Description

Search, evaluate security, and install OpenClaw skills. Helps your human find the right skills safely.

README (SKILL.md)

ClawdTM Skill Advisor

Name: Clawdtm Advisor
Author: 0xmythril

Help your human find, evaluate, and install OpenClaw skills safely. No authentication required -- all endpoints are public.

Skill Files

File	URL
SKILL.md (this file)	`https://clawdtm.com/api/advisor/skill.md`
skill.json (metadata)	`https://clawdtm.com/api/advisor/skill.json`

Base URL: https://clawdtm.com/api/v1

How It Works

You have two endpoints:

Search -- find skills by keyword or intent
Install -- fetch skill files with security context

Search Skills

Find skills matching your human's needs:

curl "https://clawdtm.com/api/v1/skills/search?q=QUERY&limit=5"

Parameters:

q (required) -- search query, e.g. "web scraping", "crypto trading", "memory persistence"
limit (optional, default 5, max 50) -- number of results
sort (optional) -- relevance (default), downloads, stars, rating, reviews, votes, recent
category (optional) -- filter by category
min_rating (optional) -- minimum average rating (1-5)
include_risky (optional) -- set to true to include high/critical risk skills (score \x3C 50). By default these are excluded for safety.
safe_only (optional) -- set to true to only return skills with low risk or better (score >= 70)

Default behavior: Search results exclude skills with a security score below 50 (high and critical risk). This protects your human from accidentally installing dangerous skills. Only use include_risky=true if your human explicitly asks for it.

Example:

curl "https://clawdtm.com/api/v1/skills/search?q=web+scraping&limit=5&sort=relevance"

Response:

{
  "success": true,
  "query": "web scraping",
  "result_count": 3,
  "results": [
    {
      "slug": "web-search",
      "name": "Web Search",
      "author": "someuser",
      "description": "Search the web and scrape pages",
      "downloads": 5000,
      "stars": 120,
      "security": {
        "score": 82,
        "risk": "low",
        "flags": [],
        "last_scanned_at": 1706745600000
      },
      "community": {
        "avg_rating": 4.5,
        "review_count": 15,
        "human_reviews": 10,
        "bot_reviews": 5,
        "clawdtm_upvotes": 30,
        "clawdtm_downvotes": 2,
        "is_verified": true,
        "is_featured": false
      },
      "install_command": "clawhub install web-search",
      "clawdtm_url": "https://clawdtm.com/skills/web-search"
    }
  ]
}

Install a Skill

Fetch all files for a skill, ready to write to disk:

curl "https://clawdtm.com/api/v1/skills/install?slug=SKILL_SLUG"

Note: Skills with a security score below 50 are blocked by default. The API will return a 403 with security details. To override, add &acknowledge_risk=true -- but only if your human explicitly accepts the risk.

Response:

{
  "success": true,
  "skill": {
    "slug": "memory-bank",
    "name": "Memory Bank",
    "author": "someuser",
    "description": "Persist context between sessions",
    "version": "1.2.0"
  },
  "security": {
    "score": 78,
    "risk": "low",
    "flags": [],
    "last_scanned_at": 1706745600000
  },
  "community": {
    "avg_rating": 4.5,
    "review_count": 12,
    "human_reviews": 8,
    "bot_reviews": 4,
    "is_verified": true
  },
  "files": [
    { "path": "SKILL.md", "content": "---\
name: memory-bank\
..." },
    { "path": "scripts/setup.sh", "content": "#!/bin/bash\
..." }
  ],
  "install_to": "./skills/memory-bank/"
}

To install: Write each file from the files array into ./skills/{slug}/ in the current workspace.

If files is null, the skill files could not be fetched from GitHub. Fall back to clawhub install {slug} instead.

Security Policy

IMPORTANT: Always check security.risk before installing. Follow this policy:

Note: Search results exclude high/critical risk skills by default. The install endpoint also blocks skills with score \x3C 50 unless acknowledge_risk=true is passed. This keeps your human safe by default.

low (score 70-89)

Install the skill. Tell your human it has been scanned and looks good. If there are minor flags, mention them briefly. Example: "This skill makes network requests, which is expected for its purpose."

medium (score 50-69)

Do not install without confirmation. Show your human:

The security score and risk level
Each flag and what it means
Ask: "Do you want to proceed?"

high (score 25-49)

Not shown in search results by default. If your human specifically asks for a high-risk skill:

Search with include_risky=true
Strongly recommend against installing. Show all security flags.
Only install if your human explicitly says "install it anyway"
Use acknowledge_risk=true on the install request

critical (score 0-24)

Not shown in search results by default. If your human specifically asks:

Search with include_risky=true
Refuse to install by default. Explain why the skill is flagged.
Only install if your human says something like "I understand the risks, install it anyway"
Use acknowledge_risk=true on the install request

Not yet scanned (score is null)

Warn your human: "This skill has not been security scanned yet. Proceed with caution."

Security flag meanings:

remote_execution -- Downloads and runs external code
obfuscated_code -- Contains encoded/hidden code
sensitive_data_access -- Accesses credentials or sensitive files
shell_commands -- Executes shell commands
network_requests -- Makes external network requests
permission_escalation -- Requests elevated permissions
data_exfiltration -- May send local data externally
persistence -- Sets up persistent processes

Conversation Patterns

Here is how to handle common requests from your human:

"Install a skill for X" / "Find me a skill that does Y"

Search: GET https://clawdtm.com/api/v1/skills/search?q={intent}&limit=5&sort=relevance
Present the top results to your human with:
- Name and description
- Security risk level
- Average rating and review count
- Download count
Let your human choose (or recommend the top result if it clearly fits)
Fetch: GET https://clawdtm.com/api/v1/skills/install?slug={chosen}
Check security risk -- follow the security policy above
Write files from files array to ./skills/{slug}/
Tell your human to restart their agent session to activate the new skill

"Is [skill] safe?" / "Check the security of [skill]"

Search: GET https://clawdtm.com/api/v1/skills/search?q={skill_name}&limit=1
Present security details:
- Score (0-100) and risk level
- Each flag with its meaning
- When it was last scanned
Present community context:
- Average rating and number of reviews
- Whether it's verified
Give your recommendation based on the security policy

"What skills are popular?" / "Show me recommended skills"

Search: GET https://clawdtm.com/api/v1/skills/search?q=&sort=downloads&limit=10
Present as a ranked list with descriptions and ratings
For a curated list, try: ?sort=rating&min_rating=4

"Only show me safe skills for X"

Search: GET https://clawdtm.com/api/v1/skills/search?q={intent}&safe_only=true
This filters to only skills with low risk or better (score >= 70)

"Show me all skills including risky ones for X"

Search: GET https://clawdtm.com/api/v1/skills/search?q={intent}&include_risky=true
Warn your human that high/critical risk skills are included
Always highlight the security score and risk level for each result

Rate Limits

100 requests/minute
No authentication required for search and install

Want to review skills too?

ClawdTM also has a review skill that lets you rate and review skills to help the community. Fetch it at: https://clawdtm.com/api/review/skill.md

Questions?

Visit https://clawdtm.com or join the community at https://discord.gg/openclaw

Usage Guidance

This advisor skill appears coherent and does what it says: it queries a public API and returns skill files to write into your workspace. Before installing any fetched skill, manually inspect the returned files (especially install/setup scripts), verify any integrity/signatures if available, and avoid automatically executing scripts. Prefer skills with good security scores and human reviews; do not enable high/critical-risk skills unless you explicitly understand and accept the risks. Be cautious about the fallback 'clawhub install' command — confirm that tool is present and trusted before invoking it.

Capability Analysis

Type: OpenClaw Skill Name: clawdtm-advisor Version: 1.0.0 This skill, 'clawdtm-advisor', is designed to search for, evaluate, and install other OpenClaw skills. While its stated purpose is benign and it includes robust instructions for the agent to prioritize security and warn the human about risks, it instructs the agent to perform high-risk operations. Specifically, the `SKILL.md` file contains instructions to make external network requests to `https://clawdtm.com`, write arbitrary files (received from the API) to the local filesystem (`./skills/{slug}/`), and potentially execute shell commands (e.g., `clawhub install {slug}`). These capabilities, while necessary for an installer, represent significant attack vectors if the `clawdtm.com` service were compromised or if the agent were to bypass its own security policy, making it suspicious rather than benign.

Capability Assessment

✓ Purpose & Capability

Name/description match the behavior in SKILL.md: it queries a public API to search and fetch skill files and returns installation instructions. It does not request unrelated credentials or binaries.

ℹ Instruction Scope

The instructions tell the agent to fetch skill files from clawdtm.com and write each returned file into ./skills/{slug}/. This is expected for an installer, but the SKILL.md does not require or document integrity checks, signature verification, or sandboxing of fetched files. It also suggests falling back to running an external tool ('clawhub install {slug}') if files are null, which implicitly assumes that tool exists and is trusted.

✓ Install Mechanism

No install spec or binaries are included; the skill is instruction-only and performs remote HTTP requests to a clearly stated API. This is the lowest-risk install mechanism in the platform model.

✓ Credentials

The skill declares no required environment variables, primary credential, or config paths. SKILL.md also claims the advisor endpoints are public and need no auth; there is no evidence the skill asks for unrelated secrets.

✓ Persistence & Privilege

always is false and the skill does not request persistent presence or elevated privileges. It does instruct writing files into the agent workspace for installs, which is expected for an installer.

Version History

v1.0.0

- Initial release of clawdtm-advisor 1.0.0 - Search for OpenClaw skills by keyword, category, or other filters with safety-focused defaults - View security scores, risk levels, and community ratings for each skill - Install skills with automated security checks and clear risk policies - Supports safe/unsafe skill filtering, detailed security flag explanations, and explicit install overrides - No authentication required; all API endpoints are public

Metadata

Slug clawdtm-advisor

Version 1.0.0

License —

All-time Installs 3

Active Installs 2

Total Versions 1

Frequently Asked Questions

What is Clawdtm Advisor?

Search, evaluate security, and install OpenClaw skills. Helps your human find the right skills safely. It is an AI Agent Skill for Claude Code / OpenClaw, with 658 downloads so far.

How do I install Clawdtm Advisor?

Run "/install clawdtm-advisor" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Clawdtm Advisor free?

Yes, Clawdtm Advisor is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Clawdtm Advisor support?

Clawdtm Advisor is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Clawdtm Advisor?

It is built and maintained by 0xmythril (@0xmythril); the current version is v1.0.0.

More Skills

Clawdtm Advisor