
Towel Protocol

by Leo Guinan · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
276 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install towel-protocol
Description
Verify AI agent trust scores and reputation via Towel Protocol. Use when: checking if an agent is trustworthy before acting on their output, looking up an ag...
Usage Guidance
This skill is plausible for building agent-to-agent trust channels, but exercise caution before running its scripts. Ask the author to (1) declare required tooling (git, gh, openssl, python3, shasum), (2) document exactly which credentials and GitHub permissions are needed and why, and (3) remove embedding of tokens in remote URLs (use gh auth or secure credential helpers instead). Do not run the scripts with a high-privilege GitHub token or in an environment containing other secrets. If you want to test: run in an isolated account/org with minimal repo scopes, inspect the scripts line-by-line, and consider modifying them to avoid storing tokens in git config and to require explicit, ephemeral credentials rather than reading from local auth state.
Capability Analysis
Type: OpenClaw Skill
Name: towel-protocol
Version: 1.0.0
The bundle implements an agent reputation protocol but includes high-risk scripts that programmatically interact with GitHub. Specifically, `scripts/towel-link.sh` uses the `gh` CLI to create private repositories and extracts the user's GitHub authentication token to embed it in the local git configuration. While these actions are aligned with the stated goal of establishing 'bilateral trust channels' (towel.metaspn.network), the automated handling of sensitive credentials and repository management represents a significant security risk and potential for credential exposure.
Capability Assessment
Purpose & Capability
The skill claims only public read APIs and no credentials, but the included scripts create GitHub repos, push commits, and rely on the GitHub CLI and git; creating bilateral repos and importing credentials into an org is a reasonable capability for a reputation channel, but the skill did not declare any of the required binaries, permissions, or the need for a GitHub token/organization access.
Instruction Scope
SKILL.md describes calling the Towel API (read-only) and mentions building links, but it does not document executing the provided shell scripts. The scripts write seeds and handshake files to a repo, store challenges locally, and instruct humans to share repo access. They also embed the GitHub auth token into a remote URL (git remote set-url with x-access-token:...); that can cause credential leakage in .git/config or logs. The scripts assume/require git, gh, openssl, python3, and shasum but none are declared.
Install Mechanism
No install spec (instruction-only) — lowest-risk by install mechanism. However, the packaged shell scripts will be present on disk and are executable; since there is no declared list of required binaries, an agent or user might run these scripts without understanding prerequisites or consequences.
Credentials
Declared requirements list no environment variables or credentials, yet the scripts implicitly require and use a GitHub auth token (via `gh auth token`) and optionally use TOWEL_REPO_DIR env var. The script's behavior (creating repos in a specified GitHub org and embedding tokens in remote URLs) demands elevated GitHub permissions and risks exposing secrets — these accesses are not documented in the skill metadata.
Persistence & Privilege
The skill does not set always:true and does not modify other skills. It does write files, create repositories, commit, and push, producing persistent artifacts outside the agent runtime (GitHub repos and local files). The persistence is expected for a bilateral trust channel but increases blast radius if credentials or seeds are mishandled.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install towel-protocol
  3. After installation, invoke the skill by name or use /towel-protocol
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial Clawhub release
Metadata
Slug towel-protocol
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Towel Protocol?

Verify AI agent trust scores and reputation via Towel Protocol. Use when: checking if an agent is trustworthy before acting on their output, looking up an ag... It is an AI Agent Skill for Claude Code / OpenClaw, with 276 downloads so far.

How do I install Towel Protocol?

Run "/install towel-protocol" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Towel Protocol free?

Yes, Towel Protocol is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Towel Protocol support?

Towel Protocol is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Towel Protocol?

It is built and maintained by Leo Guinan (@leo-guinan); the current version is v1.0.0.
