Skillsign — ed25519 Skill Signing
v1.1.0Sign and verify agent skill folders with ed25519 keys. Detect tampering, manage trusted authors, and track provenance chains (isnād).
⭐ 3· 1.9k·3 current·3 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description, SKILL.md, README, and the included Python code all implement signing, verification, trust list management, and provenance chaining for skill folders. There are no requests for unrelated credentials or external services; behavior aligns with stated purpose.
Instruction Scope
Runtime instructions tell the agent to generate keys under ~/.skillsign, create .skillsig/ inside target skill folders, hash files, sign manifests, and manage a local trust store. These actions are exactly what a signing tool needs. Note: the tool reads all files in the provided folder (expected) and writes signature metadata into the folder and the user's home directory.
Install Mechanism
No install spec is present beyond a pip dependency on the well-known 'cryptography' library. There are no remote downloads or unusual installer behavior in the provided files.
Credentials
The skill requests no environment variables, credentials, or system config paths beyond creating/using ~/.skillsign and writing .skillsig directories inside signed folders. Those filesystem accesses are proportional to a signing tool.
Persistence & Privilege
The tool persists keys and a trusted-author list under ~/.skillsign and writes .skillsig/ into target folders. This is expected for its function, but it does create persistent private key files (PEM, unencrypted) in the user's home directory which should be protected. The skill is not always-enabled and does not request elevated or cross-skill config access.
Assessment
This skill appears to be what it says: a local ed25519 signer/verifier for skill folders. Before installing or using it, consider the following:
- Inspect the full skillsign.py file yourself (the provided excerpt was truncated here) to confirm there are no network calls or unexpected behavior in the omitted portion.
- Protect private keys: the tool writes unencrypted PEM private keys to ~/.skillsign/keys with 0600 perms. If you need stronger protection, use hardware-backed keys or store privately encrypted keys.
- Revocation and timestamping are local and limited: revocation is local and there is no trusted timestamping authority or immutable chain linking. A compromised private key can sign malicious updates that look legitimate in the local chain.
- Use in a controlled environment: when first verifying third-party skills, run verification in an isolated environment and validate the public key out-of-band (e.g., via the author's published fingerprint) before adding to your trust list.
- Source provenance: the package metadata references a GitHub URL but the registry source is unknown; prefer installing or running code from sources you can vet (e.g., a trusted repository or your own copy).
If you want higher assurance, request the full, untruncated source and check that trust/revocation functions operate only on local files and do not contact external endpoints.Like a lobster shell, security has layers — review code before you run it.
cryptographyvk9723n8qpwbj6f2n907z8kydf5809asked25519vk9723n8qpwbj6f2n907z8kydf5809asklatestvk97aysbx7z0sbqh1nnj0rxcn5s809dk5securityvk9723n8qpwbj6f2n907z8kydf5809asksigningvk9723n8qpwbj6f2n907z8kydf5809askverificationvk9723n8qpwbj6f2n907z8kydf5809ask
License
MIT-0
Free to use, modify, and redistribute. No attribution required.