jacopo-eth

ERC-8128

Author: jacopo · GitHub ↗ · v1.0.0
cross-platform ✓ Security check passed
537 total downloads · 2 favorites · 0 current installs · 1 version
Install in OpenClaw
/install erc8128
Description
Sign and verify HTTP requests with Ethereum wallets using ERC-8128. Use when building authenticated APIs that need wallet-based auth, making signed requests...
Usage instructions (SKILL.md)

ERC-8128: Ethereum HTTP Signatures

ERC-8128 extends RFC 9421 (HTTP Message Signatures) with Ethereum wallet signing. It enables HTTP authentication using existing Ethereum keys—no new credentials needed.

📚 Full documentation: erc8128.slice.so

When to Use

  • API authentication — Wallets already onchain can authenticate to your backend
  • Agent auth — Bots and agents sign requests with their operational keys
  • Replay protection — Signatures include nonces and expiration
  • Request integrity — Sign URL, method, headers, and body

Packages

| Package | Purpose |
|---|---|
| @slicekit/erc8128 | JS library for signing and verifying |
| @slicekit/erc8128-cli | CLI for signed requests (erc8128 curl) |

Library: @slicekit/erc8128

Sign requests

import { createSignerClient } from '@slicekit/erc8128'
import type { EthHttpSigner } from '@slicekit/erc8128'
import { privateKeyToAccount } from 'viem/accounts'

const account = privateKeyToAccount('0x...')

const signer: EthHttpSigner = {
  chainId: 1,
  address: account.address,
  signMessage: async (msg) => account.signMessage({ message: { raw: msg } }),
}

const client = createSignerClient(signer)

// Sign and send
const response = await client.fetch('https://api.example.com/orders', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ amount: '100' }),
})

// Sign only (returns new Request with signature headers)
const signedRequest = await client.signRequest('https://api.example.com/orders')

Verify requests

import { createVerifierClient } from '@slicekit/erc8128'
import type { NonceStore } from '@slicekit/erc8128'
import { createPublicClient, http } from 'viem'
import { mainnet } from 'viem/chains'

// NonceStore interface for replay protection
const nonceStore: NonceStore = {
  consume: async (key: string, ttlSeconds: number): Promise<boolean> => {
    // Return true if nonce was successfully consumed (first use)
    // Return false if nonce was already used (replay attempt)
    // Placeholder: fail closed until a real store is wired in
    throw new Error('NonceStore.consume not implemented')
  }
}

const publicClient = createPublicClient({ chain: mainnet, transport: http() })
const verifier = createVerifierClient(publicClient.verifyMessage, nonceStore)

// request: the incoming Fetch API Request to authenticate
const result = await verifier.verifyRequest(request)

if (result.ok) {
  console.log(`Authenticated: ${result.address} on chain ${result.chainId}`)
} else {
  console.log(`Failed: ${result.reason}`)
}

Sign options

| Option | Type | Default | Description |
|---|---|---|---|
| binding | "request-bound" \| "class-bound" | "request-bound" | What to sign |
| replay | "non-replayable" \| "replayable" | "non-replayable" | Include nonce |
| ttlSeconds | number | 60 | Signature validity |
| components | string[] | | Additional components to sign |
| contentDigest | "auto" \| "recompute" \| "require" \| "off" | "auto" | Content-Digest handling |

request-bound: Signs @authority, @method, @path, @query (if present), and content-digest (if body present). Each request is unique.

class-bound: Signs only the components you explicitly specify. Reusable across similar requests. Requires components array.

📖 See Request Binding for details.

Verify policy

| Option | Type | Default | Description |
|---|---|---|---|
| maxValiditySec | number | 300 | Max allowed TTL |
| clockSkewSec | number | 0 | Allowed clock drift |
| replayable | boolean | false | Allow nonce-less signatures |
| classBoundPolicies | string[] \| string[][] | | Accepted class-bound component sets |

📖 See Verifying Requests and VerifyPolicy for full options.
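
How the policy limits above and the nonce store fit together, as an added example in plain JavaScript (not the library's code). The names checkWindow, createMemoryNonceStore and admit, the mapping of conditions to fail reasons, and the nonce key format are assumptions made for illustration.

```javascript
// Added example, not @slicekit/erc8128 code. created/expires are the RFC 9421
// signature parameters; the mapping to fail reasons below is an assumption.
const DEFAULT_POLICY = { maxValiditySec: 300, clockSkewSec: 0 }

// Returns null when the window is acceptable, otherwise a fail reason.
function checkWindow({ created, expires }, nowSec, policy = DEFAULT_POLICY) {
  if (!Number.isInteger(created) || !Number.isInteger(expires) || expires <= created) {
    return 'bad_time'
  }
  if (expires - created > policy.maxValiditySec) return 'validity_too_long'
  if (created > nowSec + policy.clockSkewSec) return 'not_yet_valid'
  if (expires < nowSec - policy.clockSkewSec) return 'expired'
  return null
}

// In-memory store with the consume(key, ttlSeconds) shape of NonceStore.
// Single process only; `now` is injectable so expiry can be tested.
function createMemoryNonceStore(now = () => Date.now()) {
  const seen = new Map() // nonce key -> expiry time in ms
  return {
    async consume(key, ttlSeconds) {
      const t = now()
      for (const [k, exp] of seen) if (exp <= t) seen.delete(k) // evict expired
      if (seen.has(key)) return false // already used: replay
      seen.set(key, t + ttlSeconds * 1000)
      return true
    },
  }
}

// Admit a signature only if its window is valid and its nonce is unused.
// The nonce is kept until just past expires + clockSkewSec, the last moment
// checkWindow would accept it, so eviction never reopens a replay window.
// The `${keyid}:${nonce}` store key is a hypothetical format.
async function admit(params, nowSec, store, policy = DEFAULT_POLICY) {
  const reason = checkWindow(params, nowSec, policy)
  if (reason) return { ok: false, reason }
  const ttl = params.expires + policy.clockSkewSec - nowSec + 1
  const fresh = await store.consume(`${params.keyid}:${params.nonce}`, ttl)
  return fresh ? { ok: true } : { ok: false, reason: 'replay' }
}
```

A nonce TTL shorter than the remaining validity window would let a captured request be replayed after the nonce is evicted, which is why the TTL here is derived from expires rather than fixed.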

CLI: erc8128 curl

For CLI usage, see references/cli.md.

Quick examples:

# GET with keystore
erc8128 curl --keystore ./key.json https://api.example.com/data

# POST with JSON
erc8128 curl -X POST \
  -H "Content-Type: application/json" \
  -d '{"foo":"bar"}' \
  --keyfile ~/.keys/bot.key \
  https://api.example.com/submit

# Dry run (sign only)
erc8128 curl --dry-run -d @body.json --keyfile ~/.keys/bot.key https://api.example.com

📖 See CLI Guide for full documentation.

Common Patterns

Express middleware

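import { verifyRequest } from '@slicekit/erc8128'
import type { NonceStore } from '@slicekit/erc8128'
import { createPublicClient, http } from 'viem'
import { mainnet } from 'viem/chains'
import Redis from 'ioredis' // assumption: the redis.set() call below uses ioredis argument order

const publicClient = createPublicClient({ chain: mainnet, transport: http() })
const redis = new Redis() // defaults to localhost:6379

// toFetchRequest (used in erc8128Auth) is not defined on this page; supply your own converter.

// Implement NonceStore (Redis example)
const nonceStore: NonceStore = {
  consume: async (key, ttlSeconds) => {
    // SET ... EX ttl NX is atomic: only the first caller for a given key gets 'OK'
    const result = await redis.set(key, '1', 'EX', ttlSeconds, 'NX')
    return result === 'OK'
  }
}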

async function erc8128Auth(req, res, next) {
  const result = await verifyRequest(
    toFetchRequest(req), // Convert Express req to Fetch Request
    publicClient.verifyMessage,
    nonceStore
  )

  if (!result.ok) {
    return res.status(401).json({ error: result.reason })
  }

  req.auth = { address: result.address, chainId: result.chainId }
  next()
}
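
The middleware above calls toFetchRequest without defining it. One possible converter, added here in plain JavaScript and not part of the library, rebuilds the request so the verifier sees the authority, method, path, query and body bytes the client signed. It assumes an Express-style req with a req.rawBody Buffer captured before JSON parsing.

```javascript
// Added example, not part of @slicekit/erc8128. Assumes an Express-style req and
// that req.rawBody is a Buffer captured before JSON parsing, for instance with
// express.json({ verify: (req, _res, buf) => { req.rawBody = buf } }).
function toFetchRequest(req) {
  const host = req.headers.host
  if (!host || /[\/\\?#@\s]/.test(host)) throw new Error('missing or invalid Host header')
  if (!req.originalUrl.startsWith('/')) throw new Error('unsupported request target')

  // Concatenate rather than new URL(target, base): a target such as
  // "//other.example/x" would otherwise replace the authority being verified.
  // req.protocol follows Express "trust proxy", so set that deliberately.
  const url = new URL(`${req.protocol}://${host}${req.originalUrl}`)

  // Copy headers as received, including Signature, Signature-Input and
  // Content-Digest. Node presents repeated headers as arrays.
  const headers = new Headers()
  for (const [name, value] of Object.entries(req.headers)) {
    for (const v of [].concat(value ?? [])) headers.append(name, v)
  }

  // Pass the exact received bytes. JSON.stringify(req.body) can differ in
  // whitespace or key order from what the client hashed into Content-Digest.
  const method = req.method.toUpperCase()
  const hasBody = method !== 'GET' && method !== 'HEAD' && req.rawBody?.length > 0
  return new Request(url, { method, headers, body: hasBody ? req.rawBody : undefined })
}
```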

Agent signing (with key file)

import { createSignerClient } from '@slicekit/erc8128'
import type { EthHttpSigner } from '@slicekit/erc8128'
import { privateKeyToAccount } from 'viem/accounts'
import { readFileSync } from 'fs'

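// Fail early if the key file path is not configured
const keyFile = process.env.KEYFILE
if (!keyFile) throw new Error('KEYFILE is not set')
const key = readFileSync(keyFile, 'utf8').trim()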
const account = privateKeyToAccount(key as `0x${string}`)

const signer: EthHttpSigner = {
  chainId: Number(process.env.CHAIN_ID) || 1,
  address: account.address,
  signMessage: async (msg) => account.signMessage({ message: { raw: msg } }),
}

const client = createSignerClient(signer)

// Use client.fetch() for all authenticated requests

Verify failure reasons

type VerifyFailReason =
  | 'missing_headers'
  | 'label_not_found'
  | 'bad_signature_input'
  | 'bad_signature'
  | 'bad_keyid'
  | 'bad_time'
  | 'not_yet_valid'
  | 'expired'
  | 'validity_too_long'
  | 'nonce_required'
  | 'replayable_not_allowed'
  | 'replayable_invalidation_required'
  | 'replayable_not_before'
  | 'replayable_invalidated'
  | 'class_bound_not_allowed'
  | 'not_request_bound'
  | 'nonce_window_too_long'
  | 'replay'
  | 'digest_mismatch'
  | 'digest_required'
  | 'alg_not_allowed'
  | 'bad_signature_bytes'
  | 'bad_signature_check'

📖 See VerifyFailReason for descriptions.

Key Management

For agents and automated systems:

| Method | Security | Use Case |
|---|---|---|
| --keyfile | Medium | Unencrypted key file, file permissions for protection |
| --keystore | High | Encrypted JSON keystore, password required |
| ETH_PRIVATE_KEY | Low | Environment variable, avoid in production |
| Signing service | High | Delegate to external service (SIWA, AWAL) |
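
The keyfile row relies on file permissions, which the "Agent signing (with key file)" pattern reads without checking. A stricter loader is shown here as an added example in plain JavaScript (not the project's code); loadPrivateKey is a hypothetical name and the check is POSIX only.

```javascript
// Added example: a stricter replacement for a bare readFileSync() of a key file.
// POSIX only; on Windows the mode bits do not reflect ACLs.
async function loadPrivateKey(path) {
  // Dynamic import keeps the block valid in both CommonJS and ES modules.
  const { open } = await import('node:fs/promises')
  const handle = await open(path, 'r')
  try {
    // stat the open handle, so the file checked is the file read.
    const info = await handle.stat()
    if (!info.isFile()) throw new Error(`${path}: not a regular file`)
    if ((info.mode & 0o077) !== 0) {
      const mode = (info.mode & 0o777).toString(8)
      throw new Error(`${path}: mode ${mode} is accessible by group/others; use chmod 600`)
    }
    const key = (await handle.readFile('utf8')).trim()
    // Report only the shape problem; never put the key text in an error.
    if (!/^0x[0-9a-fA-F]{64}$/.test(key)) {
      throw new Error(`${path}: expected 0x followed by 64 hex characters`)
    }
    return key
  } finally {
    await handle.close()
  }
}
```

The returned string can be passed to privateKeyToAccount in place of the value read with readFileSync.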

Documentation

Security recommendations
This skill's content is coherent for building wallet-signed HTTP requests and verification. Before you use it: (1) note that the skill bundle contains only documentation — the actual CLI/library would be installed separately (npm/@slicekit packages); verify the package publisher and inspect the package code before installing. (2) Avoid passing raw private keys on command lines or in scripts; prefer encrypted keystores, hardware wallets, or process-limited environment injection. (3) If you plan to run the CLI, prefer installing from an official, verifiable source and check package integrity (verify author, version, and package contents). (4) If you need higher assurance, ask the publisher/source for a repository or checksum and request a homepage or canonical source URL — absence of a homepage in the skill metadata reduces confidence in auditing the referenced packages.
Functional analysis
Type: OpenClaw Skill · Name: erc8128 · Version: 1.0.0
The OpenClaw AgentSkills skill bundle for ERC-8128 provides tools for signing and verifying HTTP requests using Ethereum wallets. The documentation clearly outlines the purpose, usage, and various methods for handling private keys, including explicit security best practices and warnings about less secure options (e.g., `ETH_PRIVATE_KEY` environment variable or `--private-key` CLI option). All file and network access (e.g., reading key files, sending signed HTTP requests) is directly related to the skill's stated purpose. There is no evidence of intentional data exfiltration to unauthorized endpoints, malicious execution, persistence mechanisms, obfuscation, or prompt injection attempts against the agent. The skill functions as a legitimate cryptographic utility with transparent operations.
Capability assessment
Purpose & Capability
The name/description (ERC-8128 HTTP signatures) match the contents: examples for signing and verifying, a verifier nonce-store, Express middleware, and a CLI are all appropriate for building wallet-based HTTP auth.
Instruction Scope
SKILL.md and references/cli.md limit actions to signing/verifying requests and reading key material (keystore, keyfile, or ETH_PRIVATE_KEY). There are no instructions to read unrelated system files or exfiltrate data. Use of NonceStore and Redis is scoped to replay protection and is relevant.
Install Mechanism
This is an instruction-only skill with no install spec. The docs point users to install npm packages (e.g., @slicekit/erc8128-cli) via npm/npx — expected for a JS CLI but means installing external code from registries if you follow the docs. Because no package source/homepage is provided in the skill metadata, you cannot verify the referenced packages from this skill bundle alone.
Credentials
The skill declares no required environment variables, but the docs mention using ETH_PRIVATE_KEY and support keyfile/keystore/password/--private-key options. Those env/file accesses are normal for a signing tool, but the metadata/instructions mismatch (no declared required env in metadata) is worth noting. The number and type of secrets referenced are proportionate to the task, but handling private keys on the CLI or as raw env vars is intrinsically risky and the docs themselves warn about it.
Persistence & Privilege
Skill is not always-enabled, does not request persistent system-wide privileges, and is instruction-only (no code written by the skill). It does not ask to modify other skills or system configs.
How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install erc8128
  3. Once installed, call the Skill by name or trigger it with /erc8128
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history
v1.0.0
Initial release of erc8128.
  • Enables signing and verifying HTTP requests using Ethereum wallets (ERC-8128 standard).
  • Supports both a JavaScript library (@slicekit/erc8128) and command-line interface (erc8128 curl).
  • Provides replay protection, nonce support, request binding options, and request integrity features.
  • Includes extensible verification policies and integration patterns for APIs and agent-based authentication.
  • Comprehensive documentation links and common implementation patterns for servers and bots.
Metadata
Slug erc8128
Version 1.0.0
License
Total installs 0
Current installs 0
Number of versions 1
FAQ

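What is ERC-8128?

Sign and verify HTTP requests with Ethereum wallets using ERC-8128. Use when building authenticated APIs that need wallet-based auth, making signed requests... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 537 total downloads so far.

How do I install ERC-8128?

Run the command "/install erc8128" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is ERC-8128 free?

Yes, ERC-8128 is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does ERC-8128 support?

ERC-8128 is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed ERC-8128?

It is developed and maintained by jacopo (@jacopo-eth); the current version is v1.0.0.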