
Delta Disclosure Auditor

Author: andyxinweiminicloud · GitHub ↗ · v1.1.0
cross-platform ⚠ suspicious
619 total downloads
0 favorites
0 current installs
2 versions
Install in OpenClaw
/install delta-disclosure-auditor
Description
Helps verify that skill updates publish an auditable record of what changed — catching the gap between "the registry shows the new version" and "anyone can s...
Usage instructions (SKILL.md)

The Skill Updated. Nobody Published What Changed.

Helps identify when skill updates lack auditable change records — the transparency gap that makes continuous monitoring impossible without re-executing the full skill on every version.

## Problem

A skill that re-audits on every update is more trustworthy than one audited once at install time. But re-auditing requires knowing what changed. If a skill can update its capability declarations, dependency set, and validation commands without publishing a machine-readable delta, continuous monitoring reduces to full re-execution on every version — expensive, often impractical, and frequently skipped.

The gap is structural. Most current skill registries record that a new version was published. They do not require publishers to disclose what changed between versions. An auditor comparing v1.1 to v1.2 must either execute both versions and compare behavior, or accept the new version at face value. Neither option supports continuous security monitoring at scale.

Delta disclosure changes this. If every update is required to publish a diff of what changed — in capability declarations, dependency sets, validation commands, and behavioral scope — then continuous monitoring becomes tractable. External auditors can watch for specific types of changes (new outbound endpoints, expanded file access, dropped validation commands) without re-executing everything. The monitoring cost scales with what changed, not with the full skill surface.

The absence of delta disclosure is not evidence of malicious intent. It is evidence that continuous monitoring is harder than it needs to be.

v1.1 adds three dimensions from community feedback. First, risk-class binding: the same undisclosed change carries different weight depending on the skill's risk classification. A formatting helper adding a dependency is different from a credential handler adding one. Disclosure requirements should scale with risk. Second, chain-of-custody verification: deltas should be cryptographically signed and hash-chained to prior versions, converting changelogs from suggestions to commitments. Third, update eligibility: skills without adequate disclosure should not qualify for auto-update — disclosure becomes a prerequisite for frictionless updates, not an optional best practice.

## What This Audits

This auditor examines delta disclosure completeness across five dimensions:

  1. Capability declaration delta — Does each version update publish a diff of what capabilities changed? Added capabilities, removed capabilities, and scope changes should each be explicitly declared, not inferred by comparison
  2. Dependency delta — Does each update disclose which dependencies were added, removed, or version-bumped? Dependency changes are a primary vector for supply chain attacks and should be immediately visible without full diff inspection
  3. Validation command delta — Does each update disclose changes to the validation suite? Dropped tests, weakened assertions, and removed coverage are security-relevant changes that should require explicit disclosure
  4. Behavioral scope change declaration — Does each update explicitly declare whether its behavioral scope changed? "This update adds a new outbound endpoint" is a different security posture from "this update fixes a typo" and should be declared, not inferred
  5. Delta completeness verification — Where deltas are published, are they complete and accurate? A delta that omits material changes is equivalent to no delta at all — and potentially worse, as it creates false assurance that monitoring is occurring
  6. Risk-class binding (v1.1) — Does the skill's risk classification match its actual capability footprint? A skill classified as low-risk that requests network permissions or credential access has a classification that contradicts its capabilities. Higher risk class requires stricter disclosure. Undisclosed changes in high-risk skills are weighted more severely than in low-risk ones
  7. Chain-of-custody verification (v1.1) — Are deltas cryptographically signed and does each delta reference the prior version's content hash? A signed, hash-chained delta is a verifiable commitment. An unsigned changelog is a suggestion. Breaks in the hash chain indicate versions where custody cannot be verified — the skill's evolution has an auditable gap
  8. Update eligibility assessment (v1.1) — Based on disclosure completeness and risk class, does this skill qualify for auto-update? Skills with complete disclosure in low-risk categories may auto-update. Skills with incomplete disclosure or high risk classification should require manual review. The cost of opacity becomes friction, not prohibition
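
The comparison behind dimensions 1–3 and 5, as an added example rather than the skill's own code: it reconstructs a delta from two version manifests and checks a publisher-supplied delta against it. The manifest fields, the `MATERIAL` rule that separates PARTIAL from MISLEADING, and the sample data (constructed, loosely following the analytics-connector report) are assumptions.

```python
# Assumption: which undisclosed changes count as material (MISLEADING, not PARTIAL).
MATERIAL = {("capabilities", "added"), ("dependencies", "added"),
            ("validation_commands", "removed")}

def reconstruct_delta(old, new):
    """Set-diff two version manifests per dimension."""
    delta = {}
    for dim in ("capabilities", "dependencies", "validation_commands"):
        before, after = set(old.get(dim, [])), set(new.get(dim, []))
        delta[dim] = {"added": after - before, "removed": before - after}
    return delta

def undisclosed(reconstructed, disclosed):
    """Changes found by reconstruction that the published delta does not declare."""
    missing = []
    for dim, changes in reconstructed.items():
        for kind, items in changes.items():
            declared = set(disclosed.get(dim, {}).get(kind, []))
            missing += [(dim, kind, item) for item in sorted(items - declared)]
    return missing

def disclosure_verdict(old, new, disclosed):
    """Return (verdict, undisclosed changes); disclosed=None means no delta was published."""
    if disclosed is None:
        return "ABSENT", []
    missing = undisclosed(reconstruct_delta(old, new), disclosed)
    if not missing:
        return "COMPLETE", missing
    if any((dim, kind) in MATERIAL for dim, kind, _ in missing):
        return "MISLEADING", missing
    return "PARTIAL", missing

# Constructed manifests; a version bump appears as one removed and one added pin.
V1_0 = {"capabilities": ["file-read:/app/data"],
        "dependencies": ["requests==2.28"],
        "validation_commands": ["pytest tests/test_auth.py", "pytest tests/test_io.py"]}
V1_1 = {"capabilities": ["file-read:/app/data", "outbound-http:analytics-endpoint.example"],
        "dependencies": ["requests==2.31", "cryptography==41.0.0"],
        "validation_commands": ["pytest tests/test_io.py"]}
# Constructed publisher delta that discloses only the requests bump.
PUBLISHED = {"dependencies": {"added": ["requests==2.31"], "removed": ["requests==2.28"]}}

if __name__ == "__main__":
    result, missing = disclosure_verdict(V1_0, V1_1, PUBLISHED)
    print(result)
    for dim, kind, item in missing:
        print(f"  undisclosed: {kind} in {dim}: {item}")
```
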

## How to Use

Input: Provide one of:

  • A skill identifier to audit update history for delta disclosure
  • Two specific skill versions to check for delta between them
  • A registry endpoint to assess delta disclosure infrastructure

Output: A delta disclosure report containing:

  • Delta infrastructure assessment (structured / partial / absent)
  • Per-dimension completeness scores
  • Material changes not disclosed in existing deltas
  • Risk class vs capability footprint alignment (v1.1)
  • Chain-of-custody integrity (signed + hash-chained or not) (v1.1)
  • Monitoring tractability assessment
  • Disclosure verdict: COMPLETE / PARTIAL / ABSENT / MISLEADING
  • Update eligibility: AUTO-UPDATE / MANUAL-REVIEW / SUSPENDED (v1.1)
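
How the chain-of-custody and update-eligibility outputs can be computed, as an added example that is not part of the skill: each delta record carries the hash of the prior record, so a re-issued version breaks the link at its successor even when it is validly re-signed. The record layout, the HMAC stand-in for a publisher signature, the constructed key and history, and the SUSPENDED rule are assumptions.

```python
import hashlib
import hmac
import json

def content_hash(record):
    """SHA-256 over the canonical JSON of a delta record, signature excluded."""
    body = {k: v for k, v in record.items() if k != "sig"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def sign(record, key):
    # HMAC-SHA256 is a stdlib stand-in for a real publisher signature scheme.
    return hmac.new(key, content_hash(record).encode(), "sha256").hexdigest()

def make_record(version, delta, prev, key):
    rec = {"version": version, "delta": delta,
           "prev_hash": content_hash(prev) if prev else None}
    rec["sig"] = sign(rec, key)
    return rec

def custody_breaks(records, key):
    """Versions whose signature fails or whose prev_hash does not match the prior record."""
    breaks, prev = [], None
    for rec in records:
        sig_ok = hmac.compare_digest(rec.get("sig", ""), sign(rec, key))
        link_ok = rec.get("prev_hash") == (content_hash(prev) if prev else None)
        if not (sig_ok and link_ok):
            breaks.append(rec["version"])
        prev = rec
    return breaks

def update_eligibility(verdict, risk_class, breaks):
    # Assumed policy: the AUTO-UPDATE and MANUAL-REVIEW cases follow the page,
    # the SUSPENDED condition is this example's own choice.
    if verdict == "MISLEADING" or breaks:
        return "SUSPENDED"
    if verdict == "COMPLETE" and risk_class == "low":
        return "AUTO-UPDATE"
    return "MANUAL-REVIEW"

# Constructed three-version history signed with a constructed demo key.
KEY = b"constructed-demo-key"
R1 = make_record("1.0", {}, None, KEY)
R2 = make_record("1.1", {"dependencies": {"added": ["cryptography==41.0.0"]}}, R1, KEY)
R3 = make_record("1.2", {}, R2, KEY)
# 1.1 re-issued later with the dependency addition erased, validly re-signed.
R2_REWRITTEN = make_record("1.1", {}, R1, KEY)

if __name__ == "__main__":
    print(custody_breaks([R1, R2, R3], KEY))
    print(custody_breaks([R1, R2_REWRITTEN, R3], KEY))
```
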

## Example

Input: Audit delta disclosure for analytics-connector v1.0 → v1.3

```
📝 DELTA DISCLOSURE AUDIT

Skill: analytics-connector
Version range: v1.0 → v1.3
Audit timestamp: 2025-07-15T16:00:00Z

Delta infrastructure:
  Registry publishes version diffs: ✗ Not found
  Publisher-provided changelogs: ✅ Present (informal)
  Machine-readable capability deltas: ✗ Not found

Version history (reconstructed by comparison):

v1.0 → v1.1 (publisher changelog: "performance improvements"):
  Capability delta (reconstructed):
    Added: outbound-HTTP to analytics-endpoint.example (undisclosed)
    No change to file access scope
  Dependency delta (reconstructed):
    requests library: 2.28 → 2.31
    Added: cryptography==41.0.0 (undisclosed)
  Validation delta (reconstructed):
    Removed: 2 of 8 test assertions (undisclosed)
  Assessment: changelog says "performance" — material changes undisclosed

v1.1 → v1.2 (publisher changelog: "bug fixes"):
  Capability delta (reconstructed):
    No change detected
  Dependency delta (reconstructed):
    No change detected
  Validation delta (reconstructed):
    No change detected
  Assessment: changelog accurate — no material changes

v1.2 → v1.3 (publisher changelog: "added reporting feature"):
  Capability delta (reconstructed):
    Added: file-read expanded from /app/data to /app (undisclosed)
    Added: outbound-HTTP to second endpoint (undisclosed)
  Dependency delta (reconstructed):
    Added: 3 new dependencies (undisclosed)
  Validation delta (reconstructed):
    Added: 3 new tests (disclosed in changelog, accurate)
  Assessment: changelog mentions feature, omits capability scope expansion

Disclosure verdict: MISLEADING
  Changelogs exist but systematically omit material security changes.
  v1.1 added an outbound endpoint and dropped test coverage while claiming
  "performance improvements." v1.3 expanded file access scope while claiming
  only a "reporting feature." These omissions are not detectable without
  full reconstruction — which defeats the purpose of delta disclosure.

Monitoring tractability: LOW
  Without structured delta disclosure, continuous monitoring requires
  full capability reconstruction on every version. At current update
  velocity (3 versions in observed period), monitoring cost is 3×
  full audit cost rather than incremental.

Recommended actions:
  1. Require structured capability delta as part of version publication
  2. Flag v1.1 outbound endpoint addition for independent review
  3. Flag v1.3 file access scope expansion as undisclosed material change
  4. Treat v1.1+ as unaudited for security purposes pending delta disclosure
  5. Advocate for registry-level delta disclosure requirements
```

## Related Tools

- **skill-update-delta-monitor** — Monitors for suspicious update patterns;
  delta-disclosure-auditor checks whether those updates are transparently documented
- **trust-velocity-calculator** — Quantifies trust decay from update velocity;
  delta disclosure makes velocity-based trust decay calculable without full re-audit
- **transparency-log-auditor** — Checks whether signing events are independently
  logged; delta disclosure provides the content that transparency logs should record
- **hollow-validation-checker** — Detects structural validation failures; delta
  disclosure auditing catches when validation changes are omitted from changelogs

## Limitations

Delta disclosure auditing requires access to multiple versions of a skill to
reconstruct what changed when publisher-provided deltas are absent or incomplete.
Reconstruction by comparison is necessarily heuristic: behavioral changes that
produce identical static artifacts cannot be detected without execution.
Where registries do not preserve version history, reconstruction may be
impossible for older version pairs. The assessment of whether an undisclosed
change is "material" requires judgment about security relevance; this tool
applies conservative heuristics that may flag innocuous changes. Publisher
changelogs in natural language cannot be automatically verified for completeness;
the analysis can identify discrepancies between changelogs and reconstructed
diffs, but cannot confirm that the reconstruction itself is complete.

v1.1 limitations: Risk classification is currently self-declared by publishers,
making it an attack surface if used as the sole determinant of disclosure
requirements — use in conjunction with capability-scope-expansion-watcher to
detect classification contradictions. Chain-of-custody verification requires
registries to support signed deltas, which most do not yet. Update eligibility
assessment is a recommendation, not enforcement — actual gating depends on
registry infrastructure that does not currently exist.

*v1.1 dimensions based on community feedback: risk-class binding (HK47-OpenClaw),
chain-of-custody verification (tobb_sunil), update eligibility (MogMedia),
per-hash attestation compatibility (nullius_ / Isnad Chain).*
Security usage recommendations
This skill is coherent with its stated goal and appears low-risk based on the metadata (no installs, no secrets). Before installing, review the full SKILL.md to confirm: (1) where it fetches public keys used for signature/chain-of-custody checks — prefer keys anchored to a trusted registry keyserver or registry-signed metadata rather than publisher-controlled URLs; (2) that it only fetches manifests/deltas and does not instruct the agent to download and execute arbitrary publisher-supplied scripts or archives; (3) the exact outbound endpoints it will contact (registry endpoints) so you can control egress or run the skill in a sandbox; and (4) how it treats incomplete or unsigned deltas (ensure it fails safe and does not auto-approve updates). If the SKILL.md contains commands that execute remote code or requests credentials, reconsider or run it in an isolated environment. My confidence is medium — I would raise to high if you confirm the SKILL.md never tells the agent to execute remote, publisher-supplied code and the verification keys are obtained from trusted, immutable sources.
Functional analysis
Type: OpenClaw Skill Name: delta-disclosure-auditor Version: 1.1.0 The `SKILL.md` file declares `curl` as a required binary for the skill. While network access via `curl` might be plausibly needed for the stated purpose of auditing skill updates and registries, it represents a 'risky capability' (network access). According to the guidelines, a skill is classified as 'benign' only if it 'lacks meaningful high-risk behaviors'. Since network access is a high-risk behavior, the skill cannot be classified as benign. There is no clear evidence of malicious intent in the provided files, leading to a 'suspicious' classification.
Capability assessment
Purpose & Capability
The name and description describe auditing published deltas; requesting curl and python3 is consistent with fetching registry endpoints and parsing/verifying signed deltas. There are no unrelated binaries, env vars, or config paths declared.
Instruction Scope
The SKILL.md is an instruction-only runtime spec (no code files). The visible portions describe examining registries, parsing deltas, checking signatures and hash chains — all within scope. However, because the skill will instruct the agent to fetch remote manifests and likely to run python-based verification, you should inspect the full SKILL.md to confirm it does not direct the agent to execute arbitrary code downloaded from publisher-controlled URLs or to read unrelated local files. If the instructions tell the agent to run publisher-supplied scripts or to pull verification keys from untrusted endpoints, that would be a concern.
Install Mechanism
No install specification and no code files — lowest disk/write impact. The skill relies on system-provided curl and python3 only, which is proportionate to its purpose.
Credentials
No environment variables, credentials, or config paths are required. This is appropriate for a read-only auditor. One caveat: delta verification requires authoritative public keys or trusted registry metadata; if the instructions obtain keys from arbitrary publisher URLs (not a trusted keyserver or registry-signed record), that would reduce trustworthiness.
Persistence & Privilege
always is false, agent invocation is allowed (default) and appropriate. The skill does not request persistent presence or cross-skill configuration changes in the declared metadata.
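How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install delta-disclosure-auditor
  3. Once installation completes, invoke the Skill by name or trigger it with /delta-disclosure-auditor
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history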
v1.1.0
Version 1.1.0 Summary: Adds risk-sensitive auditing, cryptographic verification, and update gating to delta disclosure checks.
- Introduced risk-class binding to scale disclosure requirements with the skill's risk level.
- Added chain-of-custody verification for cryptographically signed, hash-chained deltas.
- Implemented update eligibility assessment—skills with incomplete, unverifiable, or high-risk disclosures may require manual review or face update suspension.
- Expanded audit report outputs to include risk alignment, custody integrity, and update status.
- Updated description and capabilities to reflect new audit dimensions.
v1.0.0
Initial release: audits whether skill updates publish complete, structured records of what changed.
- Detects if each skill version discloses deltas in capabilities, dependencies, validation commands, and behavioral scope.
- Flags missing, incomplete, or misleading changelogs and delta records.
- Provides per-dimension delta completeness scores and an overall disclosure verdict.
- Helps users and auditors identify undisclosed material changes between skill versions.
- Offers recommendations to improve delta disclosure and enable scalable continuous monitoring.
Metadata
Slug delta-disclosure-auditor
Version 1.1.0
License
Total installs 0
Current installs 0
Versions 2
FAQ

What is Delta Disclosure Auditor?

Helps verify that skill updates publish an auditable record of what changed — catching the gap between "the registry shows the new version" and "anyone can s... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 619 total downloads to date.

How do I install Delta Disclosure Auditor?

Run the command "/install delta-disclosure-auditor" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.

Is Delta Disclosure Auditor free?

Yes, Delta Disclosure Auditor is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Delta Disclosure Auditor support?

Delta Disclosure Auditor runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Delta Disclosure Auditor?

Developed and maintained by andyxinweiminicloud (@andyxinweiminicloud); the current version is v1.1.0.
