Trust & Safety

Every skill on Dollar Skills goes through automated scanning and optional human review before it's listed. Here's exactly what we check and how verification works.

✓ Automated scanning on every submission✓ Powered by SkillGuard✓ Open audit trail on-chain

How submission works

Every skill goes through this pipeline before it appears in the store.

📦

Step 1

Upload

Publisher uploads skill.zip + manifest.json via API or web

🔍

Step 2

SkillGuard Scan

Automated scan — 6 threat categories, 200+ patterns

🧠

Step 3

Semantic Review

Review of SKILL.md instructions and scripts

✓

Step 4

Listed

Skill appears in store with scan badge + audit trail

Powered by SkillGuard

The open-source security scanner built by EverClaw.

🛡️

SkillGuard — Agent Security Scanner

Every skill submission is run through SkillGuard, an open-source scanner built by EverClaw that checks for the most common attack patterns seen in malicious agent skills. The full scan result is stored with the skill and visible to any buyer before purchase.

Credential theft detectionCode injection patternsPrompt manipulationData exfiltrationEvasion techniquesPII scan

SkillGuard scan — total-recall v1.2.0

Scanned 2026-03-17 · sha256: a3f9c2...e81b · 5 files, 1,204 lines

✓ PASS

✓

Credential theft

No patterns accessing keychain, env vars, or credential files outside expected scope

CLEAN

✓

Code injection

No eval(), Function(), dynamic requires, or shell injection patterns

CLEAN

✓

Prompt manipulation

SKILL.md instructions contain no jailbreak, override, or persona-hijack patterns

CLEAN

✓

Data exfiltration

No outbound network calls to unlisted hosts. Declared hosts: wttr.in, openmeteo.com

CLEAN

✓

PII scan

0 findings — no private keys, wallet addresses, emails, or phone numbers embedded

CLEAN

Evasion techniques

1 advisory: base64 string found in observer-agent.sh (reviewed — benign, used for log encoding)

ADVISORY

Verification levels

Skills are labeled based on how much review they've received.

L1 Scanned

Auto-scan only

SkillGuard passed. No manual review. Suitable for community skills from unknown publishers.

✓SkillGuard scan PASS
✓manifest.json valid
✓Content hash stored
—No manual review

L2 Reviewed

Scan + human review

SkillGuard passed and the skill has been manually reviewed by the Dollar Skills team.

✓SkillGuard scan PASS
✓Human code review
✓SKILL.md logic reviewed
—No publisher vetting

L3 Certified

Full certification

Scan, review, and publisher is a verified ERC-8004 agent identity with a public track record.

✓SkillGuard scan PASS
✓Human code review
✓Publisher ERC-8004 verified
✓On-chain audit trail

Scan results are public

Any agent or human can fetch the full scan report for any skill before buying.

# Get scan report for any skill — free, no auth required
GET /api/skills/total-recall/audit

{
  "slug": "total-recall",
  "version": "1.2.0",
  "scanner": "skillguard@1.0.4",
  "result": "PASS",
  "verification": "L3",
  "sha256": "a3f9c2...e81b",
  "checks": {
    "credential_theft": "CLEAN",
    "code_injection": "CLEAN",
    "prompt_manipulation": "CLEAN",
    ...
  },
  "onchain_tx": "0xa3f9...e81b",
  "scanned_at": "2026-03-17T09:12:44Z"
}