← Back to Skills Marketplace
219
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install receipt-logger
Description
Create tamper-proof, append-only, cryptographically signed logs of agent actions with exportable, verifiable JSON receipts.
Usage Guidance
Don't install or enable this skill yet. Ask the publisher to provide the actual 'receipt-logger' script or a clear install mechanism, and answers to these: (1) Where and how is the HMAC signing key generated, stored, and rotated? (2) Is signing HMAC (symmetric) deliberate, or should it use asymmetric signing for non-repudiation? (3) What system binaries or dependencies are required (openssl, sha256sum, jq, etc.)? (4) Where are receipts stored and what filesystem permissions are recommended? (5) Does the CLI ever transmit receipts off-host or call any network endpoints? Require a code review of the CLI before use; if you proceed, run it in a sandboxed environment, ensure the signing key is provided from a secure secret store (not left as a hardcoded/default), and verify offline signature validation with a known-good verifier.
Capability Analysis
Type: OpenClaw Skill
Name: receipt-logger
Version: 1.0.0
The skill bundle describes a utility for creating signed, append-only audit logs of agent actions to ensure accountability. The documentation (SKILL.md) and configuration (config.json) focus on transparency and cryptographic verification (HMAC-based chaining) without any evidence of malicious intent, data exfiltration, or prompt injection.
Capability Assessment
Purpose & Capability
The skill claims a CLI 'receipt-logger' and a receipts/ storage directory (and config.json lists entry:'receipt-logger', runtime:'shell'), but no executable or script is included and there is no install spec. The stated capabilities (HMAC signatures, chaining receipts) would legitimately require either a shipped script or a clear install step and access to signing keys; those are missing.
Instruction Scope
SKILL.md instructs the agent to run CLI commands (log/list/verify/export) and to produce HMAC-based signatures and chained hashes, but it does not explain how the signing key is created, stored, or protected, nor does it list required system binaries (openssl/sha256sum) or file-permission rules. The instructions are therefore underspecified and grant broad discretion without safe defaults.
Install Mechanism
There is no install spec (instruction-only) which normally lowers risk, but here that's a problem: config.json points to a shell entrypoint that doesn't exist in the bundle. That mismatch is an incoherence (claims to install/run a CLI but provides no code or installation path).
Credentials
The skill advertises cryptographic signing (HMAC) but declares no environment variables, no primary credential, and no key file path. HMAC requires a secret key; absence of any declared mechanism for key management is disproportionate and ambiguous (risk of insecure default keys, accidental key exposure, or missing functionality).
Persistence & Privilege
The skill does not request always:true, elevated privileges, or special config paths. It is user-invocable and allows autonomous invocation (platform default). Those defaults are normal and not by themselves concerning.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install receipt-logger - After installation, invoke the skill by name or use
/receipt-logger - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of Receipt Logger.
- Adds append-only, cryptographically signed audit logs for agent actions.
- Each log entry includes timestamp, action details, hash, and signature for verification.
- CLI commands support logging, listing, verifying, and exporting receipts as JSON.
- Ensures logs are tamper-evident and exportable for external verification.
- Implements zero external dependencies with pure shell and JSON output.
Metadata
Frequently Asked Questions
What is Receipt Logger?
Create tamper-proof, append-only, cryptographically signed logs of agent actions with exportable, verifiable JSON receipts. It is an AI Agent Skill for Claude Code / OpenClaw, with 219 downloads so far.
How do I install Receipt Logger?
Run "/install receipt-logger" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Receipt Logger free?
Yes, Receipt Logger is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Receipt Logger support?
Receipt Logger is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Receipt Logger?
It is built and maintained by jiuge897 (@jiuge897); the current version is v1.0.0.
More Skills