
AIP Agent Guard

by sunilp · GitHub ↗ · v0.1.0 · MIT-0
cross-platform ⚠ suspicious
61 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install aip-agent-guard
Description
Verify skill authorship, enforce capability manifests, and audit tool usage to secure and control your OpenClaw skills with identity and access management.
README (SKILL.md)

AIP Security Guard

Verify skill authors, enforce capability manifests, and audit tool calls. Adds identity and access control to your OpenClaw setup.

Setup

npm install -g aip-openclaw

Commands

  • "verify skill [name]" -- check signature and manifest of an installed skill
  • "show audit log" -- display recent tool call audit trail
  • "security status" -- show which skills are signed, unsigned, or blocked
  • "trust author [key]" -- add an author to your local trust list

How It Works

AIP Security Guard uses the Agent Identity Protocol (AIP) to verify skill authors via Ed25519 signatures and enforce capability manifests that declare what each skill is allowed to do.

Each skill can optionally include:

  • .aip-signature -- signed envelope proving the skill hasn't been tampered with
  • aip-manifest.toml -- declaration of allowed MCP tools, network access, file access, shell, budget

The guard runs outside OpenClaw's trust boundary. All decisions are logged to an audit trail.


Usage Guidance
This skill is instruction-only and tells you to run 'npm install -g aip-openclaw' to get the enforcement tool. That action will download and run code from the npm registry with global privileges and could execute arbitrary scripts. Before installing or following these instructions:
  1. Inspect the npm package source (use the provided GitHub link) and review its package.json and any postinstall scripts.
  2. Verify the package author and releases (check npm owner/maintainer, commit history, and signed releases if available).
  3. Prefer installing in an isolated environment (container, VM) or a non-global location (avoid -g) and do a local code audit.
  4. Request the publisher to provide an install spec in the registry (with a pinned version and checksum) or include the needed code in the skill package.
  5. If you cannot audit the package, do not run the global install on production hosts.
These steps will reduce risk and help validate whether the tool is trustworthy.
Capability Analysis
Type: OpenClaw Skill
Name: aip-agent-guard
Version: 0.1.0
The bundle contains metadata and documentation for 'AIP Security Guard', a tool designed to verify skill signatures and audit tool calls. The SKILL.md file provides instructions for the agent to perform security-related tasks (verification, auditing, and trust management) that align with the stated purpose. No executable code, suspicious network calls, or malicious prompt injections were found in the provided files (_meta.json, SKILL.md).
Capability Assessment
Purpose & Capability
The stated purpose (verify skill authorship, enforce manifests, audit tool calls) aligns with the instructions (calls out an 'aip-openclaw' tool). However the registry contains no install spec or packaged code while the SKILL.md expects an external npm package to be installed, which is an inconsistency: if the skill needs that tool it should declare it in metadata or include code.
Instruction Scope
The SKILL.md instructs the agent/user to run 'npm install -g aip-openclaw' and then perform local actions (verify signatures, modify a local trust list, show/append to audit logs). Those instructions imply reading/writing local files and executing third-party code; the skill does not limit or give integrity checks for that external code and does not describe exactly which files or paths are used for trust/audit state.
Install Mechanism
No install spec is present in the registry, yet the instructions ask for a global npm install. Installing an arbitrary npm package globally can execute arbitrary code (postinstall scripts). The SKILL.md provides no package checksum, release URL, or pinned version; relying on the npm registry without verification is a moderate-to-high risk.
Credentials
The skill requests no environment variables, credentials, or privileged config paths in its metadata. The SKILL.md also does not ask for unrelated secrets. That said, the installed npm package would likely need filesystem access to manage trust lists and audit logs—reasonable for its purpose but not explicitly scoped.
Persistence & Privilege
always is false and model invocation is allowed (normal). The documented behavior (maintaining a local trust list and audit trail) implies persistent local state, which is consistent with the skill's goals, but the SKILL.md asks the user to install a global binary which increases system-wide impact.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install aip-agent-guard
  3. After installation, invoke the skill by name or use /aip-agent-guard
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
Initial release: skill signing, capability manifests, runtime enforcement for OpenClaw
Metadata
Slug aip-agent-guard
Version 0.1.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is AIP Agent Guard?

Verify skill authorship, enforce capability manifests, and audit tool usage to secure and control your OpenClaw skills with identity and access management. It is an AI Agent Skill for Claude Code / OpenClaw, with 61 downloads so far.

How do I install AIP Agent Guard?

Run "/install aip-agent-guard" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is AIP Agent Guard free?

Yes, AIP Agent Guard is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does AIP Agent Guard support?

AIP Agent Guard is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created AIP Agent Guard?

It is built and maintained by sunilp (@sunilp); the current version is v0.1.0.
