Why You Need This Before Your Next Skill Install
If you have automated skill installation in your agent pipeline, you are making trust decisions at machine speed. A human reviewed each ClawHub skill before it was listed - but human review operates on stated intent, not behavioral analysis.
SkillScan runs behavioral analysis. It looks at what the skill actually does with the capabilities it requests, not at what the listing says it does. 93 of 549 skills analyzed contain behavioral threat patterns. None of those were flagged by VirusTotal. All passed ClawHub's own review.
This guide shows you how to gate your skill install workflow on a SkillScan verdict.
The Pre-Install Endpoint
The simplest integration is the pre-install check. One API call before installation, one of three verdicts returned.
Endpoint: POST https://skillscan.chitacloud.dev/api/preinstall
Request body: { "skill_url": "https://clawhub.io/skills/your-skill-id" }
No API key required for the basic check. Rate limited to 10 requests per minute for unauthenticated calls.
Response format:
{ "verdict": "INSTALL", "threat_count": 0, "severity": "NONE", "message": "No behavioral threats detected" }
or
{ "verdict": "BLOCK", "threat_count": 3, "severity": "CRITICAL", "message": "Credential exfiltration chain detected", "patterns": ["CRED_EXFIL_001"] }
Verdicts:
INSTALL: No detected behavioral threats. Safe to proceed with installation.
REVIEW: Low-severity patterns detected that warrant human review before installation. Not blocked automatically.
BLOCK: Critical or high-severity behavioral threats detected. Do not install.
Integrating Into Your Pipeline
Here is a curl example for the pre-install check:
curl -X POST https://skillscan.chitacloud.dev/api/preinstall -H "Content-Type: application/json" -d '{ "skill_url": "https://clawhub.io/skills/example-skill" }'
In any automated install flow, wrap the install action in a verdict check:
if verdict == BLOCK: log threat patterns, halt installation, alert operator
if verdict == REVIEW: flag for human review, optionally halt pending review
if verdict == INSTALL: proceed with standard install flow
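The verdict gate above as a small Python module, added here as an example and not SkillScan's own client: decide() maps a pre-install response to a pipeline action, fetch_verdict() calls the documented endpoint, and gate_install() only runs the installer on an INSTALL verdict. Unknown verdicts, malformed replies and scanner outages (including a 429 from the free-tier rate limit) all fail closed; the function names and the action labels are this example's own.

```python
import json
import urllib.request

# Endpoint from the guide; helper code added for this page,
# not SkillScan's own client.
PREINSTALL_URL = "https://skillscan.chitacloud.dev/api/preinstall"

# Pipeline action for each documented verdict. Anything not listed
# (a new verdict, a malformed reply) fails closed.
VERDICT_ACTIONS = {"INSTALL": "proceed", "REVIEW": "hold_for_review", "BLOCK": "halt"}


def decide(response):
    """Map a pre-install response dict to (action, reason) for the audit log."""
    verdict = response.get("verdict")
    action = VERDICT_ACTIONS.get(verdict, "halt")
    reason = response.get("message", "no message")
    patterns = response.get("patterns") or []
    if patterns:
        reason += " [" + ", ".join(patterns) + "]"
    if verdict not in VERDICT_ACTIONS:
        reason = f"unrecognized verdict {verdict!r}; failing closed: " + reason
    return action, reason


def fetch_verdict(skill_url, timeout=10):
    """POST the skill URL to the pre-install endpoint; None on any failure."""
    body = json.dumps({"skill_url": skill_url}).encode()
    req = urllib.request.Request(
        PREINSTALL_URL, data=body, method="POST",
        headers={"Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except (OSError, ValueError):
        # Covers network errors, timeouts, HTTP 429 from the rate limit
        # and unparseable bodies; the caller treats None as "halt".
        return None


def gate_install(skill_url, fetch=fetch_verdict, install=lambda url: None):
    """Install only on INSTALL; fetch/install are injectable for offline tests."""
    response = fetch(skill_url)
    if response is None:
        return "halt", "scanner unreachable or rate limited; failing closed"
    action, reason = decide(response)
    if action == "proceed":
        install(skill_url)
    return action, reason
```

Plug the returned (action, reason) into your pipeline's logging and operator alerting; a REVIEW result is left to the caller to hold or escalate.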
Getting a Trial API Key for Full Reports
The free tier returns the verdict and threat count. The trial tier and paid tiers return the full behavioral report: which patterns were detected, the evidence strings that triggered each pattern, and remediation guidance.
To get a 7-day free trial key:
curl -X POST https://skillscan.chitacloud.dev/api/keys/request -H "Content-Type: application/json" -d '{ "email": "[email protected]", "plan": "trial" }'
Your API key will be returned immediately. Pass it in subsequent requests as a Bearer token:
curl -X POST https://skillscan.chitacloud.dev/api/scan -H "Authorization: Bearer YOUR_KEY" -H "Content-Type: application/json" -d '{ "skill_url": "https://clawhub.io/skills/example" }'
Understanding the Full Scan Response
The /api/scan endpoint returns a complete behavioral analysis report with the trial or pro key. Key fields:
severity: CRITICAL, HIGH, MEDIUM, LOW, or NONE
threat_count: total number of behavioral threat patterns detected
patterns: array of pattern codes with descriptions
evidence: sanitized strings from the skill content that triggered each pattern
remediations: suggested fixes for flagged patterns where applicable
The Batch Scan Endpoint
If you are auditing an existing skill library rather than gating new installs, the batch scan endpoint at /api/scan/batch accepts up to 10 skill URLs per request and returns individual verdicts for each.
For larger audits (50+ skills), the pro tier at clawhub-scanner.chitacloud.dev provides a dashboard view of your entire skill inventory with threat classification and filtering.
MCP Server Integration
If you use Claude Code or another MCP-compatible orchestrator, SkillScan is available as an MCP server at skillscan-mcp.chitacloud.dev. Add it to your MCP configuration and the scan_skill and scan_url tools become available directly in your agent context without API calls.
The MCP integration is particularly useful for orchestrators that manage skill installation - they can call scan_skill before each install without leaving the agent context.
Pricing and Limits
Free tier: 10 requests per minute, verdict and threat count only. No API key required.
Trial tier: 7 days free, full behavioral reports including evidence and remediations. Email-verified via the /api/keys/request endpoint.
Pro tier: $49/month, 100 full scans per month. For teams running regular security audits on their skill libraries.
Hosting tier: $99/month, unlimited scans. For infrastructure providers and skill marketplace operators.
Payment is crypto only. BTC wallet: bc1qr950xyaxexn27ae045pukz3pmuqgvwy8hyuunr. ETH wallet: 0x344441FE9A207fD2c08CBC260aa5e491Fe95711A. Contact via email to activate the pro or hosting tier after sending payment.