#21308: feat(skills): add ClawTrust — reputation engine & gig marketplace for AI agents
size: S
Cluster: Security Enhancements and Fixes
## Add ClawTrust Skill — Reputation Engine & Gig Marketplace for AI Agents
### What this adds
A new skill that enables OpenClaw agents to autonomously interact with [ClawTrust](https://clawtrust.org), a reputation engine and gig marketplace built specifically for AI agents.
### What agents can do with this skill
- **Register** an on-chain identity (ERC-8004 on Base Sepolia)
- **Discover gigs** matching their skills with multi-filter search
- **Apply for and complete work** with deliverable submission
- **Build verifiable reputation** via FusedScore (on-chain + performance + bond reliability)
- **Get paid in USDC** through secure escrow with swarm validation
### Technical details
- API Base: `https://clawtrust.org/api`
- Auth: `x-agent-id` header (UUID from registration)
- Chains: Base Sepolia, Solana Devnet
- Install: Downloads extended integration guide from GitHub
### Links
- Platform: [clawtrust.org](https://clawtrust.org)
- GitHub: [github.com/clawtrustmolts/clawtrustmolts](https://github.com/clawtrustmolts/clawtrustmolts)
- Full integration docs: [clawtrust-skill repo](https://github.com/clawtrustmolts/clawtrust-skill)
<!-- greptile_comment -->
<h3>Greptile Summary</h3>
This PR adds a new skill for ClawTrust, a third-party reputation and gig marketplace platform. The skill enables agents to register identities, discover gigs, and handle cryptocurrency payments via an external API.
**Critical Security Issues:**
- **Remote code execution vulnerability**: The install command downloads arbitrary content from an unvetted external GitHub repository (`clawtrustmolts/clawtrust-skill`) without validation
- **Unverified third-party integration**: Agents will send requests and credentials to `clawtrust.org`, an external domain not controlled by OpenClaw
- **Credential exposure**: The registration flow creates authentication tokens (`x-agent-id`) that are stored and used for all subsequent API calls
- **Invalid JSON syntax**: The metadata contains trailing backslashes that break JSON parsing
**Recommendation**: This skill should not be merged without:
1. Security audit of the external service and repository
2. Official vetting and endorsement from OpenClaw maintainers
3. Fixing the JSON syntax errors
4. Adding clear security warnings about third-party API usage
5. Implementing proper credential management
6. Either bundling the integration guide directly or hosting it in the official OpenClaw organization
<h3>Confidence Score: 0/5</h3>
- This PR introduces critical security vulnerabilities and should not be merged
- Score reflects multiple critical security issues: (1) remote code execution risk from downloading unvalidated external scripts, (2) credential exposure to unverified third-party APIs, (3) invalid JSON syntax that breaks the skill installation, (4) no security audit or vetting of external services. These issues pose immediate security risks to OpenClaw users and their agents.
- skills/clawtrust/SKILL.md requires complete security review and cannot be safely merged in current state
<sub>Last reviewed commit: 9712c21</sub>
<!-- greptile_other_comments_section -->
<!-- /greptile_comment -->
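A pre-merge check covering two of the findings above (metadata that does not parse as JSON, and an install step that downloads from an unvetted repository), added here as an example and not code from the PR, OpenClaw, or Greptile. The metadata shape (`install` steps carrying `url` and `sha256`), the trusted-org list, and the sample inputs are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Assumption: GitHub orgs the maintainers have vetted (placeholder value).
TRUSTED_GITHUB_ORGS = {"openclaw"}
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com"}


def lint_skill_metadata(raw: str) -> list[str]:
    """Return review findings for a skill's metadata JSON (hypothetical schema)."""
    try:
        meta = json.loads(raw)
    except json.JSONDecodeError as exc:
        # A stray trailing backslash lands here: JSON has no line continuation.
        return [f"invalid-json: line {exc.lineno}: {exc.msg}"]
    if not isinstance(meta, dict):
        return ["invalid-shape: top-level value is not an object"]

    findings = []
    for step in meta.get("install") or []:
        if not isinstance(step, dict) or not step.get("url"):
            continue
        url = step["url"]
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        segments = [s for s in parts.path.split("/") if s]
        org = segments[0].lower() if segments else ""
        if parts.scheme != "https":
            findings.append(f"insecure-scheme: {url}")
        # The first path segment on GitHub hosts is the owning org or user.
        if host not in GITHUB_HOSTS or org not in TRUSTED_GITHUB_ORGS:
            findings.append(f"unvetted-source: {host}/{org}")
        # Without a pinned digest, the fetched content can change after review.
        if not step.get("sha256"):
            findings.append(f"unpinned-download: {url}")
    return findings


# Constructed samples: a trailing backslash inside the JSON, and a download
# from the repository named in the review (branch and file are placeholders).
BROKEN = '{\n  "install": [ \\\n    {"kind": "download"}\n  ]\n}'
UNVETTED_URL = ("https://raw.githubusercontent.com/clawtrustmolts/"
                "clawtrust-skill/PLACEHOLDER_BRANCH/PLACEHOLDER_FILE")
UNVETTED = json.dumps({"install": [{"kind": "download", "url": UNVETTED_URL}]})

if __name__ == "__main__":
    for name, sample in (("broken", BROKEN), ("unvetted", UNVETTED)):
        print(name, lint_skill_metadata(sample))
```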
Most Similar PRs
- #20353: feat(skills): add OADP agent discovery skill (by imaflytok · 2026-02-18 · 79.3%)
- #8821: Security: Holistic capability-based sandbox (replaces pattern-match... (by tonioloewald · 2026-02-04 · 78.7%)
- #20266: feat: skills-audit — Phase 1 security scanner for installed skills (by theMachineClay · 2026-02-18 · 76.3%)
- #10514: Security: harden AGENTS.md with gateway, prompt injection, and supp... (by catpilothq · 2026-02-06 · 76.0%)
- #8873: fix: document skill loading locations in system prompt (by ytfh44 · 2026-02-04 · 75.2%)
- #19787: feat: Antigravity Fork - Token Economy, Mem0, sqlite-vec, Auto-Arch... (by msrovani · 2026-02-18 · 74.0%)
- #19579: fix(skills): complete clawhub SKILL.md with missing commands (by buddyh · 2026-02-18 · 74.0%)
- #8075: fix(skills): add --ignore-scripts to all package managers (by yubrew · 2026-02-03 · 73.8%)
- #23372: Skills: quarantine ClawHub installs until explicitly enabled (by bmendonca3 · 2026-02-22 · 73.4%)
- #3642: Add repository metadata field for skill transparency (by ADITYABHURAN · 2026-01-28 · 73.2%)