← Back to Skills Marketplace
130
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install zap1-zcash-attestation
Description
Provides cryptographic attestation for AI actions with Zcash-anchored proofs, policy enforcement, session tracking, and verifiable proof checkpoints.
Usage Guidance
This plugin will automatically hash and transmit message metadata and some content-derived hashes to an external ZAP1 service (default pay.frontiercompute.io). That behavior matches its attestation purpose but has privacy and trust implications: 1) Only configure the plugin with an API key you control (prefer a key from a self‑hosted ZAP1 instance if possible). 2) Avoid providing a highly privileged API key unless you trust the backend operator; admin tools can create API keys and list webhooks. 3) Be aware that hashed data can sometimes be reversed (short or predictable messages), so do not assume hashing alone preserves privacy. 4) The SKILL.md suggests getting a key via messaging a third party — verify the operator's identity and repository provenance (the SKILL references frontiercompute.io and a GitHub repo; confirm those links actually host the code and maintainers). 5) The package includes a package-lock.json with many extra dev dependencies — verify the published package contents and ensure no unexpected binaries are shipped. If you need this capability but want lower risk, host your own ZAP1 backend and only give the plugin a write key for that instance. If you cannot verify the backend/operator, treat this plugin as potentially leaking metadata and avoid enabling the write hooks.
Capability Analysis
Type: OpenClaw Skill
Name: zap1-zcash-attestation
Version: 0.2.1
The skill bundle provides a Zcash attestation layer that hashes agent activity and anchors it to the blockchain for auditability. It uses hooks (src/hooks.ts) to automatically hash and send event metadata to an external API (frontiercompute.io), and provides tools (src/tools.ts) for proof verification and protocol interaction. The behavior is transparently documented and aligned with the stated purpose, with no evidence of malicious execution or unauthorized data exfiltration.
Capability Assessment
Purpose & Capability
The declared purpose (Zcash attestation, policy enforcement, session tracking) matches the code: the package registers hooks to attest messages/events and exposes tools to query/submit attestation data. The plugin expects a configured apiKey and agentId (via plugin config) for write operations, which is consistent with the stated functionality.
Instruction Scope
The runtime hooks automatically hash and POST message contents, channel IDs, sender IDs, session keys and other metadata to an external API (default: https://pay.frontiercompute.io). While the plugin hashes content before sending, hashes of short or predictable inputs can be brute-forced; some endpoints (e.g., memo decode) accept raw hex bodies. SKILL.md suggests obtaining API keys via messaging a third party (Signal) — an unusual operational detail that increases trust requirements. The hooks also inject periodic checkpoint messages into conversations that include links to the remote API.
Install Mechanism
No installer or external binary downloads are declared (instruction-only install path). Source files are included in the package (dist/ and src/). There is a package-lock.json with many (dev) dependencies not visible in package.json (Anthropic/AWS-related entries); that is odd but not an immediate code-execution risk by itself — still worth verifying the lockfile provenance and that no unexpected native modules/binaries are included.
Credentials
The plugin requires an API key and agentId in its plugin config (not environment variables). Those credentials are proportional for a service that writes attestation events. However, some tools (create_api_key, list_webhooks, create_event) appear to perform administrative or write operations — they require a privileged API key. Only provide such a key if you trust the operator or self-host the backend.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide privileges. It registers hooks within the agent runtime (expected for this functionality) and does not appear to mutate other plugins' configurations.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install zap1-zcash-attestation - After installation, invoke the skill by name or use
/zap1-zcash-attestation - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.2.1
First Zcash skill. 8 hooks, 14 tools, policy enforcement, session attestation.
Metadata
Frequently Asked Questions
What is ZAP1 - Zcash Attestation?
Provides cryptographic attestation for AI actions with Zcash-anchored proofs, policy enforcement, session tracking, and verifiable proof checkpoints. It is an AI Agent Skill for Claude Code / OpenClaw, with 130 downloads so far.
How do I install ZAP1 - Zcash Attestation?
Run "/install zap1-zcash-attestation" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is ZAP1 - Zcash Attestation free?
Yes, ZAP1 - Zcash Attestation is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does ZAP1 - Zcash Attestation support?
ZAP1 - Zcash Attestation is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created ZAP1 - Zcash Attestation?
It is built and maintained by SkndrS (@skndrs); the current version is v0.2.1.
More Skills