rajaryan18

Artifact Signing

Author: Raj Aryan · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ✓ Security check passed
Total downloads: 270
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install artifact-signing
Description
A skill to sign artifacts using a digital certificate and private key.
Usage instructions (SKILL.md)

Artifact Signing Skill

This skill allows an AI agent to sign files, binaries, or any artifact using a PEM-encoded private key. It generates a detached signature file.

Dependencies

  • Python 3.x
  • cryptography library (pip install cryptography)

Tools

sign_artifact

Signs a given artifact with a private key.

Arguments:

  • artifact_path: (Required) Absolute path to the file to be signed.
  • key_path: (Required) Absolute path to the PEM-encoded private key.
  • output_path: (Optional) Absolute path where the signature should be saved. Defaults to <artifact_path>.sig.

Example Usage:

```
python c:\Docs\skills\artifact-signing\scripts\sign_artifact.py "C:\path\to\artifact.zip" "C:\path\to\private_key.pem"
```

Security Considerations

  • Private Key Protection: Never share your private key. Ensure the key file has restricted permissions.
  • Verification: Always verify the signature using the corresponding public key before trusting an artifact.
Security recommendations
This skill appears to be what it claims: a local artifact-signing utility. Before installing or using it: 1) Do not place production private keys where the agent or this skill can access them unless you explicitly intend it; prefer dedicated signing keys or an HSM/service for production signing. 2) The script expects an unencrypted PEM (password=None); if you require password-protected keys, modify the code to prompt for or accept a password, or use secure key storage. 3) Run and review the script in an isolated environment first (verify there is no unexpected network activity), and audit the code if you intend to use it for sensitive signing. 4) Ensure the 'cryptography' dependency is installed from a trusted source (pip from PyPI) and keep file permissions on private keys restrictive. If you want the skill to run autonomously, explicitly avoid granting it filesystem access to any sensitive key locations.
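The "Verification" bullet in SKILL.md and recommendation 2 above (password-protected keys), sketched as an added example; this is not the skill's own sign_artifact.py. The page does not state which signature scheme the script uses, so RSA-PSS with SHA-256 is an assumption, as are the function names; the key, passphrase and artifact are constructed throwaway values.

```python
import os, stat, tempfile
from pathlib import Path
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Assumed scheme (the page does not state one): RSA-PSS with SHA-256.
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)

def key_file_is_private(key_path):
    """POSIX only: True when group and other have no access to the key file."""
    if os.name != "posix":
        return True  # mode bits are not meaningful on Windows; review ACLs there
    return stat.S_IMODE(os.stat(key_path).st_mode) & 0o077 == 0

def sign_file(artifact_path, key_path, password):
    """Write a detached signature to <artifact_path>.sig and return its path."""
    if not key_file_is_private(key_path):
        raise PermissionError(f"{key_path} is accessible to group/other")
    key = serialization.load_pem_private_key(Path(key_path).read_bytes(), password=password)
    sig_path = str(artifact_path) + ".sig"
    Path(sig_path).write_bytes(key.sign(Path(artifact_path).read_bytes(), PSS, hashes.SHA256()))
    return sig_path

def verify_file(artifact_path, sig_path, public_pem):
    """Return True only if the signature matches the artifact's current bytes."""
    pub = serialization.load_pem_public_key(public_pem)
    try:
        pub.verify(Path(sig_path).read_bytes(), Path(artifact_path).read_bytes(), PSS, hashes.SHA256())
        return True
    except InvalidSignature:
        return False

def demo():
    """Constructed throwaway key and artifact; returns (intact_ok, tampered_ok)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pw = b"constructed-demo-passphrase"
    d = Path(tempfile.mkdtemp())
    key_path, art = d / "key.pem", d / "artifact.bin"
    key_path.touch(mode=0o600)  # create with owner-only access before writing the key
    key_path.write_bytes(key.private_bytes(serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8, serialization.BestAvailableEncryption(pw)))
    art.write_bytes(b"constructed artifact bytes")
    pub_pem = key.public_key().public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)
    sig = sign_file(art, key_path, pw)
    intact = verify_file(art, sig, pub_pem)
    art.write_bytes(art.read_bytes() + b"!")  # simulate tampering after signing
    return intact, verify_file(art, sig, pub_pem)
```

Verification only proves the artifact matches the signature; the public key itself must come from a channel you already trust, not from alongside the artifact.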
Functional analysis
Type: OpenClaw Skill
Name: artifact-signing
Version: 1.0.0
The artifact-signing skill is a legitimate utility for generating detached digital signatures using RSA and the Python cryptography library. Analysis of scripts/sign_artifact.py and verify_skill.py shows no evidence of data exfiltration, network activity, or malicious intent; the code strictly performs local file operations as described in SKILL.md.
Capability assessment
Purpose & Capability
The name/description match the included scripts and examples: the sign_artifact.py signs a file with a PEM private key and the verify_skill.py runs a local test. There are no unrelated binaries, env vars, or config paths required.
Instruction Scope
SKILL.md limits runtime actions to loading a local PEM private key, reading a specified artifact file, producing a detached signature, and advising verification. The provided scripts only operate on files you pass and do not contact external endpoints or read unrelated system files. (Note: sign_artifact.py expects an unencrypted private key — encrypted PEMs with passwords are not handled.)
Install Mechanism
There is no automated install step and no downloads; the skill is instruction-only for a local Python script and asks the user to install the widely used 'cryptography' library via pip. No suspicious install URLs or archive extraction are present.
Credentials
The skill requests no environment variables or external credentials. It requires the user to supply a private key file path at runtime, which is appropriate for signing. However, supplying production signing keys to this skill (or letting the agent access a directory with such keys) is a sensitive choice — the script can sign any artifact presented to it, so key exposure risks must be considered.
Persistence & Privilege
The skill does not request permanent/always-on presence, does not modify other skills or global agent settings, and contains no installation that persists code beyond the included files. Autonomous invocation is allowed by platform default but not accompanied by other red flags.
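How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the dialog: /install artifact-signing
  3. After installation, call the Skill by name or trigger it with /artifact-signing
  4. Provide the required inputs according to the Skill's parameter description to get structured output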
Version history
v1.0.0
Initial release of artifact-signing skill.
  • Provides a tool to sign files or artifacts using a PEM-encoded private key.
  • Generates detached signature files for artifacts.
  • Requires Python 3.x and the cryptography library.
  • Strongly emphasizes private key protection and signature verification best practices.
Metadata
Slug: artifact-signing
Version: 1.0.0
License: MIT-0
Total installs: 0
Current installs: 0
Version count: 1
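FAQ

What is Artifact Signing?

A skill to sign artifacts using a digital certificate and private key. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 270 total downloads to date.

How do I install Artifact Signing?

Run the command "/install artifact-signing" in the OpenClaw or Claude Code dialog to install it in one step; no additional configuration is required.

Is Artifact Signing free?

Yes. Artifact Signing is completely free and released under the MIT-0 license; it can be freely downloaded, installed and used.

Which platforms does Artifact Signing support?

Artifact Signing runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Artifact Signing?

Developed and maintained by Raj Aryan (@rajaryan18); the current version is v1.0.0.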
