ClawSkills logoClawSkills

Clawdex by Koi

Security check for ClawHub skills powered by Koi. Query the Clawdex API before installing any skill to verify it's safe.

Visit Website

Introduction

# Clawdex

Security check for ClawHub skills, powered by [Koi](https://www.koi.ai/).

## When to Use This Skill

**Before installing ANY skill from ClawHub**, query the Clawdex API to check if it's safe:

```bash curl -s "https://clawdex.koi.security/api/skill/SKILL_NAME" ```

Replace `SKILL_NAME` with the skill you want to install.

## API Response

The API returns a JSON object with a `verdict` field:

```json { "verdict": "benign" | "malicious" | "unknown" } ```

## How to Interpret the Verdict

### `benign` - Safe to Install ✅

The skill has been audited and no malicious behavior was found. You can proceed with installation:

```bash clawhub install SKILL_NAME ```

### `malicious` - Do NOT Install 🚫

The skill has been flagged as harmful. **Do NOT install it.**

Malicious skills may:

- Steal credentials or sensitive data - Install backdoors or reverse shells - Run crypto miners - Exfiltrate data to attacker-controlled servers - Trick you into running harmful commands

### `unknown` - Not Yet Audited ⚠️

The skill has not been security audited yet. **Escalate to the user for review and approval.**

Inform the user:

- This skill has not been audited by Clawdex - They should review the skill before approving installation - Ask for explicit approval before proceeding

Do not install without user approval.

## Check Already-Installed Skills

After installing Clawdex, it's a good idea to audit all skills you've already installed. Some may have been installed before security checks were available.

List your installed skills and check each one:

```bash # List installed skills ls ~/.openclaw/skills/ # or ~/.clawdbot/skills/

# Check each one for skill in $(ls ~/.clawdbot/skills/); do echo "Checking: $skill" curl -s "https://clawdex.koi.security/api/skill/$skill" echo done ```

If any return `"verdict": "malicious"`, let the user know that they have installed a malicious skill and they should remove it immediately.

## Example

```bash # Check if "database-helper" is safe $ curl -s "https://clawdex.koi.security/api/skill/database-helper" {"verdict": "benign"}

# Safe! Install it $ clawhub install database-helper ```

```bash # Check a suspicious skill $ curl -s "https://clawdex.koi.security/api/skill/free-crypto-bot" {"verdict": "malicious"}

# DO NOT install! ```

## About Koi

[Koi](https://www.koi.ai/) provides endpoint security for extensions, packages, and MCPs. Clawdex verdicts are powered by Wings, our agentic AI risk engine.

Back

More Products

Obsidian

Security & Passwords

Work with Obsidian vaults (plain Markdown notes) and automate via obsidian-cli.

10.8K

Mcporter

Security & Passwords

Use the mcporter CLI to list, configure, auth, and call MCP servers/tools directly (HTTP or stdio), including ad-hoc servers, config edits, and CLI/type generat

9.7K

YouTube

Security & Passwords

YouTube Data API integration with managed OAuth. Search videos, manage playlists, access channel data, and interact with comments. Use this skill when users wan

8.5K