leo-guinan

Towel Protocol

Author: Leo Guinan · GitHub · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 276
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install towel-protocol
Description
Verify AI agent trust scores and reputation via Towel Protocol. Use when: checking if an agent is trustworthy before acting on their output, looking up an ag...
Safe usage recommendations
This skill is plausible for building agent-to-agent trust channels, but exercise caution before running its scripts. Ask the author to (1) declare required tooling (git, gh, openssl, python3, shasum), (2) document exactly which credentials and GitHub permissions are needed and why, and (3) remove embedding of tokens in remote URLs (use gh auth or secure credential helpers instead). Do not run the scripts with a high-privilege GitHub token or in an environment containing other secrets. If you want to test: run in an isolated account/org with minimal repo scopes, inspect the scripts line-by-line, and consider modifying them to avoid storing tokens in git config and to require explicit, ephemeral credentials rather than reading from local auth state.
Functional analysis
Type: OpenClaw Skill Name: towel-protocol Version: 1.0.0 The bundle implements an agent reputation protocol but includes high-risk scripts that programmatically interact with GitHub. Specifically, `scripts/towel-link.sh` uses the `gh` CLI to create private repositories and extracts the user's GitHub authentication token to embed it in the local git configuration. While these actions are aligned with the stated goal of establishing 'bilateral trust channels' (towel.metaspn.network), the automated handling of sensitive credentials and repository management represents a significant security risk and potential for credential exposure.
Capability assessment
Purpose & Capability
The skill claims only public read APIs and no credentials, but the included scripts create GitHub repos, push commits, and rely on the GitHub CLI and git; creating bilateral repos and importing credentials into an org is a reasonable capability for a reputation channel, but the skill did not declare any of the required binaries, permissions, or the need for a GitHub token/organization access.
Instruction Scope
SKILL.md describes calling the Towel API (read-only) and mentions building links, but it does not document executing the provided shell scripts. The scripts write seeds and handshake files to a repo, store challenges locally, and instruct humans to share repo access. They also embed the GitHub auth token into a remote URL (git remote set-url with x-access-token:...); that can cause credential leakage in .git/config or logs. The scripts assume/require git, gh, openssl, python3, and shasum but none are declared.
Install Mechanism
No install spec (instruction-only) — lowest-risk by install mechanism. However, the packaged shell scripts will be present on disk and are executable; since there is no declared list of required binaries, an agent or user might run these scripts without understanding prerequisites or consequences.
Credentials
Declared requirements list no environment variables or credentials, yet the scripts implicitly require and use a GitHub auth token (via `gh auth token`) and optionally use TOWEL_REPO_DIR env var. The script's behavior (creating repos in a specified GitHub org and embedding tokens in remote URLs) demands elevated GitHub permissions and risks exposing secrets — these accesses are not documented in the skill metadata.
Persistence & Privilege
The skill is not always:true and does not modify other skills. It does write files, create repositories, commit, and push — producing persistent artifacts outside the agent runtime (GitHub repos and local files). The persistence is expected for a bilateral trust channel but increases blast radius if credentials or seeds are mishandled.
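How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install towel-protocol
  3. Once installation completes, invoke the skill by name or trigger it with /towel-protocol
  4. Provide the required inputs according to the skill's parameter description to get structured output
Version history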
v1.0.0
Initial Clawhub release
Metadata
Slug towel-protocol
Version 1.0.0
License MIT-0
Total installs 0
Current installs 0
Historical versions 1
FAQ

What is Towel Protocol?

Verify AI agent trust scores and reputation via Towel Protocol. Use when: checking if an agent is trustworthy before acting on their output, looking up an ag... It is an AI agent skill plugin for Claude Code / OpenClaw, with 276 total downloads to date.

How do I install Towel Protocol?

Run the command "/install towel-protocol" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is required.

Is Towel Protocol free?

Yes, Towel Protocol is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does Towel Protocol support?

Towel Protocol runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Towel Protocol?

It is developed and maintained by Leo Guinan (@leo-guinan); the current version is v1.0.0.
