🆕 We pulled metadata on all 52,652 ClawHub packages. Only 22% are "clean".

trentclaw Quickstart: Audit Your OpenClaw Setup in 2 Minutes

Trent AI Team
By Trent AI Team
Jul 2026 • 2 min read

ClawHub runs VirusTotal across its own catalogue, and only 22% of its 52,652 packages come back clean. Two-fifths are flagged suspicious. None of that surfaces when you go to install a skill, and signature scanning cannot read what a skill instructs your agent to do. So if you’re running OpenClaw with skills you didn’t write, you’re running code nobody has really audited.

trentclaw is a skill that audits it: your OpenClaw configuration, your installed and public ClawHub skills, your permissions, and your custom code.

Here’s the full setup, start to first finding.

Prerequisites

  • A running OpenClaw instance you can access
  • The openclaw CLI on the machine where OpenClaw runs
  • A Trent account

Step 1: Generate an API key

Log in to Trent and open the OpenClaw API Key page. Click Generate API Key.
The OpenClaw API Key page in Trent, with the Generate API Key button

⚠️ The key is shown once. Put it in your password manager before you close the tab.

Keys expire after 30 days

When yours does, click Renew on the same page. Click the API key and type it to confirm ownership, then scroll to Extend by and choose a duration between 7 and 90 days. Click Extend key.

The Renew dialog showing the Extend by duration selector

Step 2: Install the skill

openclaw skills install @trent-ai-release/trentclaw

Install trentclaw openclaw security skill: openclaw skills install @trent-ai-release/trentclaw

Step 3: Connect the key

openclaw config set skills.entries.trent-openclaw-security.apiKey YOUR_TRENT_API_KEY

Then restart the gateway so the skill picks up the key:

openclaw gateway restart

Restart your openclaw gateway so the skill picks up the API key: openclaw gateway restart

Step 4: Run your first audit

Start a new agent session and ask:

Audit my OpenClaw setup for security risks using trent

The audit runs in three phases: a configuration audit first, then a skill-packaging preview that shows you the exact file list and waits for your OK before anything is uploaded, then a deep analysis of the uploaded skills to surface issues that chain across components.

On privacy: secrets (API keys, tokens, passwords, connection strings) are redacted locally before anything leaves your machine, and you approve the upload file list yourself. Env files, private keys, certificates, and SSH keys are excluded from upload entirely.

Digging into the results

Findings surface directly inside OpenClaw, in the session you’re already working in. Once the audit has run, ask follow-ups:

What security vulnerabilities has Trent found in my configuration?
Show me the critical findings from the Trent security assessment

Findings are conversational, so treat it like a security engineer sitting in your agent: ask why something is flagged, what to change, and what to check next.

Re-run the audit whenever you add a skill or change permissions. Your setup keeps moving, so the audit is not a one-time gate.

Troubleshooting

401 Unauthorized. Your key likely expired. Keys last 30 days. Regenerate it on the OpenClaw API Key page (or click Renew before it lapses), then re-run the openclaw config set command from Step 3 and restart the gateway.

Lost the key. There’s no way to view it again, it’s shown once at generation. Generate a new one and please save it according to your process.

Skill not showing. Start a new agent session, skills load at session start, so an already-running session won’t see a fresh install.

More

trentclaw is open source. The skill lives at clawhub.ai/trent-ai-release/trentclaw and the code at github.com/trnt-ai/trent-openclaw-security-assessment.

The registry numbers above come from our teardown of all 52,652 ClawHub packages.