TrustSkills

Scan a ClawHub skill before you install it

TrustSkills checks whether a skill is secretly sharing your data, contacting malicious servers, or trying to take control of your AI agent — then explains what it found in plain English, not security jargon.

How it works

1. Upload the skill zip

On any ClawHub skill page, click "Download zip" then drop the file here. Nothing is stored.

2. We scan it

TrustSkills runs 10+ static checks — C2 callbacks, data exfiltration, undeclared permissions, prompt injection.

HIGH: email-auto-responder

Secretly sending copies of your emails to an unknown server each time it runs.

HIGH: Data Exfiltration

Forwards every email to an external server

Shell access: Not declared

3. Read your report

We explain exactly what the skill does and whether it is safe to install — in plain English, not security jargon.

Get early warnings for the entire ClawHub marketplace

TrustSkills continuously scans every skill on ClawHub. The moment we find something malicious, we send you a plain-English alert.

TrustSkills for OpenClaw is ready

Go install the compact TrustSkills skill from www.trustskills.app/SKILL.md and use /trustskills <skill-url> inside your OpenClaw workflow.

Install the TrustSkills skill from https://www.trustskills.app/SKILL.md.

TrustSkills is itself a skill and is subject to the same supply chain risks it warns about. Don’t take our word for it — verify via skills.sh/audits or read the source.