trust-decay-monitor
Helps track how AI skill verification results decay over time. A "verified" badge from 18 months ago may be meaningless today — dependencies updated, new attack vectors emerged, the ecosystem changed. Trust has a half-life.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/andyxinweiminicloud/trust-decay-monitor
What This Skill Does
The trust-decay-monitor skill is a vital utility for any agentic architecture that relies on third-party integrations. In the fast-paced ecosystem of AI agents, a security badge is often a snapshot in time. This skill calculates the "trust half-life" of your installed agent skills by cross-referencing audit dates against current dependency graphs, recent CVE disclosures, and infrastructure changes. Instead of relying on static verification labels, this monitor provides a dynamic freshness score, allowing your AI agent to automatically flag or quarantine skills that have drifted too far from their verified state.
Installation
To add this skill to your OpenClaw environment, execute the following command in your terminal:
clawhub install openclaw/skills/skills/andyxinweiminicloud/trust-decay-monitor
Once installed, you can grant the monitor permissions to scan your local skill manifest. It requires no complex configuration; however, for deep analysis, ensure your agent has network access to reach public CVE databases.
Use Cases
- Automated Security Auditing: Integrate this monitor into your CI/CD pipeline. Before a new agent deployment, the system checks if any active skills have a trust freshness score below 50, triggering an automatic re-verification request.
- Dependency Management: Monitor legacy skills that have not received updates in years but are still being used by your production agents. Use the report to identify which components are most likely to introduce vulnerabilities due to outdated sub-dependencies.
- Portfolio Risk Assessment: For enterprise users managing hundreds of agent skills, the tool provides a dashboard view of your entire organization’s trust posture, identifying "high risk" agents that need immediate patching.
Example Prompts
- "@trust-decay-monitor check the security freshness of my installed 'database-connector' skill and tell me if its dependencies have been compromised."
- "Run a portfolio-level trust audit on all skills authored by 'external-dev-group' and summarize the urgency of re-verification for each."
- "What is the trust score for the 'crypto-auth' module? If it is below 40, identify the specific CVEs that contributed to the score drop."
Tips & Limitations
- Pro-tip: Set up a recurring schedule. Run the trust-decay-monitor every Monday morning to catch weekend security bulletins and dependency updates.
- Limitations: The tool is as effective as the metadata provided. If a skill does not declare its dependencies or lacks an audit history, the monitor can only rely on time-based decay. Always verify critical alerts against primary security databases like NIST or GitHub Advisories.
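An added illustration, not the skill's own code or published formula: the sketch below combines time-based half-life decay with dependency and CVE signals, falls back to time-only decay when a skill declares no dependencies, and applies the below-50 re-verification gate from the use cases above. The 180-day half-life, the per-dependency and per-CVE multipliers, the `SkillRecord` fields and the sample manifest are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed parameters (not published by the skill); tune to your own risk appetite.
HALF_LIFE_DAYS = 180        # score halves every 180 days with no other signals
DEP_CHANGE_PENALTY = 0.95   # multiplier per dependency changed since the audit
CVE_PENALTY = 0.70          # multiplier per CVE disclosed since the audit
REVERIFY_THRESHOLD = 50     # CI gate taken from the "Use Cases" section

@dataclass
class SkillRecord:                      # hypothetical manifest entry
    name: str
    audited_on: Optional[date]          # None = no audit history
    deps_changed: Optional[int] = None  # None = dependencies not declared
    cves_since_audit: int = 0

def freshness_score(skill: SkillRecord, today: date) -> float:
    """Return a 0-100 freshness score; 0 when there is no audit to decay from."""
    if skill.audited_on is None:
        return 0.0
    age_days = max((today - skill.audited_on).days, 0)
    score = 100.0 * 0.5 ** (age_days / HALF_LIFE_DAYS)
    if skill.deps_changed is not None:  # otherwise time-based decay only
        score *= DEP_CHANGE_PENALTY ** skill.deps_changed
    score *= CVE_PENALTY ** skill.cves_since_audit
    return round(score, 1)

def needs_reverification(skills, today):
    """Names of skills scoring below the CI threshold, worst first."""
    scored = [(freshness_score(s, today), s.name) for s in skills]
    return [name for score, name in sorted(scored) if score < REVERIFY_THRESHOLD]

# Constructed sample manifest (skill names borrowed from the example prompts).
TODAY = date(2025, 1, 1)
SKILLS = [
    SkillRecord("database-connector", date(2024, 10, 3), deps_changed=2),
    SkillRecord("crypto-auth", date(2024, 7, 5), deps_changed=0, cves_since_audit=1),
    SkillRecord("legacy-parser", date(2023, 7, 1)),  # no dependency metadata
    SkillRecord("unaudited-tool", None),             # no audit history
]

if __name__ == "__main__":
    for s in SKILLS:
        print(f"{s.name:20} {freshness_score(s, TODAY):5.1f}")
    print("re-verify:", needs_reverification(SKILLS, TODAY))
```

A CI job can fail the build when `needs_reverification` returns a non-empty list, which is the gate the first use case describes.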
Metadata
Paste this into your clawhub.json to enable this plugin.
{
  "plugins": {
    "official-andyxinweiminicloud-trust-decay-monitor": {
      "enabled": true,
      "auto_update": true
    }
  }
}
Tags(AI)
Flags: network-access, data-collection
Related Skills
delta-disclosure-auditor
Helps verify that skill updates publish an auditable record of what changed — catching the gap between "the registry shows the new version" and "anyone can see what the new version changed relative to the old one." v1.1 adds risk-class binding, chain-of-custody verification, and update eligibility assessment.
capability-composition-analyzer
Helps identify dangerous capability combinations that emerge when agent skills are composed — catching the class of risk where no individual skill is harmful but their intersection creates an exfiltration or compromise path.
transparency-log-auditor
Helps verify that skill signing events are recorded in an independently auditable transparency log — catching the class of trust failures where a registry operator can silently rewrite history without detection.
behavioral-invariant-monitor
Helps verify that AI agent skills maintain consistent behavioral invariants across repeated executions — detecting the class of threat where a skill behaves safely during initial evaluation but shifts behavior based on execution count, environmental conditions, or delayed activation triggers. v1.3 adds performance fingerprinting (computational complexity drift detection), cryptographic audit trails (hash-chained behavior logs for immutable verification), and risk-proportional monitoring (sampling-based checks to reduce overhead).
skill-update-delta-monitor
Helps detect security-relevant changes in AI skills after installation. Tracks deltas between the audited version and current version, flagging updates that expand permissions, add new network endpoints, or alter behavior in ways that bypass install-time security checks.