← Back to Skills Marketplace
shaymizuno

✅ AgentVerif — Scan. Sign. Verify. Control your distribution.

by shaymizuno · GitHub ↗ · v2.0.6 · MIT-0
cross-platform ✓ Security Clean
213
Downloads
0
Stars
0
Active Installs
9
Versions
Install in OpenClaw
/install agentverif
Description
SCAN → SIGN → VERIFY. Certify your skill, detect tampering, revoke instantly. Full control over how your skill is distributed and run. Requires AGENTVERIF_AP...
README (SKILL.md)

✅ AgentVerif — OWASP Scan + Cryptographic Verification

✅ AgentVerif Certified ⭐ Score: 100/100 · 🔑 AC-FA10-EB04 clawhub.ai/agentverif

AgentVerif is the trust layer for OpenClaw skills. Every skill you install or distribute is scanned against the OWASP LLM Top 10 and cryptographically verified — so you know it's authentic, unmodified, and safe to run.

The former AgentCop Sentinel is now AgentVerif — same battle-tested OWASP scanner, now with cryptographic signing, tamper detection, and license revocation built in.

Install in one line:

npx clawhub@latest install agentverif

Requires agentverif-sign (install once):

pip install agentverif-sign

This skill never installs packages automatically. You stay in control of your environment.

What AgentVerif does

Layer What it catches OWASP
SCAN Prompt injection, credential leaks, insecure output, tool-call injection LLM01, LLM02, LLM06, LLM08
SIGN Cryptographic hash + License ID — proves the skill is yours
VERIFY Tamper detection — catches modified versions before execution
REVOKE Kill a license instantly if the skill gets redistributed

Slash commands

/security scan [--last 1h|24h|7d] [--since ISO]

Scan current session for OWASP LLM Top 10 violations. Score 0–100. Below 70 = refused. Shows exact violations + fixes.

/security verify \x3Clicense_id_or_zip>

Verify a skill certificate against the agentverif.com registry. Returns: VERIFIED / TAMPERED / UNSIGNED / EXPIRED / REVOKED

/security sign \x3Czip_path>

Sign a skill ZIP. OWASP scan runs first (score ≥ 70 required). Injects SIGNATURE.json. Issues a License ID.

/security revoke \x3Clicense_id>

Revoke a license. Verification fails immediately for all buyers. Requires AGENTVERIF_API_KEY environment variable.

/security status

Reports that this skill is stateless — no local session data stored. Run /security scan to get a live score.

/security report

Full violation report grouped by severity (CRITICAL → ERROR → WARN). Reads from stdin — pipe session context or text to scan.

/security taint-check \x3Ctext>

Check a string for LLM01 prompt injection. Exit 1 if tainted.

/security output-check \x3Ctext>

Check agent output for LLM02 insecure patterns.

/security diff \x3Csession1> \x3Csession2>

Not supported — this skill is stateless and stores no session history.

/security badge

Get your ✅ AgentVerif Certified badge for your skill listing.

Privacy & data

Network calls: scan, sign, and verify transmit data to api.agentverif.com via the agentverif-sign Python package:

  • scan: sends the skill ZIP for OWASP analysis
  • sign: sends the skill ZIP to generate a certificate
  • verify: sends the license ID to check registry status

Do not scan or sign ZIPs containing secrets you cannot share with agentverif.com.

Local persistence: This skill itself writes no local files. The agentverif-sign package may cache scan results — see its source at github.com/trusthandoff/agentverif.

API key: revoke requires AGENTVERIF_API_KEY. Use a scoped key. Never store in plaintext. Rotate if exposed.

Source code: All behavior is auditable at github.com/trusthandoff/agentverif

Exit codes

Code Meaning
0 Clean — no violations, certificate valid
1 Violations detected or certificate invalid
2 Error — agentverif-sign not installed or bad arguments

Requirements

  • OpenClaw ≥ 0.1
  • Python ≥ 3.11
  • agentverif-sign >= 0.2.0: pip install agentverif-sign

This skill never auto-installs packages.

Built by agentverif.com Source: github.com/trusthandoff/agentverif

✅ AgentVerif Certified ⭐ Score: 100/100 · 🔑 AC-FA10-EB04 clawhub.ai/agentverif

Usage Guidance
This skill appears to do what it says: it runs a local regex-based OWASP-like scan and uses the agentverif-sign package to send ZIPs/licenses to api.agentverif.com for signing and verification. Before installing: (1) Verify the agentverif-sign package and the GitHub repo (github.com/trusthandoff/agentverif) are legitimate and recent; (2) Do NOT scan or sign ZIPs that contain secrets or private keys you cannot share with the service; (3) If you use revoke, create a minimally-scoped AGENTVERIF_API_KEY, store it securely (do not hardcode), and rotate if exposed; (4) Be aware signing will modify ZIPs (inject SIGNATURE.json) and agentverif-sign may cache results; (5) Note minor metadata inconsistencies (version numbers and env documentation) — confirm details on the project homepage before trusting certificates for distribution.
Capability Analysis
Type: OpenClaw Skill Name: agentverif Version: 2.0.6 The agentverif skill is a security utility designed to scan OpenClaw skills for OWASP LLM Top 10 violations and provide cryptographic signing/verification. It communicates with api.agentverif.com to perform these tasks, which is clearly documented in the SKILL.md and skill.py files. The implementation is transparent, lacks obfuscation, and includes explicit warnings regarding the handling of sensitive data during the scanning process. No malicious patterns or prompt injection attempts were identified.
Capability Tags
requires-walletrequires-sensitive-credentials
Capability Assessment
Purpose & Capability
The name/description (scan, sign, verify, revoke) match the code and SKILL.md: the skill implements a local scanner and delegates signing/verification network calls to the agentverif-sign Python package. Requiring a helper package and occasionally an API key for revoke is proportionate to the stated purpose.
Instruction Scope
Instructions are explicit about behavior and network calls: scan/sign/verify send ZIPs or license IDs to api.agentverif.com via the agentverif-sign package. The SKILL.md repeatedly warns not to send ZIPs with secrets. This is expected for a signing/verification service, but it means users must avoid scanning ZIPs that contain sensitive secrets or private keys.
Install Mechanism
There is no automatic install; the skill requires the user to pip install agentverif-sign. No URLs or extracted archives are fetched by the skill itself. This is a low-risk, expected install pattern for a Python-backed skill, but users should verify the agentverif-sign package/source before installing.
Credentials
Only AGENTVERIF_API_KEY is mentioned as required for the revoke command; that is proportionate. Minor metadata inconsistency: registry metadata lists no required env vars while SKILL.md and package.json document AGENTVERIF_API_KEY (marked optional). This is a documentation mismatch but not a functional surprise.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent system privileges. It claims to be stateless; note that signing injects a SIGNATURE.json into a ZIP via the agentverif-sign package (so the ZIP itself is modified when signing). The skill does not auto-enable or modify other skills.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install agentverif
  3. After installation, invoke the skill by name or use /agentverif
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.0.6
Badge at top of skill page + upgraded billboard with certified score and license ID
v2.0.5
Added AgentVerif Certified badge — Score: 100/100 · AC-FA10-EB04
v2.0.3
Added ✅ Protected by AgentVerif billboard to all outputs
v2.0.2
Bug fixes from post-publish testing
v2.0.1
Stateless skill.py (no local file writes), Privacy & data section added, AGENTVERIF_API_KEY declared, emoji updated per ClawHub reviewer feedback
v2.0.0
Upgraded from AgentCop Sentinel — added cryptographic signing, tamper detection, and license revocation via agentverif.com
v1.0.2
agentcop 1.0.2 Broadened detection examples: now highlights agent-to-agent messages and external content. Simplified badge management: replaced subcommands with a single `/security badge` command and directs users to the website for badge generation.
v1.0.1
AgentCop 1.0.1 - Initial release with core security monitoring features. - Added documentation (README.md, SKILL.md) detailing usage and command instructions. - Introduced Python skill script (skill.py) implementing security checks and reporting. - Included package metadata (package.json) for deployment and integration.
v1.0.0
AgentCop Security Skill – Initial Release - Monitors for OWASP LLM Top 10 security violations in real time via taint checks and policy breach alerts. - Provides /security status, /security report, and /security scan commands for detailed security assessments. - Reports agent fingerprints, trust scores, status, and violations clearly to users. - Automatic alerts require optional `agentcop-monitor` hook; commands work on demand regardless. - User-friendly error handling for missing installations and timeouts.
Metadata
Slug agentverif
Version 2.0.6
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 9
Frequently Asked Questions

What is ✅ AgentVerif — Scan. Sign. Verify. Control your distribution.?

SCAN → SIGN → VERIFY. Certify your skill, detect tampering, revoke instantly. Full control over how your skill is distributed and run. Requires AGENTVERIF_AP... It is an AI Agent Skill for Claude Code / OpenClaw, with 213 downloads so far.

How do I install ✅ AgentVerif — Scan. Sign. Verify. Control your distribution.?

Run "/install agentverif" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is ✅ AgentVerif — Scan. Sign. Verify. Control your distribution. free?

Yes, ✅ AgentVerif — Scan. Sign. Verify. Control your distribution. is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does ✅ AgentVerif — Scan. Sign. Verify. Control your distribution. support?

✅ AgentVerif — Scan. Sign. Verify. Control your distribution. is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created ✅ AgentVerif — Scan. Sign. Verify. Control your distribution.?

It is built and maintained by shaymizuno (@shaymizuno); the current version is v2.0.6.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments