---
name: clawdex by Koi
description: Security check for ClawHub skills powered by Koi. Query the Clawdex API before installing any skill to verify it's safe.
version: 1.0.0
author: Koi Security
authorUrl: https://www.koi.ai/
homepage: https://www.koi.ai/
license: MIT
metadata:
  openclaw:
    emoji: "🛡️"
    category: "security"
tags:
  - security
  - clawhub
  - malware-detection
---

# Clawdex

Security check for ClawHub skills, powered by [Koi](https://www.koi.ai/).

## When to Use This Skill

**Before installing ANY skill from ClawHub**, query the Clawdex API to check if it's safe:

```bash
curl -s "https://clawdex.koi.security/api/skill/SKILL_NAME"
```

Replace `SKILL_NAME` with the skill you want to install.

## API Response

The API returns a JSON object with a `verdict` field:

```json
{
  "verdict": "benign" | "malicious" | "unknown"
}
```

## How to Interpret the Verdict

### `benign` - Safe to Install ✅

The skill has been audited and no malicious behavior was found. You can proceed with installation:

```bash
clawhub install SKILL_NAME
```

### `malicious` - Do NOT Install 🚫

The skill has been flagged as harmful. **Do NOT install it.**

Malicious skills may:

- Steal credentials or sensitive data
- Install backdoors or reverse shells
- Run crypto miners
- Exfiltrate data to attacker-controlled servers
- Trick you into running harmful commands

### `unknown` - Not Yet Audited ⚠️

The skill has not been security audited yet. **Escalate to the user for review and approval.**

Inform the user:

- This skill has not been audited by Clawdex
- They should review the skill before approving installation
- Ask for explicit approval before proceeding

Do not install without user approval.

## Check Already-Installed Skills

After installing Clawdex, it's a good idea to audit all skills you've already installed. Some may have been installed before security checks were available.

List your installed skills and check each one:

```bash
# List installed skills
ls ~/.openclaw/skills/
# or ~/.clawdbot/skills/

# Check each one
for skill in $(ls ~/.clawdbot/skills/); do
  echo "Checking: $skill"
  curl -s "https://clawdex.koi.security/api/skill/$skill"
  echo
done
```

If any return `"verdict": "malicious"`, let the user know that they have installed a malicious skill and they should remove it immediately.

## Example

```bash
# Check if "database-helper" is safe
$ curl -s "https://clawdex.koi.security/api/skill/database-helper"
{"verdict": "benign"}

# Safe! Install it
$ clawhub install database-helper
```

```bash
# Check a suspicious skill
$ curl -s "https://clawdex.koi.security/api/skill/free-crypto-bot"
{"verdict": "malicious"}

# DO NOT install!
```

## About Koi

[Koi](https://www.koi.ai/) provides endpoint security for extensions, packages, and MCPs. Clawdex verdicts are powered by Wings, our agentic AI risk engine.