Is your ClawHub skill safe? — OpenClaw skill security check

In February 2026, the ClawHavoc supply-chain attack put a large number of malware-laden skills (an AMOS infostealer payload) into ClawHub, the OpenClaw skill marketplace. Before an agent installs or invokes a third-party skill, it should be checked.

Dominion gives any ClawHub skill a single PASS / UNCERTAIN / FAIL verdict, aggregating the registry's own published security scan (VirusTotal + model), moderation verdict, and provenance.

Check a skill:

API: GET /v1/trust?registry=clawhub&skill={slug} → JSON

How the verdict works

FAIL — the skill's security scan is malicious/suspicious, or ClawHub moderation/verify blocked it. A hard fail regardless of popularity.
UNCERTAIN — no security scan on record yet (unverified). Never silently treated as safe.
PASS — security scan clean (VirusTotal/model benign) and provenance resolved.

Embed a safety badge

Skill authors and list maintainers can show a live safety badge. Markdown:

![ClawHub Safety](https://dominion-observatory.sgdata.workers.dev/badge/clawhub/calendar)

Disclaimer

This is a supply-chain trust score derived from ClawHub's own published scan/moderation data (skills are packages, not live endpoints we probe). Source signals can change — re-check before relying on a result. Independent score by Dominion Observatory; not affiliated with or endorsed by OpenClaw / ClawHub.

Check a ClawHub (OpenClaw) skill before you install it

How the verdict works

Embed a safety badge

Disclaimer