Verigent

by extropyconsulting · GitHub ↗ · v0.1.2
cross-platform ⚠ suspicious
511 Downloads · 0 Stars · 0 Active Installs · 3 Versions
Install in OpenClaw
/install verigent
Description
Verify the reputation of any AI agent or skill before transacting. Now includes isnad-style chain-of-custody provenance for skills. Powered by Verigent — the...
Usage Guidance
This skill appears to do what it says (reputation + provenance checks), but there are red flags to consider before installing or invoking it autonomously:
  1. Clarify the environment variables — SKILL.md requires X_AGENT_ID and wallet addresses, but the registry metadata claims none; don't supply private keys or unrelated secrets (DB passwords, tokens).
  2. The documentation suggests using `npx -y @verigent/mcp-server` — dynamic npm installs execute remote code; only run that after auditing the package (publisher, versions, source, hashes).
  3. Understand reporting behavior: the skill can POST transaction reports and may ask for payment proofs in headers — know what data will be sent to https://verigent.link and avoid including sensitive context unless necessary.
  4. Verify the homepage/privacy policy and confirm the service operator and package ownership (npm/place where @verigent/mcp-server is published).
  5. If you need higher assurance, ask the publisher to: (a) update registry metadata to list the declared env vars, (b) provide a pinned install spec (exact package and checksum), and (c) publish the MCP server source for review.
If you cannot validate those, treat the skill as untrusted and avoid running any dynamic installs or providing secrets.
Capability Analysis
Type: OpenClaw Skill · Name: verigent · Version: 0.1.2
The skill is classified as suspicious due to two key vulnerabilities, not malicious intent. First, the SKILL.md instructs the agent to 'Inform the user and ask whether to proceed without verification' if the reputation API returns an error. This creates a security bypass vulnerability, allowing transactions to proceed without verification if the service is unavailable. Second, the README.md's agent integration section suggests running `npx -y @verigent/mcp-server`, which introduces a supply chain risk by executing a remote npm package, even if it's for setup rather than direct skill execution. No evidence of intentional data exfiltration, arbitrary command execution, or other malicious behavior was found.
Capability Assessment
Purpose & Capability
The name/description (reputation + provenance) match the API endpoints and decision rules in SKILL.md. Requesting an AgentID and on-chain wallet addresses is coherent for identity and optional payment proofs. However, the registry metadata above lists no required environment variables while SKILL.md declares X_AGENT_ID, X402_WALLET_ADDRESS, and SOLANA_WALLET_ADDRESS — that mismatch is an inconsistency that should be clarified. README also documents many server-side secrets (Redis, Neo4j) which are backend requirements, not agent-side, but their presence increases surface-area complexity.
Instruction Scope
The runtime instructions are primarily HTTP calls to https://verigent.link and decision logic for handling results (in-scope). But the SKILL.md / README recommend running an MCP integration via `npx -y @verigent/mcp-server`, which would dynamically fetch and execute a remote npm package at runtime. This expands the attack surface beyond simple API queries and allows remote code execution on the agent host. The instructions also prescribe automatic reporting (POST /report) after transactions, which is in-scope but could transmit interaction metadata to an external service; the skill asks agents to include payment proofs in headers once the free tier is exceeded and queries are charged.
Install Mechanism
There is no formal install spec (instruction-only), which is low risk by itself. However, the README/SKILL.md recommend using npx to run an MCP server package (@verigent/mcp-server). npx will fetch and execute code from the npm registry on demand; because there is no pinned install spec, that is a potential runtime execution risk and should be treated as an installation step that requires review (verify package ownership, published files, and integrity).
Credentials
SKILL.md declares X_AGENT_ID and two wallet address env vars which are reasonable for identity/payment headers — these are proportionate for a reputation/payment-aware API. But the registry metadata provided with the skill reported 'Required env vars: none', creating an incoherence. The README also documents many backend secrets (UPSTASH_REDIS_REST_TOKEN, NEO4J_PASSWORD, etc.) that are not needed for an agent client but may confuse users into over-sharing secrets. Ensure only the minimal AgentID/wallet address (public addresses) are provided — never provide private keys or DB credentials to the agent.
Persistence & Privilege
The skill does not request always:true and is user-invocable; it does not declare any required config path or attempt to modify other skills. There is no built-in persistent presence or forced inclusion. The main persistent risk is the optional npx MCP server recommendation that could run a long-lived process if an operator chooses to install it.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install verigent
  3. After installation, invoke the skill by name or use /verigent
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.2
- Added homepage and privacy policy fields to SKILL.md for improved documentation.
- Declared contract addresses for x402 (Base) and Solana USDC.
- Specified required environment variables: X_AGENT_ID, X402_WALLET_ADDRESS, and SOLANA_WALLET_ADDRESS.
- No changes to core functionality or endpoints.
v0.1.1
Verigent 0.1.1 introduces skill provenance checks and expands usage guidance:
- Added chain-of-custody (isnad-style) provenance for skills, allowing users to verify authorship, audits, and ratings before use.
- Documented a broader set of API tools, including free skill and provenance queries.
- Updated pricing: 100 free checks/day per AgentID, then $0.002 per query. Skill audits cost $5.00 USDC.
- Provided explicit instructions on when and how to use reputation and provenance checks for secure transactions.
- Outlined wallet/payment requirements for both Base Mainnet (x402) and Solana.
- Added referral program details and clarified decision rules for trust score interpretations.
v0.1.0
Initial release of the Verigent Agent Trust & Reputation Skill.
- Automatically checks counterparty agent reputation before risky actions (delegation, payments, data sharing).
- Integrates with the Verigent API to fetch trust scores, risk levels, and action recommendations.
- Reports successful handshakes and violations to a central graph.
- Requires x402 wallet (Skyfire / Privy) and Base Mainnet USDC for payments.
- Four main capabilities: reputation check, detailed trust breakdown, log handshakes, and submit violation reports.
Metadata
Slug verigent
Version 0.1.2
License
All-time Installs 0
Active Installs 0
Total Versions 3
Frequently Asked Questions

What is Verigent?

Verify the reputation of any AI agent or skill before transacting. Now includes isnad-style chain-of-custody provenance for skills. Powered by Verigent — the... It is an AI Agent Skill for Claude Code / OpenClaw, with 511 downloads so far.

How do I install Verigent?

Run "/install verigent" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Verigent free?

Yes, Verigent is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Verigent support?

Verigent is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Verigent?

It is built and maintained by extropyconsulting (@extropyconsulting); the current version is v0.1.2.
