In February 2026, the ClawHavoc supply-chain attack put a large number of malware-laden skills (an AMOS infostealer payload) into ClawHub, the OpenClaw skill marketplace. Before an agent installs or invokes a third-party skill, it should be checked.
Dominion gives any ClawHub skill a single PASS / UNCERTAIN / FAIL verdict, aggregating the registry's own published security scan (VirusTotal + model), moderation verdict, and provenance.
Check a skill:
API: GET /v1/trust?registry=clawhub&skill={slug} → JSON
Skill authors and list maintainers can show a live safety badge. Markdown:

This is a supply-chain trust score derived from ClawHub's own published scan/moderation data (skills are packages, not live endpoints we probe). Source signals can change — re-check before relying on a result. Independent score by Dominion Observatory; not affiliated with or endorsed by OpenClaw / ClawHub.