โ† Back to Skills Marketplace
anecdotes-yair

TrustMyAgent

by Anecdotes-Yair · GitHub · v1.0.0
cross-platform ✓ Security Clean
Downloads: 327
Stars: 0
Active Installs: 1
Versions: 1
Install in OpenClaw
/install trust-my-agent-ai
Description
๐Ÿ›ก๏ธ TrustMyAgent - Security posture monitoring for AI agents. Runs 41 stateless checks across 14 domains and calculates a trust score (0-100). Supports local...
Usage Guidance
This skill appears to be what it claims: a local, stateless posture scanner that reads a lot of host state and can optionally send an aggregated telemetry report. Before installing, consider:
  1. Run the tool in --dry-run and --local-only modes first to inspect the JSON payload it would send.
  2. Review which local files it reads (shell histories, ~/.ssh, ~/.netrc, OpenClaw config paths, session transcripts) and confirm you're comfortable with those reads.
  3. If you enable telemetry, verify the Trust Center endpoint and ensure you accept sending derived indicators (not raw secrets) and an agent identifier derived from your hostname.
  4. The Linux install entry in the manifest is unusual; prefer to manually ensure python3 is available rather than allowing any automatic install step you don't understand.
  5. If you do schedule recurring runs, pick an interval you want (the default suggestion is every 15 minutes).
If you want more assurance, inspect run.py and the checks JSON locally (they are bundled) or run it in an isolated environment or container first.
Capability Analysis
Type: OpenClaw Skill
Name: trust-my-agent-ai
Version: 1.0.0
The OpenClaw skill 'trust-my-agent-ai' is a security posture monitoring tool. Its code (`run.py`) and documentation (`SKILL.md`, `README.md`) consistently align with its stated purpose of performing read-only security checks, calculating a trust score, and optionally reporting non-sensitive telemetry to a public dashboard. The `SKILL.md` explicitly instructs the AI agent to seek user approval before executing commands or sending data, mitigating prompt injection risks. The Python code includes robust internal security features, such as `validate_command()` to prevent shell injection in bash checks and `MSG-003` to detect obfuscation and dangerous patterns in *other* installed skills. While `run.py`'s `get_ssl_context()` function has a fallback to an unverified SSL context, this is a vulnerability (MITM risk) in degraded environments rather than an indicator of malicious intent, as it attempts to ensure the skill can still function. All network calls and file system access are justified by the security monitoring functionality, and sensitive data is explicitly excluded from telemetry.
Capability Assessment
ℹ Purpose & Capability
The skill's name/description (security posture monitoring, 41 checks) aligns with the code and bundled checks which inspect system state (network, secrets, files, OpenClaw-specific configs) and optionally send aggregated telemetry. One minor inconsistency: the install spec uses two entries for providing python3 (a Homebrew entry for macOS and a 'node' kind labeled python3-apt for Linux). The Linux install kind is unusual but likely intended to mean 'use system package' rather than a NodeJS package.
ℹ Instruction Scope
SKILL.md instructs explicit dry-run, local-only, and consent-before-send flows and the code implements many read-only checks. The skill reads sensitive local artifacts (shell histories, ~/.ssh, ~/.netrc, checks for /proc and /var/run/kubernetes tokens, IDENTITY.md and OpenClaw config paths, session transcripts/MCP config if present). This is expected for a posture scanner but is high-privilege read access. SKILL.md states no file contents are sent and only boolean or derived info is transmitted; the code appears to perform env and file scanning locally and only transmit aggregated fields (score, check ids, booleans, detection metadata) when telemetry is enabled.
✓ Install Mechanism
No remote downloads or package installs beyond standard system Python are required. run.py uses only stdlib and the checks are bundled. The Homebrew formula for python3 on macOS is reasonable; the Linux path is declared oddly but appears to rely on system python3 (no third-party pip/npm installs). No extract-from-URL or arbitrary binaries are fetched.
ℹ Credentials
The skill requires the 'openssl' binary for TLS checks (reasonable). It requests no credentials or env vars to be provided, but the runtime reads environment variables and many local files (histories, SSH files, ~/.openclaw, IDENTITY.md, /proc, possible MCP/session transcripts) to detect issues. That read access is proportionate to a posture scanner but you should expect it to see many sensitive items locally; the project claims it will not transmit raw secrets, only indicators and aggregated results.
✓ Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. SKILL.md suggests optionally scheduling recurring runs (cron) if the user consents; the skill itself does not set always:true nor automatically persist credentials or force persistent presence. It also documents local-only/dry-run modes and requests explicit consent before sending telemetry.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install trust-my-agent-ai
  3. After installation, invoke the skill by name or use /trust-my-agent-ai
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of TrustMyAgent – security posture monitoring for AI agents.
- Runs 41 stateless, read-only security checks across 14 domains.
- Calculates and displays a trust score (0–100) and detailed pass/fail status for each check.
- Supports dry-run mode for previewing results before sending, and local-only mode for full privacy (no network calls).
- Guides users interactively through setup, running assessments, telemetry options, and optional scheduled scans.
- All check logic and telemetry data formats are fully open source and transparent.
Metadata
Slug trust-my-agent-ai
Version 1.0.0
License -
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is TrustMyAgent?

๐Ÿ›ก๏ธ TrustMyAgent - Security posture monitoring for AI agents. Runs 41 stateless checks across 14 domains and calculates a trust score (0-100). Supports local... It is an AI Agent Skill for Claude Code / OpenClaw, with 327 downloads so far.

How do I install TrustMyAgent?

Run "/install trust-my-agent-ai" in the OpenClaw or Claude Code chat to install it in one step; no extra setup required.

Is TrustMyAgent free?

Yes, TrustMyAgent is completely free (open-source). You can download, install and use it at no cost.

Which platforms does TrustMyAgent support?

TrustMyAgent is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created TrustMyAgent?

It is built and maintained by Anecdotes-Yair (@anecdotes-yair); the current version is v1.0.0.
