Search, evaluate security, and install OpenClaw skills. Helps your human find the right skills safely.
Security Analysis
medium confidence
The skill is internally consistent with its stated purpose (searching, evaluating, and fetching skills from a public advisor API); it is instruction-only and requests no credentials, but installers should still review fetched files before writing/executing them.
Name/description match the behavior in SKILL.md: it queries a public API to search and fetch skill files and returns installation instructions. It does not request unrelated credentials or binaries.
The instructions tell the agent to fetch skill files from clawdtm.com and write each returned file into ./skills/{slug}/. This is expected for an installer, but the SKILL.md does not require or document integrity checks, signature verification, or sandboxing of fetched files. It also suggests falling back to running an external tool ('clawhub install {slug}') if files are null, which implicitly assumes that tool exists and is trusted.
No install spec or binaries are included; the skill is instruction-only and performs remote HTTP requests to a clearly stated API. This is the lowest-risk install mechanism in the platform model.
The skill declares no required environment variables, primary credential, or config paths. SKILL.md also claims the advisor endpoints are public and need no auth; there is no evidence the skill asks for unrelated secrets.
'always' is false and the skill does not request persistent presence or elevated privileges. It does instruct writing files into the agent workspace for installs, which is expected for an installer.
Guidance
This advisor skill appears coherent and does what it says: it queries a public API and returns skill files to write into your workspace. Before installing any fetched skill, manually inspect the returned files (especially install/setup scripts), verify any integrity/signatures if available, and avoid automatically executing scripts. Prefer skills with good security scores and human reviews; do not enable high/critical-risk skills unless you explicitly understand and accept the risks. Be cautious about the fallback 'clawhub install' command — confirm that tool is present and trusted before invoking it.
Latest Release
v1.0.0
- Initial release of clawdtm-advisor 1.0.0
- Search for OpenClaw skills by keyword, category, or other filters with safety-focused defaults
- View security scores, risk levels, and community ratings for each skill
- Install skills with automated security checks and clear risk policies
- Supports safe/unsafe skill filtering, detailed security flag explanations, and explicit install overrides
- No authentication required; all API endpoints are public
Published by @0xmythril on ClawHub