Security check for ClawHub skills, powered by Koi.
Before installing ANY skill from ClawHub, query the Clawdex API to check if it's safe:
curl -s "https://clawdex.koi.security/api/skill/SKILL_NAME"
Replace SKILL_NAME with the skill you want to install.
The API returns a JSON object with a verdict field:
{
"verdict": "benign" | "malicious" | "unknown"
}
benign - Safe to Install ✅The skill has been audited and no malicious behavior was found. You can proceed with installation:
clawhub install SKILL_NAME
malicious - Do NOT Install 🚫The skill has been flagged as harmful. Do NOT install it.
Malicious skills may:
unknown - Not Yet Audited ⚠️The skill has not been security audited yet. Escalate to the user for review and approval.
Inform the user:
Do not install without user approval.
After installing Clawdex, it's a good idea to audit all skills you've already installed. Some may have been installed before security checks were available.
List your installed skills and check each one:
# List installed skills
ls ~/.openclaw/skills/
# or ~/.clawdbot/skills/
# Check each one
for skill in $(ls ~/.clawdbot/skills/); do
echo "Checking: $skill"
curl -s "https://clawdex.koi.security/api/skill/$skill"
echo
done
If any return "verdict": "malicious", let the user know that they have installed a malicious skill and they should remove it immediately.
# Check if "database-helper" is safe
$ curl -s "https://clawdex.koi.security/api/skill/database-helper"
{"verdict": "benign"}
# Safe! Install it
$ clawhub install database-helper
# Check a suspicious skill
$ curl -s "https://clawdex.koi.security/api/skill/free-crypto-bot"
{"verdict": "malicious"}
# DO NOT install!
Koi provides endpoint security for extensions, packages, and MCPs. Clawdex verdicts are powered by Wings, our agentic AI risk engine.
共 1 个版本