shaivpidadi

Arc Security - Agent Trust Protocol

Author: Shaishav Pidadi · GitHub · v1.0.1
cross-platform ⚠ suspicious
Total downloads: 2731 · Favorites: 2 · Current installs: 0 · Versions: 2
Install in OpenClaw
/install arc-security
Description
Manage skill trust by staking USDC bonds, paying micro-fees for verified skills, reporting malicious skills, and participating in decentralized governance vi...
Usage (SKILL.md)

Arc Security - Agent Trust Protocol

Chain-agnostic security infrastructure for OpenClaw skills. Auditors stake USDC to vouch for skill safety, users pay micro-fees to access verified skills, and malicious skills get slashed through decentralized governance -- all powered by CCTP on Arc.

Installation

clawhub install arc-security

Configuration

Set the following environment variables:

| Variable | Required | Description |
| --- | --- | --- |
| ARC_RPC_URL | Yes | Arc testnet RPC endpoint (default: https://testnet-rpc.arc.network) |
| CONTRACT_ADDRESS | Yes | Deployed SkillSecurityRegistry contract address |
| PRIVATE_KEY | Yes | Wallet private key (for signing transactions) |
| X402_SERVER_URL | Yes | x402 payment server URL |
| ETH_RPC_URL | No | Ethereum Sepolia RPC (for cross-chain operations) |
| BASE_RPC_URL | No | Base Sepolia RPC (default: https://sepolia.base.org) |
| ARB_RPC_URL | No | Arbitrum Sepolia RPC (default: https://sepolia-rollup.arbitrum.io/rpc) |

Commands

check -- Check skill trust status

Query on-chain bond status, auditor count, usage stats, and computed trust score for any skill.

clawhub arc-security check <skill_id>

Example output:

Skill: youtube-downloader
├─ Bonded: 100.00 USDC by 3 auditors
├─ Used: 1,250 times
├─ Trust Score: 75/100
├─ Status: Safe to use
└─ Created: 2025-06-15 14:30:00

Trust Score is calculated as:

  • 40% from bond amount (capped at 100 USDC = full weight)
  • 40% from usage count (capped at 1,000 uses = full weight)
  • 20% from auditor count (5 points per auditor)
  • Flagged skills receive a -50 penalty

use -- Pay and download a skill

Pays the 0.10 USDC usage fee via x402 and downloads the skill package. Automatically selects the cheapest payment path based on your wallet balances.

clawhub arc-security use <skill_id>

Payment chain selection priority:

  1. Arc Testnet (direct -- no bridging fees)
  2. Base Sepolia (via CCTP)
  3. Arbitrum Sepolia (via CCTP)
  4. Ethereum Sepolia (via CCTP)

bond -- Stake USDC to vouch for a skill

Stake USDC as a security bond to vouch for a skill's safety. If the skill is found malicious, 50% of your stake is slashed.

clawhub arc-security bond <skill_id> <amount> <source_chain>

Arguments:

  • skill_id -- Skill identifier
  • amount -- Amount of USDC to stake (e.g. 50)
  • source_chain -- Chain to pay from (ethereum-sepolia, base-sepolia, arbitrum-sepolia, arc-testnet)

Example:

clawhub arc-security bond youtube-downloader 50 base-sepolia

report -- Report a malicious skill

Submit a claim that a skill is malicious. Requires a 1 USDC anti-spam deposit (refunded if the claim is validated).

clawhub arc-security report <skill_id> --evidence <ipfs_hash>

Example:

clawhub arc-security report bad-skill --evidence QmXyz123...

Opens a 72-hour voting window for auditors.

vote-claim -- Vote on a pending claim

Cast a vote on whether a reported skill is malicious. Only wallets that have staked on any skill are eligible to vote. Vote weight is based on total stake and audit track record.

clawhub arc-security vote-claim <claim_id> <support|oppose>

Vote weight formula: sqrt(totalStaked) * (successfulAudits / totalAudits)

claim-earnings -- Withdraw accumulated fees

Withdraw your share of usage fees earned as an auditor. Fees are split 70% to auditors (proportional to stake) and 30% to the insurance pool.

clawhub arc-security claim-earnings <destination_chain>

Supported destination chains:

  • arc-testnet (direct transfer)
  • ethereum-sepolia, base-sepolia, arbitrum-sepolia (via CCTP)

Supported Chains

| Chain | CCTP Domain | Payment | Bonding | Earnings |
| --- | --- | --- | --- | --- |
| Arc Testnet | 100 | Direct | Direct | Direct |
| Ethereum Sepolia | 0 | CCTP | CCTP | CCTP |
| Base Sepolia | 6 | CCTP | CCTP | CCTP |
| Arbitrum Sepolia | 3 | CCTP | CCTP | CCTP |

Fee Structure

| Action | Cost | Distribution |
| --- | --- | --- |
| Use a skill | 0.10 USDC | 70% auditors, 30% insurance pool |
| Submit a claim | 1.00 USDC deposit | Refunded if claim validated |
| Guilty verdict | 50% of bond slashed | 80% to victim, 20% to insurance |

Architecture

User (any chain)
  │
  ├── CCTP burn ──► Arc Testnet ──► SkillSecurityRegistry (bonds, fees, claims)
  │                                        │
  └── x402 GET ──► Payment Server ◄────────┘ (verifies payment on-chain)
                       │
                       └──► Skill package (ZIP)

  1. SkillSecurityRegistry (Solidity on Arc) -- Holds bonds, processes fees, manages claims/votes/slashing
  2. x402 Payment Server (Node.js) -- Serves skill packages behind HTTP 402 paywall, verifies on-chain payments
  3. This skill (Python CLI) -- User-facing commands that orchestrate CCTP transfers and contract calls

License

MIT

Security Recommendations
What to consider before installing:

  • This skill needs a wallet private key (PRIVATE_KEY) and will sign/send transactions (bonding, voting, claiming, authorizing usage). Only use a key with minimal funds and no long‑term access to critical assets (prefer a throwaway/test wallet or hardware wallet where possible).
  • The x402 server you configure will be able to serve ZIP packages that this skill will download and extract locally. Only point X402_SERVER_URL at servers you trust; inspect downloaded ZIPs before executing any installed code.
  • The package metadata is inconsistent: skill.json does not list PRIVATE_KEY as a required config even though SKILL.md and the code expect it. That mismatch suggests the metadata or packaging may be incomplete; proceed cautiously and review the code yourself.
  • The CCTP attestation flow in the client contains placeholders (simulated attestation) and many testnet zero-addresses; the implementation may be incomplete or non-production. Do not rely on it for real mainnet funds without auditing.
  • If you decide to test: use testnet or a disposable environment, verify CONTRACT_ADDRESS and RPC endpoints, and monitor outbound network calls. Prefer to review / vet the x402 server and SkillSecurityRegistry contract code before trusting bond/vote flows.

Functional Analysis
Type: OpenClaw Skill
Name: arc-security
Version: 1.0.1

This skill is classified as suspicious due to two major security risks, despite its stated benign purpose. Firstly, it explicitly requires the user's `PRIVATE_KEY` as an environment variable for signing blockchain transactions (mentioned in `SKILL.md`, `README.md`, and used in `arc_contract.py` and `cctp_client.py`). This exposes a critical secret to the agent's environment, making it highly vulnerable to theft or misuse. Secondly, the `x402_client.py` module is designed to download and extract arbitrary ZIP files from a remote `X402_SERVER_URL`, posing a significant supply chain risk where a compromised server could deliver malicious payloads to the agent.
Capability Assessment
Purpose & Capability
Name/description and code align: the skill implements an on‑chain SkillSecurityRegistry client, CCTP transfers and an x402 paywall client to download skill packages. Requiring RPC URLs, CONTRACT_ADDRESS and a signing key (PRIVATE_KEY) is consistent with on‑chain write operations. However, skill.json's config omits PRIVATE_KEY even though SKILL.md and the code require it — this manifest mismatch is a red flag that the metadata and runtime requirements are not fully synchronized.
Instruction Scope
Runtime instructions and code perform sensitive actions outside simple queries: the CLI will sign and send on‑chain transactions using PRIVATE_KEY, and the x402 client downloads arbitrary ZIP packages from the configured x402 server and extracts them into the current working directory. Automatically extracting remote archives without validation (and installing other skills) increases risk because a malicious x402 server can deliver arbitrary code. SKILL.md requires PRIVATE_KEY and contract config which the code uses; the instruction scope matches the purpose but includes high‑impact operations (key usage + arbitrary code installation).
Install Mechanism
No install spec (instruction+code only), dependencies are standard (web3, requests, python-dotenv). The highest installation risk comes from runtime behavior: request_skill downloads a zip and extracts it locally (extract all). The code does not validate or sandbox downloaded packages. The package itself was delivered with source files included (no external archive downloads during install).
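One way to gate the download-and-extract step described above, as an added example (not code from arc-security or its x402 client): the archive is checked against a digest pinned out of band, then scanned for traversal paths, symlink entries and oversized contents before being unpacked into a fresh directory. The pinned digest, the size limits and all function names are assumptions of this example.

```python
import hashlib
import io
import stat
import zipfile
from pathlib import Path, PurePosixPath

MAX_FILES = 200                      # assumed limits, not taken from the page
MAX_TOTAL_BYTES = 20 * 1024 * 1024


def inspect_package(data: bytes, pinned_sha256: str) -> list[str]:
    """Return reasons the archive must not be extracted (empty list = OK)."""
    if hashlib.sha256(data).hexdigest() != pinned_sha256.lower():
        return ["sha256 does not match the pinned digest"]
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > MAX_FILES:
            problems.append(f"too many entries: {len(infos)}")
        if sum(i.file_size for i in infos) > MAX_TOTAL_BYTES:
            problems.append("declared uncompressed size exceeds limit")
        for info in infos:
            name = info.filename.replace("\\", "/")
            parts = PurePosixPath(name).parts
            if name.startswith("/") or ".." in parts or ":" in name.split("/")[0]:
                problems.append(f"path escapes target dir: {info.filename}")
            if stat.S_ISLNK(info.external_attr >> 16):
                problems.append(f"symlink entry: {info.filename}")
    return problems


def safe_extract(data: bytes, pinned_sha256: str, dest: Path) -> list[str]:
    """Extract into a fresh directory only if inspect_package finds nothing."""
    problems = inspect_package(data, pinned_sha256)
    if problems:
        raise ValueError("; ".join(problems))
    dest.mkdir(parents=True, exist_ok=False)   # never the current working dir
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.extractall(dest)
    return sorted(p.relative_to(dest).as_posix() for p in dest.rglob("*") if p.is_file())


def build_sample(entries: dict[str, bytes]) -> bytes:
    """Constructed sample archive (stands in for an x402 download)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()
```

Passing the checks says nothing about what the package's code does once run; the extracted files still need review before the skill is installed.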
Credentials
The skill legitimately needs RPC endpoints and a private key for signing transactions and cross‑chain transfers. That said, PRIVATE_KEY is highly sensitive and the manifest (skill.json) fails to declare it as a required config item, while SKILL.md and the code require it — an inconsistency. Also the skill will use that key to sign arbitrary transactions (bond, vote, authorize usage), so you must only use a key you control and limit funds on it. The default x402 server URL is a placeholder (skills.example.com) — using an untrusted x402 server would allow it to control what gets downloaded.
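An added preflight check for the environment variables this skill reads, written for this page and not taken from the skill's code. The host allowlist parameter, the https-only rule and the function name are assumptions; the placeholder host is the one named in the paragraph above.

```python
import re
from urllib.parse import urlparse

REQUIRED = ("ARC_RPC_URL", "CONTRACT_ADDRESS", "PRIVATE_KEY", "X402_SERVER_URL")
URL_VARS = ("ARC_RPC_URL", "X402_SERVER_URL", "ETH_RPC_URL", "BASE_RPC_URL", "ARB_RPC_URL")
PLACEHOLDER_HOSTS = {"skills.example.com"}   # placeholder default named in the review
ZERO_ADDRESS = "0x" + "0" * 40


def preflight(env: dict[str, str], trusted_x402_hosts: set[str]) -> list[str]:
    """Return findings that should block any signing or download (empty = OK)."""
    findings = [f"{var} is not set" for var in REQUIRED if not env.get(var)]
    for var in URL_VARS:
        value = env.get(var)
        if value and (urlparse(value).scheme != "https" or not urlparse(value).hostname):
            findings.append(f"{var} must be an https URL")
    host = urlparse(env.get("X402_SERVER_URL", "")).hostname
    if host in PLACEHOLDER_HOSTS:
        findings.append("X402_SERVER_URL still points at the placeholder host")
    elif host and host not in trusted_x402_hosts:
        findings.append(f"X402_SERVER_URL host {host} is not on the allowlist")
    address = env.get("CONTRACT_ADDRESS", "")
    if address and not re.fullmatch(r"0x[0-9a-fA-F]{40}", address):
        findings.append("CONTRACT_ADDRESS is not a 20-byte hex address")
    elif address.lower() == ZERO_ADDRESS:
        findings.append("CONTRACT_ADDRESS is the zero address")
    key = env.get("PRIVATE_KEY", "")
    if key and not re.fullmatch(r"(0x)?[0-9a-fA-F]{64}", key):
        findings.append("PRIVATE_KEY is not a 32-byte hex string")  # never echo the value
    return findings


# Constructed sample environment: throwaway key, made-up contract address and host.
SAMPLE_ENV = {
    "ARC_RPC_URL": "https://testnet-rpc.arc.network",
    "CONTRACT_ADDRESS": "0x" + "ab" * 20,
    "PRIVATE_KEY": "0x" + "11" * 32,
    "X402_SERVER_URL": "https://x402.internal.example",
}
```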
Persistence & Privilege
The skill is not marked always:true and does not request platform‑wide persistence. It will, however, write downloaded skill packages to disk and extract them (installing other skills), which is expected for a skill installer but increases attack surface. It does not modify other skills' configurations directly in the code shown, but installing arbitrary packages can effectively modify agent behavior.
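How to Use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install arc-security
  3. Once installation completes, invoke the Skill by name or trigger it with /arc-security
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version History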
v1.0.1
  • Major documentation overhaul with expanded usage instructions and protocol details
  • Added comprehensive command reference for skill trust checking, usage payment, bonding, reporting, voting, and earnings withdrawal
  • Updated environment variable configuration table with default values and optional cross-chain support
  • Detailed architecture, fee structure, and supported chains documentation
  • Improved trust score and governance process explanations
v1.0.0
Arc Security 1.0.0 initial release
  • Introduces chain-agnostic Agent Trust Protocol for OpenClaw skills.
  • Provides installation instructions with Clawhub.
  • Details configuration using environment variables for Arc integration.
  • Released under the MIT license.
Metadata
Slug arc-security
Version 1.0.1
License
Total installs 0
Current installs 0
Versions 2
FAQ

What is Arc Security - Agent Trust Protocol?

Manage skill trust by staking USDC bonds, paying micro-fees for verified skills, reporting malicious skills, and participating in decentralized governance vi... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 2731 total downloads to date.

How do I install Arc Security - Agent Trust Protocol?

Run the command "/install arc-security" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is required.

Is Arc Security - Agent Trust Protocol free?

Yes, Arc Security - Agent Trust Protocol is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does Arc Security - Agent Trust Protocol support?

Arc Security - Agent Trust Protocol runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Arc Security - Agent Trust Protocol?

It is developed and maintained by Shaishav Pidadi (@shaivpidadi); the current version is v1.0.1.
