clawdexSecurity check for ClawHub skills powered by Koi. Query the Clawdex API before installing any skill to verify it's safe.
Security check for ClawHub skills, powered by Koi.
Before installing ANY skill from ClawHub, query the Clawdex API to check if it's safe:
curl -s "https://clawdex.koi.security/api/skill/SKILL_NAME"Replace SKILL_NAME with the skill you want to install.
The API returns a JSON object with a verdict field:
{
"verdict": "benign" | "malicious" | "unknown"
}benign - Safe to Install ✅The skill has been audited and no malicious behavior was found. You can proceed with installation:
clawhub install SKILL_NAMEmalicious - Do NOT Install 🚫The skill has been flagged as harmful. Do NOT install it.
Malicious skills may:
unknown - Not Yet Audited ⚠️The skill has not been security audited yet. Escalate to the user for review and approval.
Inform the user:
Do not install without user approval.
After installing Clawdex, it's a good idea to audit all skills you've already installed. Some may have been installed before security checks were available.
List your installed skills and check each one:
# List installed skills
ls ~/.openclaw/skills/
# or ~/.clawdbot/skills/
# Check each one
for skill in $(ls ~/.clawdbot/skills/); do
echo "Checking: $skill"
curl -s "https://clawdex.koi.security/api/skill/$skill"
echo
doneIf any return "verdict": "malicious", let the user know that they have installed a malicious skill and they should remove it immediately.
# Check if "database-helper" is safe
$ curl -s "https://clawdex.koi.security/api/skill/database-helper"
{"verdict": "benign"}
# Safe! Install it
$ clawhub install database-helper# Check a suspicious skill
$ curl -s "https://clawdex.koi.security/api/skill/free-crypto-bot"
{"verdict": "malicious"}
# DO NOT install!Koi provides endpoint security for extensions, packages, and MCPs. Clawdex verdicts are powered by Wings, our agentic AI risk engine.
Generated Mar 1, 2026
Developers integrating third-party packages from repositories like ClawHub can use Clawdex to verify safety before installation, preventing supply chain attacks. This is critical in DevOps pipelines where automated deployments could introduce malware, ensuring only audited code enters production environments.
IT departments in large organizations can implement Clawdex to audit and monitor all installed skills across employee workstations, ensuring compliance with security policies. It helps detect and remove malicious skills that may have been installed before security protocols were established, reducing insider threat risks.
Universities and training centers using ClawHub for AI or coding courses can integrate Clawdex to provide a safe learning environment. Instructors can pre-check skills for students, preventing accidental installation of harmful tools that could compromise lab systems or steal sensitive data.
Independent contractors and freelancers who rely on ClawHub skills for client projects can use Clawdex to verify each skill's safety, protecting both their own systems and client data. This adds a layer of trust and professionalism, especially when handling sensitive information like databases or APIs.
Offer basic Clawdex API queries for free to individual users, with premium tiers providing higher rate limits, detailed reports, and historical data for enterprises. Revenue comes from subscription fees, encouraging adoption while monetizing advanced features for businesses needing scalable security.
Sell annual licenses to corporations for integrating Clawdex into their internal security tools and workflows, including custom integrations and dedicated support. This model targets large organizations with strict compliance needs, generating steady revenue through tailored security solutions.
Provide consulting services to help companies implement Clawdex for auditing their existing skill inventories and developing security policies. Revenue is generated through project-based fees and ongoing maintenance contracts, leveraging Koi's expertise in AI risk management.
💬 Integration Tip
Integrate Clawdex checks into automated CI/CD pipelines using curl commands or API calls to block unsafe skills before deployment, ensuring seamless security validation without manual intervention.
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
Perform a comprehensive read-only security audit of Clawdbot's own configuration. This is a knowledge-based skill that teaches Clawdbot to identify hardening opportunities across the system. Use when user asks to "run security check", "audit clawdbot", "check security hardening", or "what vulnerabilities does my Clawdbot have". This skill uses Clawdbot's internal capabilities and file system access to inspect configuration, detect misconfigurations, and recommend remediations. It is designed to be extensible - new checks can be added by updating this skill's knowledge.
Use when reviewing code for security vulnerabilities, implementing authentication flows, auditing OWASP Top 10, configuring CORS/CSP headers, handling secrets, input validation, SQL injection prevention, XSS protection, or any security-related code review.
Scan Clawdbot and MCP skills for malware, spyware, crypto-miners, and malicious code patterns before you install them. Security audit tool that detects data exfiltration, system modification attempts, backdoors, and obfuscation techniques.
Safe command execution for OpenClaw Agents with automatic danger pattern detection, risk assessment, user approval workflow, and audit logging. Use when agen...