Total downloads: 2008
Favorites: 3
Current installs: 3
Versions: 2
Install in OpenClaw
/install skillsign
Description
Sign and verify agent skill folders with ed25519 keys. Detect tampering, manage trusted authors, and track provenance chains (isnād).
Security usage recommendations
This skill appears to be what it says: a local ed25519 signer/verifier for skill folders. Before installing or using it, consider the following:
- Inspect the full skillsign.py file yourself (the provided excerpt was truncated here) to confirm there are no network calls or unexpected behavior in the omitted portion.
- Protect private keys: the tool writes unencrypted PEM private keys to ~/.skillsign/keys with 0600 permissions. If you need stronger protection, use hardware-backed keys or store the private keys encrypted.
- Revocation and timestamping are limited: revocation is local, and there is no trusted timestamping authority or immutable chain linking. A compromised private key can sign malicious updates that look legitimate in the local chain.
- Use in a controlled environment: when first verifying third-party skills, run verification in an isolated environment and validate the public key out-of-band (e.g., via the author's published fingerprint) before adding to your trust list.
- Source provenance: the package metadata references a GitHub URL but the registry source is unknown; prefer installing or running code from sources you can vet (e.g., a trusted repository or your own copy).
If you want higher assurance, request the full, untruncated source and check that trust/revocation functions operate only on local files and do not contact external endpoints.
Functional analysis
Type: OpenClaw Skill
Name: skillsign
Version: 1.1.0
The OpenClaw AgentSkills bundle 'skillsign' is a cryptographic signing and verification tool for skill folders. Its purpose is to enhance security by detecting tampering and verifying author trust using ed25519 keys and SHA-256 hashes. The code correctly implements cryptographic operations, manages keys with appropriate permissions in the user's home directory (`~/.skillsign/`), and performs all actions locally without network communication or access to sensitive environment variables. The `SKILL.md` and `README.md` documentation provides clear, benign instructions for using the tool and does not contain any prompt injection attempts or instructions for malicious behavior against the AI agent.
Capability assessment
Purpose & Capability
Name/description, SKILL.md, README, and the included Python code all implement signing, verification, trust list management, and provenance chaining for skill folders. There are no requests for unrelated credentials or external services; behavior aligns with stated purpose.
Instruction Scope
Runtime instructions tell the agent to generate keys under ~/.skillsign, create .skillsig/ inside target skill folders, hash files, sign manifests, and manage a local trust store. These actions are exactly what a signing tool needs. Note: the tool reads all files in the provided folder (expected) and writes signature metadata into the folder and the user's home directory.
Install Mechanism
No install spec is present beyond a pip dependency on the well-known 'cryptography' library. There are no remote downloads or unusual installer behavior in the provided files.
Credentials
The skill requests no environment variables, credentials, or system config paths beyond creating/using ~/.skillsign and writing .skillsig directories inside signed folders. Those filesystem accesses are proportional to a signing tool.
Persistence & Privilege
The tool persists keys and a trusted-author list under ~/.skillsign and writes .skillsig/ into target folders. This is expected for its function, but it does create persistent private key files (PEM, unencrypted) in the user's home directory which should be protected. The skill is not always-enabled and does not request elevated or cross-skill config access.
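How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install skillsign
- Once installation completes, call the Skill by name or use /skillsign to trigger it
- Provide the required input according to the Skill's parameter description to get structured output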
Version history
v1.1.0
Added key revocation system. New commands: revoke, revoked.
Timestamp-aware verification.
v1.0.0
Initial release - cryptographic signing and verification for agent skill folders using ed25519 keys. Includes support for signing identity generation, folder signing, verification with tampering detection, trust management, and full provenance chain tracking (isnād).
Frequently asked questions
What is Skillsign — ed25519 Skill Signing?
Sign and verify agent skill folders with ed25519 keys. Detect tampering, manage trusted authors, and track provenance chains (isnād). It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 2008 total downloads to date.
How do I install Skillsign — ed25519 Skill Signing?
Run the command "/install skillsign" in the OpenClaw or Claude Code chat box for one-step installation; no additional configuration is required.
Is Skillsign — ed25519 Skill Signing free?
Yes, Skillsign — ed25519 Skill Signing is completely free (free and open source) and can be freely downloaded, installed, and used.
Which platforms does Skillsign — ed25519 Skill Signing support?
Skillsign — ed25519 Skill Signing runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Skillsign — ed25519 Skill Signing?
Developed and maintained by FELMONON (@felmonon); the current version is v1.1.0.