ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

On-Chain Skill Audit

v0.1.1

On-chain skill provenance registry. Check, register, audit, and vouch for agent skills on Solana. Use when evaluating skill safety, registering new skills, or looking up provenance before installation.

0· 1.4k· 2 versions· 2 current· 2 all-time· Updated 6h ago· MIT-0
byRocket@emanz1

Skill Audit — On-Chain Provenance Registry

Commands

/check-skill <name>

Look up on-chain provenance for a skill before installing.

  1. Read all three tables (registry, audits, vouches) for the given skill ID
  2. Compute trust level from audit verdicts
  3. Display: trust badge, author, hash, version, audit history, vouch count

/audit-skill <name> <severity>

Submit an audit verdict (requires IQ tokens in wallet). Severities: S (secure), L (low), M (medium), H (high), C (critical) Optionally run ZeroLeaks first and inscribe full report via codeIn.

/vouch-skill <name> [score]

Community endorsement. Score 1-5 (default 5).

/register-skill <path>

Register a local skill with on-chain hash.

  1. Read skill.md at given path
  2. Normalize and SHA-256 hash the content
  3. Write registration row with short hash (first 8 hex chars)

Trust Badges

  • MALICIOUS: BLOCK installation, warn user
  • FLAGGED: Strong warning
  • CAUTIONED: Mild warning
  • VERIFIED: Green checkmark
  • AUDITED: Has audits but not yet verified secure
  • REGISTERED: In registry, no audits yet
  • UNKNOWN: Not in registry — warn "no on-chain provenance"
  • Hash mismatch: Warn "content differs from registered version"

Implementation

Package: @rocketlabs/skill-audit

const { checkSkill, registerSkill, auditSkill, vouchForSkill, hashSkill } = require('@rocketlabs/skill-audit');

checkSkill({ connection, skillId, rpcUrl })

Returns: { trustLevel, skill, audits, vouches, summary } Free (RPC read only, no SOL needed).

registerSkill({ connection, signer, skillId, author, shortHash, version, codeInTx, rpcUrl })

Writes to skill_registry table. Public — anyone can register.

auditSkill({ connection, signer, skillId, auditor, severity, categories, codeInTx, rpcUrl })

Writes to skill_audits table. IQ-token-gated — signer must hold IQ tokens. Severity: S/L/M/H/C. Categories: dir,enc,per,soc,tec,cre,mny,cot,pol,asc,ctx,sem,too,sir,ech

vouchForSkill({ connection, signer, skillId, voucher, score, rpcUrl })

Writes to skill_vouches table. Public — anyone can vouch. Score 1-5.

hashSkill(content)

Returns: { fullHash, shortHash } — SHA-256 of normalized content.

On-Chain Architecture

  • Program: 9KLLchQVJpGkw4jPuUmnvqESdR7mtNCYr3qS4iQLabs
  • DB Root ID: skill-audit
  • Tables: skill_registry (public), skill_audits (IQ-gated), skill_vouches (public)
  • Row limit: ~100 bytes. Full data via codeIn inscriptions.
  • Reads are free. Only writes cost SOL.
  • Append-only. No in-place updates. Version counter for re-registration.

Prerequisites

  • @iqlabs-official/solana-sdk v0.1.1+ (CommonJS required)
  • @solana/web3.js v1.x
  • Solana wallet for writes
  • IQ tokens for audit writes (token mint: 3uXACfojUrya7VH51jVC1DCHq3uzK4A7g469Q954LABS)
  • Buffer monkey-patch applied (handled automatically by the package)

Version tags

latestvk97855gk1g07a260xr6ype4a1h80tv87