Credence
Pass
Audited by ClawScan on May 1, 2026.
Overview
Credence is a coherent instruction-only registry lookup helper with no code or credentials, but its install advice depends on a mutable third-party registry and should be checked carefully.
This skill appears safe to install as an instruction-only helper. Before following its install recommendations, verify that the registry entry exactly matches the tool you intend to install and remember that a high Credence score is not a complete security review.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the registry is changed incorrectly or compromised, the agent could report misleading trust scores or recommendations.
The skill's recommendations depend on a public registry fetched from a mutable GitHub branch. This is disclosed and central to the skill's purpose, but registry integrity and provenance controls are not described.
curl -s "https://raw.githubusercontent.com/pestafford/credence-registry/main/registry/index.json"
Use the registry result as one input, and verify the registry page, attestation details, and source identity before relying on it for important installs.
A lookalike or similarly named tool could be mistaken for a reviewed tool if the match is not manually verified.
In a security approval workflow, fuzzy matching can associate a requested tool with the wrong registry entry. The behavior is disclosed and purpose-aligned, but it can make the resulting recommendation sound more certain than the match supports.
The match does not need to be exact — partial matches on the repo URL or server name are fine.
Confirm the exact repository URL, server ID, or canonical name before treating an APPROVED score as applicable, especially before installing or connecting an MCP server.
