Anthony/openclaw-backups
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
openclaw-backups/skills/clawdex/SKILL.md

120 lines
2.8 KiB
Markdown
Raw Permalink Blame History

---
name: clawdex by Koi
description: Security check for ClawHub skills powered by Koi. Query the Clawdex API before installing any skill to verify it's safe.
version: 1.0.0
author: Koi Security
authorUrl: https://www.koi.ai/
homepage: https://www.koi.ai/
license: MIT
metadata:
openclaw:
emoji: "🛡️"
category: "security"
tags:
- security
- clawhub
- malware-detection
---
# Clawdex
Security check for ClawHub skills, powered by [Koi](https://www.koi.ai/).
## When to Use This Skill
**Before installing ANY skill from ClawHub**, query the Clawdex API to check if it's safe:
```bash
curl -s "https://clawdex.koi.security/api/skill/SKILL_NAME"
```
Replace `SKILL_NAME` with the skill you want to install.
## API Response
The API returns a JSON object with a `verdict` field:
```json
{
"verdict": "benign" | "malicious" | "unknown"
}
```
## How to Interpret the Verdict
### `benign` - Safe to Install ✅
The skill has been audited and no malicious behavior was found. You can proceed with installation:
```bash
clawhub install SKILL_NAME
```
### `malicious` - Do NOT Install 🚫
The skill has been flagged as harmful. **Do NOT install it.**
Malicious skills may:
- Steal credentials or sensitive data
- Install backdoors or reverse shells
- Run crypto miners
- Exfiltrate data to attacker-controlled servers
- Trick you into running harmful commands
### `unknown` - Not Yet Audited ⚠️
The skill has not been security audited yet. **Escalate to the user for review and approval.**
Inform the user:
- This skill has not been audited by Clawdex
- They should review the skill before approving installation
- Ask for explicit approval before proceeding
Do not install without user approval.
## Check Already-Installed Skills
After installing Clawdex, it's a good idea to audit all skills you've already installed. Some may have been installed before security checks were available.
List your installed skills and check each one:
```bash
# List installed skills
ls ~/.openclaw/skills/
# or ~/.clawdbot/skills/
# Check each one
for skill in $(ls ~/.clawdbot/skills/); do
echo "Checking: $skill"
curl -s "https://clawdex.koi.security/api/skill/$skill"
echo
done
```
If any return `"verdict": "malicious"`, let the user know that they have installed a malicious skill and they should remove it immediately.
## Example
```bash
# Check if "database-helper" is safe
$ curl -s "https://clawdex.koi.security/api/skill/database-helper"
{"verdict": "benign"}
# Safe! Install it
$ clawhub install database-helper
```
```bash
# Check a suspicious skill
$ curl -s "https://clawdex.koi.security/api/skill/free-crypto-bot"
{"verdict": "malicious"}
# DO NOT install!
```
## About Koi
[Koi](https://www.koi.ai/) provides endpoint security for extensions, packages, and MCPs. Clawdex verdicts are powered by Wings, our agentic AI risk engine.
Reference in New Issue View Git Blame Copy Permalink