TrustSkills

v0.1.0

Use this skill when a user wants a trust decision before installing from a skill URL, marketplace, or GitHub repo. It checks a compact allowlist of trusted d...

by K@likw99
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Benign
high confidence
Purpose & Capability
Name, description, and SKILL.md all describe a compact allowlist-based trust check. There are no unrelated environment variables, binaries, or install steps requested — the declared purpose aligns with what the skill asks for.
Instruction Scope
Instructions restrict behavior to parsing a provided URL and matching it against an explicit trusted-roots list, returning a short verdict. This is coherent, but the workflow is purely syntactic (URL/org matching) and intentionally does not perform deep verification (signatures, SBOMs, or repo-level ownership verification). Relying solely on this output for high-risk installs would be insufficient.
Install Mechanism
No install spec and no code files — instruction-only skill. Nothing will be written to disk or executed beyond the agent following the prose instructions.
Credentials
The skill requires no environment variables, credentials, or config paths. The minimal privilege footprint matches the stated purpose.
Persistence & Privilege
The always flag is false, and the skill does not request persistent system presence or modify other skills. Autonomous invocation is allowed (the platform default) but is not combined with elevated privileges.
Assessment
This skill is a lightweight URL/org allowlist checker — it only looks at the source URL and matches it to a small set of trusted roots. It does NOT do code or signature verification, ownership proof, or malware analysis. It's safe to invoke (no creds, no install), but do not rely on it alone for high-risk installations: manually verify the repository owner, check upstream vendor docs, inspect code or release artifacts, look for signed releases or SBOMs, and prefer vendor-owned GitHub orgs or official marketplace entries when possible. Note the compact allowlist contains narrow exceptions (e.g., a specific ClawHub publisher); treat such rules as policy shortcuts rather than technical guarantees and follow up with manual checks when the install would affect sensitive systems.

Like a lobster shell, security has layers — review code before you run it.


