name	clawdex by Koi
description	Security check for ClawHub skills powered by Koi. Query the Clawdex API before installing any skill to verify it's safe.
version	1.0.0
author	Koi Security
authorUrl	https://www.koi.ai/
homepage	https://www.koi.ai/
license	MIT
metadata	{"openclaw":{"emoji":"🛡️","category":"security"}}
tags	["security","clawhub","malware-detection"]

Clawdex

Security check for ClawHub skills, powered by Koi.

When to Use This Skill

Before installing ANY skill from ClawHub, query the Clawdex API to check if it's safe:

curl -s "https://clawdex.koi.security/api/skill/SKILL_NAME"

Replace SKILL_NAME with the skill you want to install.

API Response

The API returns a JSON object with a verdict field:

{
  "verdict": "benign" | "malicious" | "unknown"
}

How to Interpret the Verdict

`benign` - Safe to Install ✅

The skill has been audited and no malicious behavior was found. You can proceed with installation:

clawhub install SKILL_NAME

`malicious` - Do NOT Install 🚫

The skill has been flagged as harmful. Do NOT install it.

Malicious skills may:

Steal credentials or sensitive data
Install backdoors or reverse shells
Run crypto miners
Exfiltrate data to attacker-controlled servers
Trick you into running harmful commands

`unknown` - Not Yet Audited ⚠️

The skill has not been security audited yet. Escalate to the user for review and approval.

Inform the user:

This skill has not been audited by Clawdex
They should review the skill before approving installation
Ask for explicit approval before proceeding

Do not install without user approval.

Check Already-Installed Skills

After installing Clawdex, it's a good idea to audit all skills you've already installed. Some may have been installed before security checks were available.

List your installed skills and check each one:

# List installed skills
ls ~/.openclaw/skills/
# or ~/.clawdbot/skills/

# Check each one
for skill in $(ls ~/.clawdbot/skills/); do
  echo "Checking: $skill"
  curl -s "https://clawdex.koi.security/api/skill/$skill"
  echo
done

If any return "verdict": "malicious", let the user know that they have installed a malicious skill and they should remove it immediately.

Example

# Check if "database-helper" is safe
$ curl -s "https://clawdex.koi.security/api/skill/database-helper"
{"verdict": "benign"}

# Safe! Install it
$ clawhub install database-helper

# Check a suspicious skill
$ curl -s "https://clawdex.koi.security/api/skill/free-crypto-bot"
{"verdict": "malicious"}

# DO NOT install!

About Koi

Koi provides endpoint security for extensions, packages, and MCPs. Clawdex verdicts are powered by Wings, our agentic AI risk engine.

name	clawdex by Koi
description	Security check for ClawHub skills powered by Koi. Query the Clawdex API before installing any skill to verify it's safe.
version	1.0.0
author	Koi Security
authorUrl	https://www.koi.ai/
homepage	https://www.koi.ai/
license	MIT
metadata	{"openclaw":{"emoji":"🛡️","category":"security"}}
tags	["security","clawhub","malware-detection"]

Clawdex

Security check for ClawHub skills, powered by Koi.

When to Use This Skill

Before installing ANY skill from ClawHub, query the Clawdex API to check if it's safe:

curl -s "https://clawdex.koi.security/api/skill/SKILL_NAME"

Replace SKILL_NAME with the skill you want to install.

API Response

The API returns a JSON object with a verdict field:

{
  "verdict": "benign" | "malicious" | "unknown"
}

How to Interpret the Verdict

`benign` - Safe to Install ✅

The skill has been audited and no malicious behavior was found. You can proceed with installation:

clawhub install SKILL_NAME

`malicious` - Do NOT Install 🚫

The skill has been flagged as harmful. Do NOT install it.

Malicious skills may:

Steal credentials or sensitive data
Install backdoors or reverse shells
Run crypto miners
Exfiltrate data to attacker-controlled servers
Trick you into running harmful commands

`unknown` - Not Yet Audited ⚠️

The skill has not been security audited yet. Escalate to the user for review and approval.

Inform the user:

This skill has not been audited by Clawdex
They should review the skill before approving installation
Ask for explicit approval before proceeding

Do not install without user approval.

Check Already-Installed Skills

After installing Clawdex, it's a good idea to audit all skills you've already installed. Some may have been installed before security checks were available.

List your installed skills and check each one:

# List installed skills
ls ~/.openclaw/skills/
# or ~/.clawdbot/skills/

# Check each one
for skill in $(ls ~/.clawdbot/skills/); do
  echo "Checking: $skill"
  curl -s "https://clawdex.koi.security/api/skill/$skill"
  echo
done

If any return "verdict": "malicious", let the user know that they have installed a malicious skill and they should remove it immediately.

Example

# Check if "database-helper" is safe
$ curl -s "https://clawdex.koi.security/api/skill/database-helper"
{"verdict": "benign"}

# Safe! Install it
$ clawhub install database-helper

# Check a suspicious skill
$ curl -s "https://clawdex.koi.security/api/skill/free-crypto-bot"
{"verdict": "malicious"}

# DO NOT install!

About Koi

Koi provides endpoint security for extensions, packages, and MCPs. Clawdex verdicts are powered by Wings, our agentic AI risk engine.

clawdex-by-koi

Clawdex

When to Use This Skill

API Response

How to Interpret the Verdict

benign - Safe to Install ✅

malicious - Do NOT Install 🚫

unknown - Not Yet Audited ⚠️

Check Already-Installed Skills

Example

About Koi

Clawdex

When to Use This Skill

API Response

How to Interpret the Verdict

benign - Safe to Install ✅

malicious - Do NOT Install 🚫

unknown - Not Yet Audited ⚠️

Check Already-Installed Skills

Example

About Koi

`benign` - Safe to Install ✅

`malicious` - Do NOT Install 🚫

`unknown` - Not Yet Audited ⚠️

`benign` - Safe to Install ✅

`malicious` - Do NOT Install 🚫

`unknown` - Not Yet Audited ⚠️