Trust Verifier

Trust, but verify. Assess the trustworthiness of a ClawHub skill by analyzing its publisher, history, dependencies, and consistency.

Why This Exists

Security scanning catches known malicious patterns. But what about skills that are technically clean but published by unknown authors, have inconsistent version histories, or depend on untrusted packages? Trust Verifier fills the gap between "no vulnerabilities detected" and "safe to install."

Commands

Assess trust for a skill directory

python3 {baseDir}/scripts/trust_verifier.py assess --path ~/.openclaw/skills/some-skill/

Generate a trust attestation

python3 {baseDir}/scripts/trust_verifier.py attest --path ~/.openclaw/skills/some-skill/ --output trust.json

Verify an existing attestation

python3 {baseDir}/scripts/trust_verifier.py verify --attestation trust.json --path ~/.openclaw/skills/some-skill/

Check dependency trust chain

python3 {baseDir}/scripts/trust_verifier.py deps --path ~/.openclaw/skills/some-skill/

Trust Signals

• Publisher reputation: Known vs unknown publisher, account age, skill count
• Version consistency: Do updates match expected patterns? Sudden permission changes?
• Content integrity: SHA-256 hashes of all files, reproducible builds
• Dependency chain: Are dependencies from trusted sources?
• Community signals: Moltbook mentions, upvotes, known endorsements

Trust Levels

• VERIFIED — Meets all trust criteria, attestation valid
• TRUSTED — Most signals positive, minor gaps
• UNKNOWN — Insufficient data to assess trust
• SUSPICIOUS — One or more trust signals failed
• UNTRUSTED — Multiple trust failures, do not install