clawdex-by-koi

Verified·Scanned 2/19/2026

Security check for ClawHub skills powered by Koi. Query the Clawdex API before installing any skill to verify it's safe.

from clawhub.ai·v1.0.0·2.8 KB·0 installs
Scanned from 1.0.2 at e110b1c · Transparency log ↗
$ vett add clawhub.ai/wearekoi/clawdex-by-koi

Clawdex

Security check for ClawHub skills, powered by Koi.

When to Use This Skill

Before installing ANY skill from ClawHub, query the Clawdex API to check if it's safe:

curl -s "https://clawdex.koi.security/api/skill/SKILL_NAME"

Replace SKILL_NAME with the skill you want to install.

API Response

The API returns a JSON object with a verdict field:

{
  "verdict": "benign" | "malicious" | "unknown"
}

How to Interpret the Verdict

benign - Safe to Install ✅

The skill has been audited and no malicious behavior was found. You can proceed with installation:

clawhub install SKILL_NAME

malicious - Do NOT Install 🚫

The skill has been flagged as harmful. Do NOT install it.

Malicious skills may:

  • Steal credentials or sensitive data
  • Install backdoors or reverse shells
  • Run crypto miners
  • Exfiltrate data to attacker-controlled servers
  • Trick you into running harmful commands

unknown - Not Yet Audited ⚠️

The skill has not been security audited yet. Escalate to the user for review and approval.

Inform the user:

  • This skill has not been audited by Clawdex
  • They should review the skill before approving installation
  • Ask for explicit approval before proceeding

Do not install without user approval.

Check Already-Installed Skills

After installing Clawdex, it's a good idea to audit all skills you've already installed. Some may have been installed before security checks were available.

List your installed skills and check each one:

# List installed skills
ls ~/.openclaw/skills/
# or ~/.clawdbot/skills/

# Check each one
for skill in $(ls ~/.clawdbot/skills/); do
  echo "Checking: $skill"
  curl -s "https://clawdex.koi.security/api/skill/$skill"
  echo
done

If any return "verdict": "malicious", let the user know that they have installed a malicious skill and they should remove it immediately.

Example

# Check if "database-helper" is safe
$ curl -s "https://clawdex.koi.security/api/skill/database-helper"
{"verdict": "benign"}

# Safe! Install it
$ clawhub install database-helper

# Check a suspicious skill
$ curl -s "https://clawdex.koi.security/api/skill/free-crypto-bot"
{"verdict": "malicious"}

# DO NOT install!

About Koi

Koi provides endpoint security for extensions, packages, and MCPs. Clawdex verdicts are powered by Wings, our agentic AI risk engine.