Scanner comparison · 2026
TrustSkills vs SkillRisk
Compare TrustSkills and SkillRisk, the two main free no-account AI agent skill scanners for OpenClaw and ClawHub. Server-side detection vs fully client-side scanning.
Bottom line
Both TrustSkills and SkillRisk are free, require no account, and cover the core OpenClaw threat landscape. The main difference: TrustSkills runs server-side (detection rules update independently of the client), while SkillRisk is fully client-side (no data leaves your browser).
TrustSkills
TrustSkills runs a server-side detection engine that checks skills for C2 callbacks, data exfiltration, obfuscated payloads, reverse shells, prompt injection, SOUL.md overrides, and permission scope mismatches. Because detection logic runs server-side, TrustSkills can push updated detection rules without requiring a client update.
SkillRisk
SkillRisk is a browser-based AI agent skill scanner. All scanning logic runs client-side — the skill file never leaves your machine. This makes SkillRisk the right choice for users who have strict data handling requirements or who want to verify the scanner's logic directly in the browser. SkillRisk also supports MCP server scanning.
| Feature | TrustSkills | SkillRisk |
|---|---|---|
| Free tier | Yes | Yes |
| No account required | Yes | Yes |
| OpenClaw / ClawHub skills | Yes | Yes |
| MCP server scanning | Roadmap | Yes |
| C2 callback detection | Yes | Yes |
| Data exfiltration detection | Yes | Yes |
| Prompt injection detection | Yes | Yes |
| ClawHavoc pattern matching | Yes | Yes |
| Plain-English findings | Yes — no CVE IDs | Partial |
| Server-side scanning | Yes | No — client-side only |
| No data stored | Yes | Yes (client-side) |
| Hash drift monitoring | Roadmap | No |
| Slack / email alerts | Roadmap ($49/mo) | No |
| EU AI Act compliance reports | Roadmap (Aug 2026) | No |
Choose TrustSkills when…
- You want detection rules that update server-side without requiring you to update your client
- You want findings with categorized risk levels and plain-English explanations
- You're evaluating a ClawHub skill by URL and want the most up-to-date detection patterns
- Your team needs EU AI Act compliance reports (roadmap Aug 2026)
Choose SkillRisk when…
- Your data handling requirements prohibit sending skill content to any external server
- You want to audit the scanner's detection logic yourself — all code runs in the browser
- You need to scan MCP servers (TrustSkills MCP scanning is on the roadmap)
- You want 100% client-side verification with no network requests