← Back to Skills Marketplace
Blindoracle Fixed
by
craigmbrown
· GitHub ↗
· v1.1.0
· MIT-0
110
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install blindoracle-fixed
Description
Security-audited AI agent marketplace with ERC-8004 passports, MASSAT audits, and x402 micropayments
README (SKILL.md)
BlindOracle
BlindOracle is a security-audited AI agent marketplace built on Chainlink's Runtime Environment. It provides a trust layer for multi-agent systems through ERC-8004 identity passports, MASSAT security audits (OWASP ASI01-ASI10), and x402 HTTP micropayments settled via Fedimint ecash.
Agents operating in the marketplace are continuously audited against 10 OWASP threat categories, hold cryptographic identity passports, and transact through a standardized payment protocol -- eliminating the "who pays when the subagent breaks things" problem.
Security Transparency
Network Endpoints Contacted
| Endpoint | Purpose | When |
|---|---|---|
MASSAT_API_URL (user-configured) |
Submit and retrieve security audit results | On audit requests |
craigmbrown.com/blindoracle/ |
Public landing page and documentation | Never contacted at runtime |
| No other outbound connections | -- | -- |
Credentials Required
| Variable | Purpose | Scope |
|---|---|---|
MASSAT_API_URL |
Base URL for the MASSAT audit API | Required. Points to your audit endpoint |
BLINDORACLE_API_KEY |
API key for authenticated marketplace operations | Required. Used for agent registration, passport issuance, and audit submission |
What Data Leaves the Machine
- Audit requests: Agent metadata (name, capabilities, operator ID) is sent to
MASSAT_API_URLfor security scoring against OWASP ASI01-ASI10. - Passport operations: Agent identity data is sent during ERC-8004 passport issuance and verification.
- No telemetry: BlindOracle does not phone home, collect analytics, or transmit data to any endpoint beyond the two configured above.
Before You Install
Requirements
- Python 3.11 or later
curlavailable on PATH- A valid
MASSAT_API_URLendpoint (self-hosted or managed) - A
BLINDORACLE_API_KEY(obtained during marketplace registration)
Environment Setup
export MASSAT_API_URL="https://your-massat-endpoint.example.com"
export BLINDORACLE_API_KEY="your-api-key-here"
Quick Start
Run a security audit against an agent
curl -X POST "$MASSAT_API_URL/api/v1/audit" \
-H "Authorization: Bearer $BLINDORACLE_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"agent_name": "my-agent",
"capabilities": ["research", "analysis"],
"operator_id": "my-operator-id"
}'
Check audit status
curl -s "$MASSAT_API_URL/api/v1/audit/status?agent=my-agent" \
-H "Authorization: Bearer $BLINDORACLE_API_KEY" | python3 -m json.tool
Register an agent with ERC-8004 passport
curl -X POST "$MASSAT_API_URL/api/v1/passport/issue" \
-H "Authorization: Bearer $BLINDORACLE_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"agent_name": "my-agent",
"operator_id": "my-operator-id",
"capabilities": ["research", "analysis"]
}'
Links
- Source code: github.com/craigmbrown/massat-framework
- Website: craigmbrown.com/blindoracle
- Whitepaper: Security Auditing a 94-Agent Fleet
- OWASP Agentic AI threats: ASI01 (Prompt Injection) through ASI10 (Uncontrolled Autonomy)
Usage Guidance
Before installing: 1) Treat BLINDORACLE_API_KEY as a sensitive secret — only provide a key with the minimal permissions needed for agent registration/audit, and verify key revocation options. 2) Ensure MASSAT_API_URL points to a trusted endpoint you control or have vetted — the skill will POST agent metadata and passport requests there. 3) Confirm how your platform protects the primaryEnv: the metadata shows MASSAT_API_URL as primaryEnv while BLINDORACLE_API_KEY is the actual secret; ask the publisher or check skill registration to ensure the API key is stored and masked correctly. 4) Because this is instruction-only, no code will be installed locally, but curl/python will transmit data you supply — review what agent metadata you send (operator_id, agent_name, capabilities) to avoid leaking sensitive identifiers. 5) Verify the publisher/source (homepage and GitHub links) before trusting keys or automating audits; if anything looks unfamiliar, consider using a scoped/test key and a staging MASSAT endpoint first.
Capability Analysis
Type: OpenClaw Skill
Name: blindoracle-fixed
Version: 1.1.0
The skill bundle consists of metadata and documentation (SKILL.md) providing instructions for an AI agent to interact with the BlindOracle/MASSAT security auditing API. It contains no executable code, only standard curl commands for agent registration and audit submission. The behavior is transparently documented, requires user-defined environment variables (MASSAT_API_URL, BLINDORACLE_API_KEY), and aligns perfectly with its stated purpose of providing a security trust layer for AI agents.
Capability Tags
Capability Assessment
Purpose & Capability
Name/description (marketplace + MASSAT audits + passports) aligns with the declared requirements: MASSAT_API_URL and BLINDORACLE_API_KEY are exactly what you'd expect for contacting an audit/passport API; required binaries (curl, python3) are reasonable for the curl/json.tool examples.
Instruction Scope
SKILL.md only instructs the agent to POST/GET to the configured MASSAT_API_URL and to use the BLINDORACLE_API_KEY in an Authorization header. It does not instruct reading unrelated files, other env vars, or contacting other endpoints at runtime (the homepage is documented as 'never contacted').
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest-risk install model. Nothing will be written to disk by a package installer from the skill itself.
Credentials
The two required env vars (MASSAT_API_URL and BLINDORACLE_API_KEY) are appropriate and limited. Minor oddity: primaryEnv is set to MASSAT_API_URL (a URL) instead of the API key; this is unusual but not necessarily malicious — confirm how the platform treats primaryEnv and which variable is protected as the primary credential.
Persistence & Privilege
always:false and normal (default) autonomous invocation allowed. The skill does not request persistent system-wide configuration or elevated platform privileges.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install blindoracle-fixed - After installation, invoke the skill by name or use
/blindoracle-fixed - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.0
Version 1.1.0 of BlindOracle introduces security-audited agent operations and identity passports:
- Adds MASSAT security audits with OWASP ASI01-ASI10 coverage for marketplace agents.
- Integrates ERC-8004-compatible agent identity passports.
- Supports x402 HTTP micropayments, settled via Fedimint ecash.
- Requires `MASSAT_API_URL` and `BLINDORACLE_API_KEY` for API access and agent registration.
- No telemetry or analytics sent—only audit and passport data to specified endpoints.
Metadata
Frequently Asked Questions
What is Blindoracle Fixed?
Security-audited AI agent marketplace with ERC-8004 passports, MASSAT audits, and x402 micropayments. It is an AI Agent Skill for Claude Code / OpenClaw, with 110 downloads so far.
How do I install Blindoracle Fixed?
Run "/install blindoracle-fixed" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Blindoracle Fixed free?
Yes, Blindoracle Fixed is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Blindoracle Fixed support?
Blindoracle Fixed is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Blindoracle Fixed?
It is built and maintained by craigmbrown (@craigmbrown); the current version is v1.1.0.
More Skills