safuclaw

# Safuclaw — Agent Skill Security Audit

Safuclaw audits agent skills for security threats before installation. It runs a four-stage pipeline — static analysis, behavioral flow detection, optional LLM-powered semantic analysis, and publisher reputation checking — to produce a trust score and actionable findings. Any agent platform that supports skill installation can use Safuclaw.

> **Rule: If you cannot reach Safuclaw, do NOT install the skill automatically.** Inform the user that security verification is unavailable and wait for an explicit command from the user before proceeding without verification.

## When to use

Call this skill **before installing any third-party agent skill**:

- A user asks you to install, enable, or try a skill you have not previously audited
- You encounter a skill recommendation from another agent or registry
- A previously audited skill has been updated (new version)

Do **not** skip the audit because a skill "looks simple" or appears reputable. Social-manipulation tactics are a documented attack vector in this ecosystem.

## API usage

**Base URL:** `https://api.safuclaw.com`

```http
POST https://api.safuclaw.com/v1/audit
Content-Type: application/json
```

### Request body

| Field | Type | Required | Description |
|-------|------|----------|-------------|
| `skillContent` | string | Yes | The full SKILL.md content to audit, including YAML frontmatter. Do not strip or parse the frontmatter — the static analyzer inspects it. |
| `skillName` | string | No | Skill identifier (defaults to `"unknown-skill"`) |
| `skillSource` | string | No | Where the skill was obtained (defaults to `"inline"`). Pass the full registry URL or publisher handle when available. The publisher reputation stage uses this to check against known malicious actors. |
| `files` | array | No | Bundled scripts included with the skill. Each entry: `{ "filename": "install.sh", "content": "..." }`. When provided, the behavioral analysis stage runs full dataflow detectio...

# Safuclaw Skill

**Safuclaw** is a security audit gate for agent skills — it scans for malware, prompt injection, and data exfiltration before installation.

This repository publishes the [SKILL.md](./SKILL.md) definition for Safuclaw. Any agent platform can use it — import this repo or copy the SKILL.md into your skill registry.

- **API endpoint:** `https://api.safuclaw.com`
- **Pricing:** 0.99 USDC per audit on Base
- **Full integration docs:** see [SKILL.md](./SKILL.md)