How we analyze every skill for security, permissions, and risk
Examples: Weather, Web Search, News
Examples: Telegram, Discord, GitHub
Examples: Docker, Agent Zero, Wallets
Author verification, license, repository history, update frequency, community trust signals
Purpose clarity, scope boundaries, feature completeness, edge case handling
External APIs called, data exfiltration risk, HTTPS usage, domain restrictions
Read/write paths, sensitive location access (~/.clawdbot/, ~/.ssh/), scope limitations
Shell execution, subprocess spawning, environment variable access, system calls
API key requirements, password storage, encryption at rest, secure transmission
YARA rules, hardcoded secrets, suspicious imports, obfuscation detection
Organization, documentation, test coverage, error handling, complexity metrics
Dependency audit, vulnerability scanning, dependency pinning, reputable sources
Weighted algorithm across 6 factors: network (20%), filesystem (20%), system (25%), credentials (20%), maturity (10%), author (5%)
Get the SecureSkills Verified badge and build trust with the agent community.