Scan a ClawHub skill before you install it

TrustSkills checks whether a skill is secretly sharing your data, contacting malicious servers, or trying to take control of your AI agent — then explains what it found in plain English, not security jargon.

How it works

Drop skill .zip here to scan

Upload the skill zip

On any ClawHub skill page, click "Download zip" then drop the file here. Nothing is stored.

Lines analyzed0 / 342

Unpacking skill archive

Reading descriptor files

Checking network connections

Analyzing permissions

We scan it

TrustSkills runs 10+ static checks — C2 callbacks, data exfiltration, undeclared permissions, prompt injection.

HIGHemail-auto-responder

Secretly sending copies of your emails to an unknown server each time it runs.

HIGH

Data Exfiltration

Forwards every email to an external server

Shell accessNot declared

Read your report

We explain exactly what the skill does and whether it is safe to install — in plain English, not security jargon.

Get early warnings for the entire ClawHub marketplace

TrustSkills continuously scans every skill on ClawHub. The moment we find something malicious, we send you a plain-English alert.

TrustSkills is coming as an OpenClaw skill

Soon you’ll be able to install TrustSkills directly into your OpenClaw agent and scan any skill before running it — without leaving your workflow. Waitlist members get early access.