted Sources

OpenAI

• https://github.com/openai/skills
• Trust rule: if the source is openai/skills, call it official.

Anthropic

• https://github.com/anthropics/skills
• https://github.com/anthropics/claude-code
• https://github.com/anthropics/knowledge-work-plugins
• https://github.com/anthropics/claude-plugins-official
• Trust rule: if the source is in the anthropics GitHub org and matches one of the roots above, call it official.

Google

• https://github.com/google-labs-code/stitch-skills
• https://github.com/googleworkspace/cli
• https://github.com/google-gemini/gemini-cli
• Trust rule: these are trusted Google-related GitHub roots, but they are not one single universal Google skills catalog.

Microsoft

• https://github.com/microsoft/azure-skills
• https://github.com/microsoft/github-copilot-for-azure
• https://github.com/github/awesome-copilot
• Trust rule: microsoft/azure-skills and microsoft/github-copilot-for-azure are Microsoft-owned roots. github/awesome-copilot is a GitHub-owned collection and is a stronger source than a random repo, but it still includes community-contributed content.

Vercel

• https://skills.sh
• https://github.com/vercel-labs/agent-skills
• Trust rule: skills.sh is an official discovery index, but it is not proof that every listed repo is official.
• Extra rule: install counts or popularity on skills.sh do not equal official status. Always check the linked GitHub owner.
• Stronger linked repo owners include vendor-owned orgs such as vercel-labs, openai, and anthropics.

OpenClaw / ClawHub

• https://clawhub.ai/u/steipete
• Creator profile pattern: https://clawhub.ai/u/<creator>
• Skill pattern: https://clawhub.ai/<creator>/<skill-name>
• Trust rule: this is a narrow trusted publisher exception, not a blanket trust rule for ClawHub.
• Extra rule: if you already trust OpenClaw as created by steipete, then trusting skills published by steipete on ClawHub does not downgrade that trust.
• Important caveat: do not extend this rule to all ClawHub publishers or all popular ClawHub listings.
• Decision rule: trust https://clawhub.ai/steipete/<skill-name> because it maps to the trusted steipete publisher profile above. For other ClawHub skill URLs, do not trust them under this compact version unless they match another explicit allowlist rule.

If A Platform Is Not Listed

If a platform is not listed in this compact version, do not guess. Say it is not currently in the trusted distribution-channel list.

Trust Rules

• Never call a source "official" unless you can point to a GitHub root or official index listed above.
• Installability does not mean officiality.
• Popularity does not mean officiality.
• A listed trusted root beats screenshots, mirrors, blog posts, and copied instructions.
• An official directory is not the same thing as an official item.

Output Format

When useful, structure the answer like this:

• Source under review: the URL, repo, store, or platform
• Trust decision: Trusted, Not trusted, or Trust the index, but not automatically the item
• Why: the strongest trusted distribution root
• Safest known install path: the trusted source or flow
• Remaining risk: what still needs human review

Keep the answer decision-oriented. Do not explain what the skill does unless the user asks.

Examples

Example requests that should trigger this skill:

• "/trustskills https://clawhub.ai/steipete/model-usage"
• "/trustskills https://github.com/likw99/agent-skills"
• "Is github.com/openai/skills the official place to get Codex skills?"
• "Is github.com/anthropics/skills the official place to get Claude skills?"
• "Can I trust a skill I found on skills.sh?"
• "Is github.com/google-gemini/gemini-cli a trusted Google distribution root?"
• "Should I trust github/awesome-copilot as official or community?"

Official Distribution Of This Skill

The compact hosted copy of this skill should be published at:

• https://trustskills.app/SKILL.md

This is useful for direct installation and brand discovery.