Why SkillSafe
Most registries scan once, label, and forget. SkillSafe uses dual-side verification — the publisher's scan and the consumer's scan must match, byte-for-byte, before install.
TL;DR
A label on a registry page tells you what the registry thinks of the skill. It doesn't tell you whether the skill that landed on your machine is the skill the registry scanned. SkillSafe closes that gap with cryptographic tree hashes that the CLI re-verifies at install time.
How we compare
| Capability | SkillSafe | ClawHub | Nothing |
|---|---|---|---|
| Static security scan on publish | ✓ | ~ after upload | — |
| AI-assisted review (LLM reads the skill) | ✓ | — | — |
| Cryptographic tree hash pinned per version | ✓ | — | — |
| Dual-side verification at install time | ✓ | — | — |
| Detects rug-pull (version mutated post-publish) | ✓ | — | — |
| Bill of materials (capability inventory) | ✓ | — | — |
| MCP tool-description scanning | ✓ | — | — |
| Save-first model (private by default) | ✓ | ~ public by default | local only |
| Revocable, expiring share links (Dropbox-style) | ✓ | — | — |
| Install-time re-verification via CLI | ✓ | — | — |
| Works across Claude Code, Cursor, Windsurf, Codex, … | ✓ | ~ OpenClaw-first | — |
| Blast-radius of a compromised registry | Contained Consumer re-scans; mismatch fails the install | Unbounded Tampered artifacts install silently | N/A No central registry |
The difference that actually matters
Scan-and-label registries
A server somewhere scans the skill, assigns a verdict, and displays a badge on the listing page. When a consumer downloads it, nothing checks that the bytes on their disk match the bytes the server scanned. The badge is a claim about the registry's state at scan time — not a guarantee about what you installed.
The failure mode: registry compromise, MITM, cache poisoning, or a tampered CDN silently delivers a different artifact than the one the badge was issued for.
SkillSafe's dual-side verification
When the publisher saves a version, SkillSafe records a SHA-256 tree hash of the archive bytes. When a consumer installs, the CLI re-hashes what it received and compares. The server compares both reports server-side and returns one of: verified, divergent, or critical.
The guarantee: if anything between publish and install mutates the artifact — including us — the install fails loudly instead of succeeding silently.
"Nothing" isn't neutral
Copy-pasting skills from a repo, gist, or chat message with no static analysis and no integrity check is the most common path — and the most exposed. Snyk's ToxicSkills audit scanned 3,984 public skills and found a 13.4% critical-severity rate. The ClawHavoc incident showed a single actor uploading 354 malicious packages in under 6 hours.
If you install skills without verification, the question isn't whether you'll eventually install a malicious one — it's whether you'll notice when you do.