rajaryan18

Artifact Signing

by Raj Aryan · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ✓ Security Clean
270 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install artifact-signing
Description
A skill to sign artifacts using a digital certificate and private key.
README (SKILL.md)

Artifact Signing Skill

This skill allows an AI agent to sign files, binaries, or any artifact using a PEM-encoded private key. It generates a detached signature file.

Dependencies

  • Python 3.x
  • cryptography library (pip install cryptography)

Tools

sign_artifact

Signs a given artifact with a private key.

Arguments:

  • artifact_path: (Required) Absolute path to the file to be signed.
  • key_path: (Required) Absolute path to the PEM-encoded private key.
  • output_path: (Optional) Absolute path where the signature should be saved. Defaults to <artifact_path>.sig.

Example Usage:

```
python c:\Docs\skills\artifact-signing\scripts\sign_artifact.py "C:\path\to\artifact.zip" "C:\path\to\private_key.pem"
```

Security Considerations

  • Private Key Protection: Never share your private key. Ensure the key file has restricted permissions.
  • Verification: Always verify the signature using the corresponding public key before trusting an artifact.
Usage Guidance
This skill appears to be what it claims: a local artifact-signing utility. Before installing or using it:
  1. Do not place production private keys where the agent or this skill can access them unless you explicitly intend it; prefer dedicated signing keys or an HSM/service for production signing.
  2. The script expects an unencrypted PEM (password=None); if you require password-protected keys, modify the code to prompt for or accept a password, or use secure key storage.
  3. Run and review the script in an isolated environment first (verify there is no unexpected network activity), and audit the code if you intend to use it for sensitive signing.
  4. Ensure the 'cryptography' dependency is installed from a trusted source (pip from PyPI) and keep file permissions on private keys restrictive.
If you want the skill to run autonomously, explicitly avoid granting it filesystem access to any sensitive key locations.
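A pre-flight check for the key_path argument, covering the guidance above (a dedicated key location, restrictive file permissions, unencrypted PEM only). This is an added example, not code from the skill; `preflight_key`, `allowed_dir` and the problem labels are hypothetical names, and the permission test applies to POSIX systems only.

```python
import os
import stat
import tempfile

# PEM markers that mean the key is passphrase-protected.
ENCRYPTED_MARKERS = (b"-----BEGIN ENCRYPTED PRIVATE KEY-----",  # PKCS#8
                     b"Proc-Type: 4,ENCRYPTED")                 # traditional OpenSSL PEM


def preflight_key(key_path, allowed_dir):
    """Return a list of problems; an empty list means the key may be passed on."""
    problems = []
    real = os.path.realpath(key_path)
    base = os.path.realpath(allowed_dir)  # hypothetical dedicated signing-key directory
    # Only keys from the one directory set aside for agent signing are eligible.
    if os.path.commonpath([real, base]) != base:
        problems.append("outside-allowed-dir")
    st = os.stat(real)
    if not stat.S_ISREG(st.st_mode):
        problems.append("not-a-regular-file")
        return problems
    # POSIX only: any group/other permission bit exposes the key to other accounts.
    if os.name == "posix" and st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode-too-open")
    with open(real, "rb") as fh:
        head = fh.read(4096)
    if b"PRIVATE KEY-----" not in head:
        problems.append("not-a-pem-private-key")
    elif any(m in head for m in ENCRYPTED_MARKERS):
        # The page notes the script loads keys with password=None.
        problems.append("encrypted-pem-unsupported")
    return problems


def demo():
    """Run the check on constructed placeholder files (no real key material)."""
    body = b"-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n"
    enc = body.replace(b"BEGIN PRIVATE", b"BEGIN ENCRYPTED PRIVATE")
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data, mode in (("ok.pem", body, 0o600),
                                 ("open.pem", body, 0o644),
                                 ("enc.pem", enc, 0o600)):
            path = os.path.join(d, name)
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, mode)
            results[name] = preflight_key(path, d)
    return results
```

Running the check before the agent calls sign_artifact turns a world-readable or misplaced key into a refused request.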
Capability Analysis
Type: OpenClaw Skill
Name: artifact-signing
Version: 1.0.0
The artifact-signing skill is a legitimate utility for generating detached digital signatures using RSA and the Python cryptography library. Analysis of scripts/sign_artifact.py and verify_skill.py shows no evidence of data exfiltration, network activity, or malicious intent; the code strictly performs local file operations as described in SKILL.md.
Capability Assessment
Purpose & Capability
The name/description match the included scripts and examples: the sign_artifact.py signs a file with a PEM private key and the verify_skill.py runs a local test. There are no unrelated binaries, env vars, or config paths required.
Instruction Scope
SKILL.md limits runtime actions to loading a local PEM private key, reading a specified artifact file, producing a detached signature, and advising verification. The provided scripts only operate on files you pass and do not contact external endpoints or read unrelated system files. (Note: sign_artifact.py expects an unencrypted private key — encrypted PEMs with passwords are not handled.)
Install Mechanism
There is no automated install step and no downloads; the skill is instruction-only for a local Python script and asks the user to install the widely used 'cryptography' library via pip. No suspicious install URLs or archive extraction are present.
Credentials
The skill requests no environment variables or external credentials. It requires the user to supply a private key file path at runtime, which is appropriate for signing. However, supplying production signing keys to this skill (or letting the agent access a directory with such keys) is a sensitive choice — the script can sign any artifact presented to it, so key exposure risks must be considered.
Persistence & Privilege
The skill does not request permanent/always-on presence, does not modify other skills or global agent settings, and contains no installation that persists code beyond the included files. Autonomous invocation is allowed by platform default but not accompanied by other red flags.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install artifact-signing
  3. After installation, invoke the skill by name or use /artifact-signing
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of artifact-signing skill.
  • Provides a tool to sign files or artifacts using a PEM-encoded private key.
  • Generates detached signature files for artifacts.
  • Requires Python 3.x and the cryptography library.
  • Strongly emphasizes private key protection and signature verification best practices.
Metadata
Slug artifact-signing
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Artifact Signing?

A skill to sign artifacts using a digital certificate and private key. It is an AI Agent Skill for Claude Code / OpenClaw, with 270 downloads so far.

How do I install Artifact Signing?

Run "/install artifact-signing" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Artifact Signing free?

Yes, Artifact Signing is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Artifact Signing support?

Artifact Signing is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Artifact Signing?

It is built and maintained by Raj Aryan (@rajaryan18); the current version is v1.0.0.
