v1.0.2

Clawdex by Koi

wearekoi wearekoi ← All skills

Security check for ClawHub skills powered by Koi. Query the Clawdex API before installing any skill to verify it's safe.

Downloads
2.2k
Stars
1
Versions
3
Updated
2026-02-24

Install

npx clawhub@latest install clawdex

Documentation

Clawdex

Security check for ClawHub skills, powered by [Koi](https://www.koi.ai/).

When to Use This Skill

Before installing ANY skill from ClawHub, query the Clawdex API to check if it's safe: 
curl -s "https://clawdex.koi.security/api/skill/SKILL_NAME"

Replace SKILL_NAME with the skill you want to install.

API Response

The API returns a JSON object with a verdict field:

{

  "verdict": "benign" | "malicious" | "unknown"


}

How to Interpret the Verdict

benign - Safe to Install ✅

The skill has been audited and no malicious behavior was found. You can proceed with installation:

clawhub install SKILL_NAME

malicious - Do NOT Install 🚫

The skill has been flagged as harmful. Do NOT install it.

Malicious skills may:

  • -Steal credentials or sensitive data
  • -Install backdoors or reverse shells
  • -Run crypto miners
  • -Exfiltrate data to attacker-controlled servers
  • -Trick you into running harmful commands

unknown - Not Yet Audited ⚠️

The skill has not been security audited yet. Escalate to the user for review and approval.

Inform the user:

  • -This skill has not been audited by Clawdex
  • -They should review the skill before approving installation
  • -Ask for explicit approval before proceeding

Do not install without user approval.

Check Already-Installed Skills

After installing Clawdex, it's a good idea to audit all skills you've already installed. Some may have been installed before security checks were available.

List your installed skills and check each one:

List installed skills


ls ~/.openclaw/skills/


or ~/.clawdbot/skills/



Check each one


for skill in $(ls ~/.clawdbot/skills/); do


  echo "Checking: $skill"


  curl -s "https://clawdex.koi.security/api/skill/$skill"


  echo


done

If any return "verdict": "malicious", let the user know that they have installed a malicious skill and they should remove it immediately.

Example

Check if "database-helper" is safe


$ curl -s "https://clawdex.koi.security/api/skill/database-helper"


{"verdict": "benign"}



Safe! Install it


$ clawhub install database-helper


Check a suspicious skill


$ curl -s "https://clawdex.koi.security/api/skill/free-crypto-bot"


{"verdict": "malicious"}



DO NOT install!

About Koi

[Koi](https://www.koi.ai/) provides endpoint security for extensions, packages, and MCPs. Clawdex verdicts are powered by Wings, our agentic AI risk engine.

Launch an agent with Clawdex by Koi on Termo.

Use this skill View on ClawHub