Archon Keymaster

Author: macterra · GitHub ↗ · v0.1.4
cross-platform · ⚠ flagged suspicious (see the analysis sections further down)
Total downloads: 536 · Favorites: 0 · Current installs: 0 · Versions: 5

Install in OpenClaw:
/install archon-keymaster
Description
Core Archon DID toolkit - identity management, verifiable credentials, encrypted messaging (dmail), Nostr integration, file encryption/signing, aliasing, aut...
Usage (SKILL.md)

Archon Keymaster - Core DID Toolkit

Core toolkit for Archon decentralized identities (DIDs). Manages identity lifecycle, encrypted communication, cryptographic operations, and authorization.

Related skills:

  • archon-vault — Vault management and encrypted distributed backups
  • archon-cashu — Cashu ecash with DID-locked tokens

Capabilities

  • Identity Management - Create, manage multiple DIDs, recover from mnemonic
  • Verifiable Credentials - Create schemas, issue/accept/revoke credentials
  • Encrypted Messaging (Dmail) - Send/receive end-to-end encrypted messages between DIDs
  • Nostr Integration - Derive Nostr keypairs from your DID (same secp256k1 key)
  • File Encryption - Encrypt files for specific DIDs
  • Digital Signatures - Sign and verify files with your DID
  • DID Aliasing - Friendly names for DIDs (contacts, schemas, credentials)
  • Authorization - Challenge/response verification between DIDs
  • Groups - Create and manage DID groups for access control and multi-party operations
  • Polls - Cryptographic voting with transparent or secret ballots
  • Assets - Store and retrieve content-addressed assets in the registry

Prerequisites

  • Node.js installed (for npx @didcid/keymaster)
  • Environment: ~/.archon.env with:
    • ARCHON_WALLET_PATH - path to your wallet file (required)
    • ARCHON_PASSPHRASE - wallet encryption passphrase (required)
    • ARCHON_GATEKEEPER_URL - gatekeeper endpoint (optional, defaults to public)
  • The env file, wallet path and passphrase are written automatically by create-id.sh

Security Notes

This skill handles cryptographic identity operations:

  1. Passphrase in environment: ARCHON_PASSPHRASE is stored in ~/.archon.env for non-interactive script execution. The file should be chmod 600.

  2. Sensitive files accessed:

    • ~/.archon.wallet.json — encrypted wallet containing DID private keys
    • ~/.archon.env — wallet encryption passphrase
  3. Network: Payloads (dmail, encrypted files, issued credentials) are encrypted before transmission to the Archon gatekeeper/hyperswarm, so only intended recipients can decrypt them. DID documents, anything you publish to your manifest, and published poll results are public by design.

  4. Key recovery: Your 12-word mnemonic is the master recovery key. Store it offline, never in digital form.

Quick Start

First-Time Setup

./scripts/identity/create-id.sh [wallet-path]

Creates your first DID, generates passphrase, saves to ~/.archon.env.

  • Default wallet location: ~/.archon.wallet.json
  • You can specify a custom path: ./scripts/identity/create-id.sh ~/my-wallet.json
  • Write down your 12-word mnemonic - it's your master recovery key.

Load Environment

All scripts require ~/.archon.env to be configured. Simply run:

source ~/.archon.env

The environment file sets ARCHON_WALLET_PATH and ARCHON_PASSPHRASE. Scripts will error if these are not set.
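Because every script sources ~/.archon.env and that file holds the wallet passphrase in plaintext, a pre-flight check is worth running before sourcing it. The script below is an added example, not part of the skill: it refuses a file that other local users could read or that you do not own, and confirms the variables the scripts need are present. It assumes the file is in shell `export KEY=value` form (which `source` implies) and that ARCHON_WALLET_PATH points at an existing file; neither detail is documented on the page.

```python
"""Pre-flight check before `source ~/.archon.env` (added example, not skill code).

Assumption: create-id.sh writes shell-style `export KEY=value` lines, since the
page says to load the file with `source`.
"""
import os
import re
import stat

REQUIRED = ("ARCHON_WALLET_PATH", "ARCHON_PASSPHRASE")
_LINE = re.compile(r"^\s*(?:export\s+)?([A-Z_][A-Z0-9_]*)=(.*)$")


def parse_env(text):
    """Parse KEY=VALUE / export KEY=VALUE lines. Comment lines are skipped,
    but a '#' inside a value is kept (a passphrase may contain one)."""
    env = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]
        env[key] = val
    return env


def check_env_file(path=os.path.expanduser("~/.archon.env")):
    """Return a list of problems; an empty list means the file is safe to source."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: missing (run create-id.sh first)"]
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: not a regular file (symlinks are refused)"]
    problems = []
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        problems.append(f"{path}: owned by uid {st.st_uid}, not by you")
    if st.st_mode & 0o077:  # any group/other bit set means another user can read the passphrase
        problems.append(f"{path}: mode {oct(st.st_mode & 0o777)} is readable "
                        "by group/other; run chmod 600")
    with open(path) as fh:
        env = parse_env(fh.read())
    for key in REQUIRED:
        if not env.get(key):
            problems.append(f"{key}: not set")
    wallet = env.get("ARCHON_WALLET_PATH")
    if wallet and not os.path.isfile(os.path.expanduser(wallet)):
        problems.append(f"ARCHON_WALLET_PATH: {wallet} does not exist")
    return problems


if __name__ == "__main__":
    import sys
    issues = check_env_file(*sys.argv[1:2])
    print("\n".join(issues) if issues else "ok")
    sys.exit(1 if issues else 0)
```

Run it as `python3 check_env.py` (or with an explicit path) and only `source ~/.archon.env` when it prints `ok`; a non-zero exit makes it usable as a guard at the top of your own wrapper scripts.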

Identity Management

Create Additional Identity

./scripts/identity/create-additional-id.sh <name>

Create pseudonymous personas or role-separated identities. All of them derive from the same mnemonic, so anyone holding the mnemonic (or the decrypted wallet) controls every persona; the separation is organisational, not a separate key-recovery domain.

List All DIDs

./scripts/identity/list-ids.sh

Switch Active Identity

./scripts/identity/switch-id.sh <name>

Recovery

For disaster recovery and vault restore operations, see the archon-vault skill (backup and vault scripts were split out of this skill in v0.1.3).

Verifiable Credential Schemas

Create and manage schemas for verifiable credentials.

Create Schema

./scripts/schemas/create-schema.sh <schema-file.json>

Create a credential schema from a JSON file.

Example schema (proof-of-human.json):

{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "$credentialContext": [
    "https://www.w3.org/ns/credentials/v2",
    "https://archetech.com/schemas/credentials/agent/v1"
  ],
  "$credentialType": [
    "VerifiableCredential",
    "AgentCredential",
    "ProofOfHumanCredential"
  ],
  "name": "proof-of-human",
  "description": "Verifies human status",
  "properties": {
    "credence": {
      "type": "number",
      "minimum": 0,
      "maximum": 1,
      "description": "Confidence level (0-1) that subject is human"
    }
  },
  "required": ["credence"]
}

./scripts/schemas/create-schema.sh proof-of-human.json
# Returns: did:cid:bagaaiera4yl4xi...

List Your Schemas

./scripts/schemas/list-schemas.sh

Lists all schemas you own.

Get Schema

./scripts/schemas/get-schema.sh <schema-did-or-alias>

Retrieve schema definition by DID or alias.

Verifiable Credentials

Issue, accept, and manage verifiable credentials.

Issuing Credentials (3-step process)

1. Bind Credential to Subject

./scripts/credentials/bind-credential.sh <schema-did-or-alias> <subject-did-or-alias>

Creates a bound credential template file for the subject.

Example:

./scripts/credentials/bind-credential.sh proof-of-human-schema alice
# Creates: bagaaierb...BOUND.json  (subject DID without 'did:cid:' prefix)

2. Fill in Credential Data

Edit the .BOUND.json file and fill in the credentialSubject data:

{
  "credentialSubject": {
    "id": "did:cid:bagaaierb...",
    "credence": 0.97
  }
}

3. Issue Credential

./scripts/credentials/issue-credential.sh <bound-file.json>

Signs and encrypts the credential. Returns the credential DID. The underlying @didcid/keymaster command may save output files - refer to Keymaster documentation for exact file output behavior.

Example:

./scripts/credentials/issue-credential.sh bagaaierb...BOUND.json
# Returns credential DID: did:cid:bagaaierc...

Accepting Credentials

./scripts/credentials/accept-credential.sh <credential-did>

Accept and save a credential issued to you.

Example:

./scripts/credentials/accept-credential.sh did:cid:bagaaierc...

Managing Credentials

List Your Credentials

./scripts/credentials/list-credentials.sh

Lists all credentials you've received.

List Issued Credentials

./scripts/credentials/list-issued.sh

Lists all credentials you've issued to others.

Get Credential

./scripts/credentials/get-credential.sh <credential-did-or-alias>

Retrieve full credential details.

Publishing & Revoking

Publish Credential

./scripts/credentials/publish-credential.sh <credential-did>

Add credential to your public DID manifest (makes it visible to others).

Revoke Credential

./scripts/credentials/revoke-credential.sh <credential-did>

Revoke a credential you issued (invalidates it).

Complete Example: Issuing Proof-of-Human

# 1. Create schema
./scripts/schemas/create-schema.sh proof-of-human.json
# Returns: did:cid:bagaaiera4yl4xi...

# 2. Add alias for convenience
./scripts/aliases/add-alias.sh proof-of-human-schema did:cid:bagaaiera4yl4xi...

# 3. Bind credential to Alice
./scripts/credentials/bind-credential.sh proof-of-human-schema alice
# Creates: bagaaierb...BOUND.json  (alice's DID without prefix)

# 4. Edit file, set credence: 0.97

# 5. Issue credential
./scripts/credentials/issue-credential.sh bagaaierb...BOUND.json
# Returns: did:cid:bagaaierc...

# 6. Alice accepts it
./scripts/credentials/accept-credential.sh did:cid:bagaaierc...

# 7. Alice publishes to her manifest
./scripts/credentials/publish-credential.sh did:cid:bagaaierc...
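Step 4 of the flow above is a hand edit, and issue-credential.sh signs whatever the .BOUND.json file contains; nothing on the page says the value is checked against the schema before signing. The script below is an added example, not Keymaster code: it validates the credentialSubject of a bound file against the schema's properties/required keywords (the only draft-07 keywords the page's schema uses, plus enum) so a bad credence such as 1.4 or a string "0.97" is caught before it is signed and published. The embedded schema is the relevant part of the page's proof-of-human.json; the bound-file layout follows the page's example; the sample bound files are constructed.

```python
"""Pre-issue check of a .BOUND.json file against its schema (added example,
not Keymaster code). Implements only: properties, type, minimum, maximum,
required, enum.
"""
import json

# Relevant part of the page's proof-of-human schema, embedded so this runs offline.
SCHEMA = json.loads("""
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "name": "proof-of-human",
  "properties": {
    "credence": {"type": "number", "minimum": 0, "maximum": 1,
                 "description": "Confidence level (0-1) that subject is human"}
  },
  "required": ["credence"]
}
""")

# Constructed bound files; real ones are produced by bind-credential.sh.
GOOD_BOUND = {"credentialSubject": {"id": "did:cid:bagaaierb...", "credence": 0.97}}
BAD_RANGE = {"credentialSubject": {"id": "did:cid:bagaaierb...", "credence": 1.4}}
BAD_TYPE = {"credentialSubject": {"id": "did:cid:bagaaierb...", "credence": "0.97"}}
MISSING = {"credentialSubject": {"id": "did:cid:bagaaierb..."}}

_TYPES = {"number": (int, float), "integer": int, "string": str,
          "boolean": bool, "object": dict, "array": list}


def _check(name, value, spec):
    """Problems with one property value against its schema entry."""
    expected = spec.get("type")
    if expected in _TYPES:
        # bool is an int subclass in Python; JSON Schema treats it as its own type
        wrong_bool = isinstance(value, bool) and expected != "boolean"
        if wrong_bool or not isinstance(value, _TYPES[expected]):
            return [f"{name}: expected {expected}, got {type(value).__name__}"]
    errors = []
    if "enum" in spec and value not in spec["enum"]:
        errors.append(f"{name}: {value!r} not in {spec['enum']}")
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        if "minimum" in spec and value < spec["minimum"]:
            errors.append(f"{name}: {value} is below minimum {spec['minimum']}")
        if "maximum" in spec and value > spec["maximum"]:
            errors.append(f"{name}: {value} is above maximum {spec['maximum']}")
    return errors


def validate_bound(schema, bound):
    """Return a list of problems; an empty list means the file is safe to issue."""
    subject = bound.get("credentialSubject")
    if not isinstance(subject, dict):
        return ["credentialSubject: missing or not an object"]
    errors = []
    sid = subject.get("id")
    if not isinstance(sid, str) or not sid.startswith("did:cid:"):
        errors.append("credentialSubject.id: must be the subject DID (did:cid:...)")
    for field in schema.get("required", []):
        if field not in subject:
            errors.append(f"{field}: required by schema but missing")
    for field, spec in schema.get("properties", {}).items():
        if field in subject:
            errors.extend(_check(field, subject[field], spec))
    return errors


def check_files(schema_path, bound_path):
    """Validate a schema file against a .BOUND.json file on disk."""
    with open(schema_path) as s, open(bound_path) as b:
        return validate_bound(json.load(s), json.load(b))
```

Call `check_files("proof-of-human.json", "bagaaierb...BOUND.json")` between steps 4 and 5 and only run issue-credential.sh when it returns an empty list; a revoked credential still leaves a trace, so catching mistakes before signing is cheaper than revoking afterwards.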

Encrypted Messaging (Dmail)

End-to-end encrypted messages between DIDs with attachment support.

Send Message

./scripts/messaging/send.sh <recipient-did-or-alias> <subject> <body> [cc-did...]

Examples:

./scripts/messaging/send.sh alice "Meeting" "Let's sync tomorrow"
./scripts/messaging/send.sh did:cid:bag... "Update" "Status report" did:cid:bob...

Check Inbox

./scripts/messaging/refresh.sh   # Poll for new messages
./scripts/messaging/list.sh      # List inbox
./scripts/messaging/list.sh unread  # Filter unread

Read Message

./scripts/messaging/read.sh <dmail-did>

Reply/Forward/Archive

./scripts/messaging/reply.sh <dmail-did> <body>
./scripts/messaging/forward.sh <dmail-did> <recipient-did> [body]
./scripts/messaging/archive.sh <dmail-did>
./scripts/messaging/delete.sh <dmail-did>

Attachments

./scripts/messaging/attach.sh <dmail-did> <file-path>
./scripts/messaging/get-attachment.sh <dmail-did> <attachment-name> <output-path>

Nostr Integration

Derive Nostr identity from your DID - same secp256k1 key, two protocols.

Prerequisites

Install nak CLI (this is upstream's install one-liner; it executes whatever the script fetches, so download and read install.sh before piping it to sh):

curl -sSL https://raw.githubusercontent.com/fiatjaf/nak/master/install.sh | sh

Derive Nostr Keys

./scripts/nostr/derive-nostr.sh

Outputs nsec, npub, and hex pubkey (derived from m/44'/0'/0'/0/0).

Save Keys

mkdir -p ~/.clawstr
(umask 077 && printf '%s\n' "nsec1..." > ~/.clawstr/secret.key)   # created 0600; never world-readable, even briefly
chmod 600 ~/.clawstr/secret.key

Creating the file and then running chmod leaves a window in which it has your default umask permissions; the umask subshell above avoids that. Typing the nsec as a literal on the command line also records it in your shell history, so prefer entering it at a prompt or redirecting it from derive-nostr.sh output.

Publish Nostr Profile

echo '{
  "kind": 0,
  "content": "{\"name\":\"YourName\",\"about\":\"Your bio. DID: did:cid:...\"}"
}' | nak event --sec $(cat ~/.clawstr/secret.key) \
  wss://relay.ditto.pub wss://relay.primal.net wss://relay.damus.io wss://nos.lol

Note: passing the key via --sec puts it in nak's argument list, which other local users can see in the process table while nak runs. On a shared machine, run this only where you are the sole user.

Update DID with Nostr Identity

npx @didcid/keymaster set-property YourIdName nostr \
  '{"npub":"npub1...","pubkey":"<hex-pubkey>"}'

File Encryption & Signatures

Encrypt Files

./scripts/crypto/encrypt-file.sh <input-file> <recipient-did-or-alias>
./scripts/crypto/encrypt-message.sh <message> <recipient-did-or-alias>

Returns encrypted DID (stored on-chain/IPFS). Only recipient can decrypt.

Decrypt Files

./scripts/crypto/decrypt-file.sh <encrypted-did> <output-file>
./scripts/crypto/decrypt-message.sh <encrypted-did>

Sign Files (Proof of Authorship)

./scripts/crypto/sign-file.sh <file.json>

Important: File must be JSON. Adds proof section with signature.

Verify Signatures

./scripts/crypto/verify-file.sh <file.json>

Shows who signed it, when, and whether content was tampered with.

DID Aliasing

Friendly names for DIDs - use "alice" instead of did:cid:bagaaiera...

Add Alias

./scripts/aliases/add-alias.sh <alias> <did>

Examples:

./scripts/aliases/add-alias.sh alice did:cid:bagaaiera...
./scripts/aliases/add-alias.sh proof-of-human-schema did:cid:bagaaiera4yl4xi...
./scripts/aliases/add-alias.sh backup-vault did:cid:bagaaierab...

Resolve Alias

./scripts/aliases/resolve-did.sh <alias-or-did>

Pass-through safe (returns DID unchanged if you pass a DID).

List/Remove Aliases

./scripts/aliases/list-aliases.sh
./scripts/aliases/remove-alias.sh <alias>

Note: Aliases work in most Keymaster commands and all encryption/messaging scripts.

Asset Management

Store and retrieve assets (files, images, documents, JSON data) in the distributed registry. Assets are content-addressed (DIDs) and support binary data via base64 encoding.

List Assets

./scripts/assets/list-assets.sh

Lists all asset DIDs in the registry.

Create Assets

From JSON Data (inline)

./scripts/assets/create-asset.sh '{"type":"document","title":"My Doc","content":"..."}'

From JSON File

./scripts/assets/create-asset-json.sh document.json

From File (any type)

./scripts/assets/create-asset-file.sh document.pdf application/pdf

Encodes file as base64 with metadata (filename, content-type).

From Image

./scripts/assets/create-asset-image.sh avatar.png

Auto-detects image type (png/jpg/gif/webp/svg) and encodes with metadata.

Retrieve Assets

Get Asset (raw JSON)

./scripts/assets/get-asset.sh did:cid:bagaaiera...

Returns raw asset data.

Get Asset as JSON

./scripts/assets/get-asset-json.sh did:cid:bagaaiera...

Pretty-prints asset data.

Get File Asset

./scripts/assets/get-asset-file.sh did:cid:bagaaiera... [output-path]

Decodes base64 and saves to disk. Auto-detects filename if no output path provided.

Get Image Asset

./scripts/assets/get-asset-image.sh did:cid:bagaaiera... [output-path]

Decodes base64 and saves image. Auto-detects filename if no output path provided.

Update Assets

Update with JSON Data

./scripts/assets/update-asset.sh did:cid:bagaaiera... '{"updated":true}'

Update with JSON File

./scripts/assets/update-asset-json.sh did:cid:bagaaiera... updated.json

Update with File

./scripts/assets/update-asset-file.sh did:cid:bagaaiera... newdoc.pdf application/pdf

Update with Image

./scripts/assets/update-asset-image.sh did:cid:bagaaiera... newavatar.png

Transfer Assets

./scripts/assets/transfer-asset.sh did:cid:bagaaiera... did:cid:bagaaierat...

Transfer asset ownership to another DID.

Use Cases

  • Skill Packages: Store SKILL.md + scripts as signed assets
  • Profile Media: Avatar images, banners
  • Documents: PDFs, markdown files, archives
  • Data Sets: JSON datasets, configuration files
  • Shared Resources: Transfer assets between DIDs for collaboration

Groups

Manage collections of DIDs for access control, multi-party operations, and organizational structure.

Create Group

./scripts/groups/create-group.sh <group-name>

Creates a group and automatically aliases it by name.

Examples:

./scripts/groups/create-group.sh research-team
./scripts/groups/create-group.sh archetech-devs

Add/Remove Members

./scripts/groups/add-member.sh <group> <member-did-or-alias>
./scripts/groups/remove-member.sh <group> <member-did-or-alias>

Examples:

./scripts/groups/add-member.sh research-team did:cid:bagaaiera...
./scripts/groups/add-member.sh devs alice
./scripts/groups/remove-member.sh devs alice

List Groups

./scripts/groups/list-groups.sh

Lists all groups owned by your current identity.

Get Group Details

./scripts/groups/get-group.sh <group-did-or-alias>

Shows group metadata and membership.

Test Membership

./scripts/groups/test-member.sh <group> [member]

If member is omitted, tests whether your current identity is in the group.

Examples:

./scripts/groups/test-member.sh research-team           # Am I in this group?
./scripts/groups/test-member.sh research-team alice     # Is alice in this group?

Use Cases

  • Access control - Encrypt files for a group, all members can decrypt
  • Team management - Organize DIDs by role or project
  • Multi-party workflows - Define who can participate in group operations

Authorization

Challenge/response flow for verifying a DID controls its private key. Used for agent-to-agent authentication, access control, and proof-of-identity workflows.

Create a Challenge

# Create a basic challenge
./scripts/auth/create-challenge.sh

# Create a challenge as a specific DID alias
./scripts/auth/create-challenge.sh --alias myDID

# Create a challenge from a file
./scripts/auth/create-challenge.sh challenge-template.json

# Create a challenge tied to a specific credential
./scripts/auth/create-challenge-cc.sh did:cid:bagaaiera...

Output: a challenge DID (e.g., did:cid:bagaaiera...) that the responder must sign.

Create a Response

CHALLENGE="did:cid:bagaaiera..."
./scripts/auth/create-response.sh "$CHALLENGE"

Output: a response DID containing a signed proof.

Verify a Response

RESPONSE="did:cid:bagaaiera..."
./scripts/auth/verify-response.sh "$RESPONSE"

Output:

{
    "challenge": "did:cid:...",
    "credentials": [],
    "requested": 0,
    "fulfilled": 0,
    "match": true,
    "responder": "did:cid:..."
}

match: true means the responder proved control of the key behind its DID by signing the challenge. For a challenge created with create-challenge-cc.sh (tied to a credential), also compare fulfilled with requested: match alone says nothing about whether the requested credential was presented.

Complete Authorization Flow

# Challenger creates a challenge
CHALLENGE=$(./scripts/auth/create-challenge.sh)

# Responder creates a response (proves they control their DID)
RESPONSE=$(./scripts/auth/create-response.sh "$CHALLENGE")

# Challenger verifies the response
./scripts/auth/verify-response.sh "$RESPONSE"
# → {"match": true, "responder": "did:cid:...", ...}

Polls

Cryptographically verifiable voting with support for transparent or secret ballots. Voters are added directly to polls (no separate roster required).

Create Poll Template

./scripts/polls/create-poll-template.sh

Outputs a v2 template JSON:

{
    "version": 2,
    "name": "poll-name",
    "description": "What is this poll about?",
    "options": ["yes", "no", "abstain"],
    "deadline": "2026-03-01T00:00:00.000Z"
}

Create Poll

./scripts/polls/create-poll.sh <poll-file.json> [options]

Creates a poll from a JSON template file. Returns poll DID.

Options:

  • --alias TEXT - DID alias for the poll
  • --registry TEXT - Registry URL (default: hyperswarm)

Example:

# Create poll template
./scripts/polls/create-poll-template.sh > my-poll.json

# Edit poll (set name, description, options, deadline)
vi my-poll.json

# Create the poll
./scripts/polls/create-poll.sh my-poll.json
# Returns: did:cid:bagaaiera...

Manage Voters

Add, remove, or list eligible voters for a poll:

# Add a voter
./scripts/polls/add-poll-voter.sh <poll-did> <voter-did>

# Remove a voter
./scripts/polls/remove-poll-voter.sh <poll-did> <voter-did>

# List all eligible voters
./scripts/polls/list-poll-voters.sh <poll-did>

Vote in Poll

./scripts/polls/vote-poll.sh <poll-did> <vote-index>

Cast a vote in a poll. Returns a ballot DID.

Arguments:

  • poll-did - DID of the poll
  • vote-index - Vote number: 0 = spoil, 1-N = option index

Examples:

# View poll first to see options
./scripts/polls/view-poll.sh did:cid:bagaaiera...
# Options: 1=yes, 2=no, 3=abstain

# Cast a vote for "yes" (option 1)
./scripts/polls/vote-poll.sh did:cid:bagaaiera... 1
# Returns: did:cid:bagaaierballot...

# Spoil ballot (vote 0)
./scripts/polls/vote-poll.sh did:cid:bagaaiera... 0

Ballot Workflow

For distributed voting (voters not directly connected to poll owner):

# Voter creates and sends ballot
BALLOT=$(./scripts/polls/vote-poll.sh "$POLL" 1)
./scripts/polls/send-ballot.sh "$BALLOT" "$POLL"

# Poll owner receives and adds ballot
./scripts/polls/update-poll.sh "$BALLOT"

# View ballot details
./scripts/polls/view-ballot.sh "$BALLOT"

Send Poll Notice

Notify all voters about a poll:

./scripts/polls/send-poll.sh <poll-did>

Creates a notice DID that voters can use to find and vote in the poll.

View Poll

./scripts/polls/view-poll.sh <poll-did>

View poll details including options (with indices), deadline, and (if published) results.

Publish Poll Results

Two options for publishing results:

Secret ballots (default):

./scripts/polls/publish-poll.sh <poll-did>

Publishes aggregate results while hiding individual votes.

Transparent ballots:

./scripts/polls/reveal-poll.sh <poll-did>

Publishes results with individual ballots visible (who voted for what).

Unpublish Poll Results

./scripts/polls/unpublish-poll.sh <poll-did>

Remove published results from a poll.

Complete Polling Example

# 1. Create poll template
./scripts/polls/create-poll-template.sh > team-vote.json

# 2. Edit poll:
# {
#   "version": 2,
#   "name": "proposal-vote",
#   "description": "Should we adopt the new proposal?",
#   "options": ["approve", "reject", "defer"],
#   "deadline": "2026-03-01T00:00:00.000Z"
# }

# 3. Create the poll
POLL=$(./scripts/polls/create-poll.sh team-vote.json)
echo "Poll created: $POLL"

# 4. Add eligible voters
./scripts/polls/add-poll-voter.sh "$POLL" did:cid:alice...
./scripts/polls/add-poll-voter.sh "$POLL" did:cid:bob...
./scripts/polls/add-poll-voter.sh "$POLL" did:cid:carol...

# 5. Notify voters
./scripts/polls/send-poll.sh "$POLL"

# 6. Members vote (1=approve, 2=reject, 3=defer); each voter runs this from their own wallet/identity
./scripts/polls/vote-poll.sh "$POLL" 1   # Alice votes approve
./scripts/polls/vote-poll.sh "$POLL" 2   # Bob votes reject
./scripts/polls/vote-poll.sh "$POLL" 1   # Carol votes approve

# 7. View current status
./scripts/polls/view-poll.sh "$POLL"

# 8. After deadline, publish results (hiding who voted what)
./scripts/polls/publish-poll.sh "$POLL"

# OR publish transparently
./scripts/polls/reveal-poll.sh "$POLL"

Use Cases

  • Governance decisions - DAO-style voting with verifiable results
  • Team consensus - Anonymous feedback or transparent decision-making
  • Multi-agent coordination - Agents voting on shared resources
  • Access control - Voting to add/remove group members

Advanced Usage

Multiple Identities (Pseudonymous Personas)

./scripts/identity/create-additional-id.sh pseudonym
./scripts/identity/create-additional-id.sh work-persona
./scripts/identity/switch-id.sh pseudonym

Use cases:

  • Separate personal/work identities
  • Anonymous participation
  • Role-based access control

Dmail Message Format

Dmails are JSON:

{
  "to": ["did:cid:recipient1", "did:cid:recipient2"],
  "cc": ["did:cid:cc-recipient"],
  "subject": "Subject line",
  "body": "Message body",
  "reference": "did:cid:original-message"
}

Direct Keymaster commands:

npx @didcid/keymaster create-dmail message.json
npx @didcid/keymaster send-dmail <dmail-did>
npx @didcid/keymaster file-dmail <dmail-did> "inbox,important"

Signature Verification

Signed files include proof:

{
  "data": {"your": "content"},
  "proof": {
    "type": "EcdsaSecp256k1Signature2019",
    "created": "2026-02-10T20:41:26.323Z",
    "verificationMethod": "did:cid:bagaaiera...#key-1",
    "proofValue": "wju2GCn0QweP4bH6..."
  }
}
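The proof block above, the sign-file.sh / verify-file.sh pair under "File Encryption & Signatures", and the challenge/response flow under "Authorization" all rest on the same mechanism: hash the JSON minus its proof, sign the hash with the DID's secp256k1 key, and let a verifier recompute the hash and check the signature against the key in the DID document. The block below is an added example, not Keymaster code, showing that mechanism end to end in pure Python, including the two failure modes the Troubleshooting section lists (content modified after signing, signature from a different key). Its canonicalisation (sorted keys, no whitespace, SHA-256) and proofValue encoding (hex of r||s) are assumptions, since the page does not document Keymaster's, so it will not verify real sign-file.sh output; the DIDs, the `#key-1` fragment convention and the `resolve_pubkey` callback are illustrative.

```python
"""Detached JSON proofs: sign, verify, and challenge/response (added example,
not Keymaster code). Assumed, not documented on the page: the signed bytes are
the document minus "proof", serialised with sorted keys and no whitespace, then
SHA-256 hashed; proofValue is hex(r || s). Real Keymaster output may differ, so
this will not verify sign-file.sh files; it shows what verify-file.sh checks."""
import hashlib
import json
import secrets

# secp256k1 domain parameters (the curve Keymaster DIDs and Nostr share)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time: demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def pubkey(priv):
    return _mul(priv, G)


def _digest(doc):
    """Hash the document with its proof removed (assumed canonical form)."""
    body = {k: v for k, v in doc.items() if k != "proof"}
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big")


def sign_doc(doc, priv, verification_method):
    """Return a copy of doc carrying an EcdsaSecp256k1Signature2019-style proof."""
    z = _digest(doc)
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * priv) % N
        if r and s:
            break
    if s > N // 2:  # low-s normalisation, which secp256k1 verifiers commonly require
        s = N - s
    signed = dict(doc)
    signed["proof"] = {
        "type": "EcdsaSecp256k1Signature2019",
        "verificationMethod": verification_method,
        "proofValue": r.to_bytes(32, "big").hex() + s.to_bytes(32, "big").hex(),
    }
    return signed


def verify_doc(signed, pub):
    """True only if the proof is well-formed and valid for the current content."""
    proof = signed.get("proof")
    if pub is None or not isinstance(proof, dict) \
            or proof.get("type") != "EcdsaSecp256k1Signature2019":
        return False
    try:
        sig = bytes.fromhex(proof["proofValue"])
    except (KeyError, TypeError, ValueError):
        return False
    if len(sig) != 64:
        return False
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if not (1 <= r < N and 1 <= s < N):
        return False
    w = pow(s, -1, N)
    pt = _add(_mul(_digest(signed) * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def create_response(challenge_did, priv, responder_did):
    """Responder signs the challenge DID, proving control of its key."""
    return sign_doc({"challenge": challenge_did, "responder": responder_did},
                    priv, responder_did + "#key-1")


def verify_response(response, challenge_did, resolve_pubkey):
    """Shape of verify-response.sh output; resolve_pubkey maps a DID to its key
    (Keymaster does this by resolving the DID document via the gatekeeper)."""
    responder = response.get("responder", "")
    match = (response.get("challenge") == challenge_did
             and verify_doc(response, resolve_pubkey(responder)))
    return {"challenge": challenge_did, "match": bool(match), "responder": responder}
```

Two points carry over to the real tooling: the verifier must bind the response to the challenge it issued (a valid signature over someone else's challenge is a replay, not a proof), and the key it checks against must come from resolving the responder's DID, not from anything inside the response itself.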

Security Notes

Cryptographic Security

  • Mnemonic is master key - Store offline, write down, never digital
  • Passphrase encrypts wallet - Protects wallet.json on disk
  • Aliases are local - Not shared, fully decentralized
  • Dmail is end-to-end encrypted - Only sender/recipients can read
  • Signatures are non-repudiable - Can't deny creating valid signature
  • Backups persist - As long as any hyperswarm node retains them

Data Access Disclosure

This skill accesses sensitive data by design:

Data                     Scripts         Purpose
~/.archon.wallet.json    All scripts     Encrypted wallet containing DID private keys
~/.archon.env            All scripts     ARCHON_PASSPHRASE in plaintext, for non-interactive use
~/.clawstr/secret.key    Nostr scripts   Derived Nostr private key (nsec), stored in plaintext

Environment Variables

The following are set in ~/.archon.env:

  • ARCHON_WALLET_PATH - Path to wallet file
  • ARCHON_PASSPHRASE - Wallet decryption passphrase (sensitive!)
  • ARCHON_GATEKEEPER_URL - Optional, defaults to public gatekeeper

Important: ~/.archon.env contains your passphrase in plaintext for script automation. Ensure:

chmod 600 ~/.archon.env  # Owner read/write only

Network Transmission

Scripts connect to:

  • https://archon.technology - Public gatekeeper (default)
  • localhost:4224 - Local gatekeeper (if configured)
  • Hyperswarm DHT - Distributed storage network

Payloads (dmail, encrypted files, issued credentials) are encrypted before transmission; DID documents, anything published to a manifest, and published poll results are public by design. No plaintext secrets (passphrase, private keys, mnemonic) leave your machine.

Troubleshooting

Wallet/Passphrase Issues

"Cannot read wallet":

source ~/.archon.env
ls -la "$ARCHON_WALLET_PATH"   # default: ~/.archon.wallet.json

"Permission denied":

chmod 600 ~/.archon.env

Encryption/Signing

"Cannot decrypt":

  • Ensure message was encrypted for YOUR DID
  • Check passphrase is correct

"Signature verification failed":

  • File modified after signing
  • Signer's DID may be revoked

Dmail

"Messages not arriving":

./scripts/messaging/refresh.sh  # Poll for new messages

"Recipient can't decrypt":

  • Aliases are local to your wallet: run resolve-did.sh on the alias and confirm it is the recipient's actual DID before sending

Safe-use recommendations
This skill appears to do what it claims (a local DID/key management toolkit), but it handles highly sensitive secrets and uses npx to invoke @didcid/keymaster (which will fetch/execute code from the npm registry). Before installing or running: 1) verify the provenance of the package and repository (there's no homepage listed and source is 'unknown'); 2) audit the @didcid/keymaster package or prefer installing it locally from a pinned, reviewed artifact instead of using npx; 3) protect ~/.archon.env (chmod 600) and consider using an interactive passphrase or an HSM/agent-specific secret store rather than a plaintext env file; 4) if you must use a remote gatekeeper, verify its URL and trustworthiness; 5) run the scripts in an isolated environment (container or dedicated machine) until you have audited the code. If you want a higher-confidence verdict, provide the upstream repository or signed package checksum so provenance and supply-chain can be verified.
Functional analysis
Type: OpenClaw Skill Name: archon-keymaster Version: 0.1.4 This skill is classified as suspicious due to the presence of a remote code execution (RCE) vulnerability and inherent high-risk sensitive data handling. The `SKILL.md` instructs users to execute `curl -sSL ... | sh` from a third-party GitHub repository (`fiatjaf/nak`), which allows arbitrary code execution from an external source. Additionally, the skill explicitly handles and stores highly sensitive cryptographic data, including passphrases and private keys, in local files (`~/.archon.env`, `~/.archon.wallet.json`, `~/.clawstr/secret.key`), and performs `npm install` of third-party packages in `scripts/nostr/derive-nostr.sh`, introducing supply chain risks. While these actions are part of the skill's stated purpose, the RCE vulnerability and the critical nature of the data handled elevate the risk beyond benign, despite no clear evidence of intentional malicious behavior.
Capability assessment
Purpose & Capability
Name/description (DID toolkit, credentials, encrypted messaging, Nostr, file crypto, groups/polls) match the provided scripts and SKILL.md. Requested binaries (node, npx, jq, openssl) and env vars (ARCHON_WALLET_PATH, ARCHON_PASSPHRASE, ARCHON_GATEKEEPER_URL) are what the scripts need.
Instruction Scope
SKILL.md and the scripts consistently instruct the agent to create and source ~/.archon.env, read/write a wallet file (default ~/.archon.wallet.json), and invoke npx @didcid/keymaster for operations. The instructions require storing the wallet passphrase in ~/.archon.env (documented), which is sensitive but corresponds to non-interactive scripting needs.
Install Mechanism
There is no install spec in the registry, but the skill bundles many shell scripts. Runtime relies heavily on npx @didcid/keymaster (remote package execution via npm). Using npx implies fetching/executing code from the package registry at runtime — a moderate supply-chain risk compared with purely local binaries.
Credentials
Requested env vars are proportional to the stated purpose (wallet path, passphrase, gatekeeper URL). However, the skill persists ARCHON_PASSPHRASE in plaintext in ~/.archon.env by design; this is necessary for non-interactive use but increases the risk if the file or machine is compromised.
Persistence & Privilege
Skill does not request always:true and makes no changes to other skills or global agent config. It writes only its own environment file and wallet by design; these are expected for a local key management tool.
How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Type the install command in the chat box: /install archon-keymaster
  3. After installation, call the skill by name or trigger it with /archon-keymaster
  4. Supply the inputs described in the skill's parameter docs to get structured output
Version history
v0.1.4
- Added `ARCHON_GATEKEEPER_URL` as an optional environment variable in metadata requirements. - Updated metadata to include `jq` and `openssl` as optional binaries. - No functional changes to scripts; adjustments are metadata-only and documentation-related.
v0.1.3
**Major update: Vault, backup, and ecash functionality split to new skills; this version focuses on core identity and credential management.** - Removes all vault management, backup, and Cashu ecash scripts; now provided separately as `archon-vault` and `archon-cashu`. - Simplifies and updates documentation to reflect only core DID/credential, messaging, and authorization features. - Security notes and prerequisites updated for streamlined core use; backup details delegated to related skills. - SKILL.md restructured and reduced in scope for clarity and maintainability.
v0.1.2
archon-keymaster 0.1.2 changelog - Added `metadata` field in SKILL.md, specifying OpenClaw environment, dependencies (`node`, `npx`), primary environment variable (`ARCHON_PASSPHRASE`), and emoji. - Consolidated and clarified security notes and sensitive data handling within SKILL.md under a new "Security Notes" section. - Removed top-level permissions and sensitive_data sections, moving relevant details to documentation. - No changes to functional code; documentation and metadata update only.
v0.1.1
archon-keymaster v0.1.1 - Added a permissions and security section to SKILL.md, detailing filesystem, network, environment usage, sensitive data handling, and security notes. - Documented what files and environment variables are read/written, and outlined backup/archive behavior and key storage. - Clarified security practices for passphrase storage, encrypted backups, and network encryption. - No changes to core functionality; documentation and metadata only.
v0.1.0
archon-keymaster 0.1.0 - Initial release of a comprehensive Archon decentralized identity (DID) toolkit. - Features include identity management, verifiable credential issuing/acceptance, encrypted messaging (dmail), Nostr key derivation, file encryption/signing, DID aliasing, vault management (including encrypted distributed backup), authorization via challenge/response, group management for access control, and cryptographic polling. - Provides an extensive Bash script interface for all major operations, including disaster recovery and complete credential lifecycle management. - Requires Node.js and environment configuration via `~/.archon.env` for seamless usage.
Metadata
Slug archon-keymaster
Version 0.1.4
License (not listed)
Cumulative installs 0
Current installs 0
Historical versions 5
FAQ

What is Archon Keymaster?

Core Archon DID toolkit - identity management, verifiable credentials, encrypted messaging (dmail), Nostr integration, file encryption/signing, aliasing, aut... It is an AI agent skill plugin for Claude Code / OpenClaw, with 536 cumulative downloads.

How do I install Archon Keymaster?

Run 「/install archon-keymaster」 in the OpenClaw or Claude Code chat box. The skill itself still needs Node.js and a configured ~/.archon.env (see Prerequisites above) before any of its scripts will run.

Is Archon Keymaster free?

The listing describes it as free and open source, and it can be downloaded, installed and used without charge; no license field is given in the metadata.

Which platforms does Archon Keymaster support?

Archon Keymaster is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed.

Who developed Archon Keymaster?

Developed and maintained by macterra (@macterra); current version v0.1.4.
