ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Openclaw Signet

Cryptographic skill verification. Sign installed skills with SHA-256 content hashes and verify they haven't been tampered with. Detects modified, added, and removed files within skill directories. Free alert layer — upgrade to openclaw-signet-pro for rejection, quarantine, and trust chain restoration.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 1.2k · 3 current installs · 3 all-time installs
by@AtlasPA
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (sign and verify skills with SHA-256) matches the files and instructions. The script only needs python3 and operates on the workspace/skills tree, computes file hashes, and writes a local manifest and snapshots/quarantine directories. No unrelated credentials, binaries, or external services are requested.
Instruction Scope
SKILL.md instructs running the included Python script with a --workspace argument. The script's visible behaviour is limited to walking skill directories, hashing files, saving a manifest, and taking local actions (quarantine/snapshots/restore). It only reads optional OPENCLAW_WORKSPACE env var to locate the workspace; it does not reference other system paths or transmit data externally in the shown code.
Install Mechanism
There is no installer; this is instruction-plus-script. README suggests cloning the repo into the workspace. No network calls or remote downloads are performed by the script (stdlib-only). No extract/download install steps are present in the registry metadata.
Credentials
The skill declares no required environment variables or credentials. The script optionally reads OPENCLAW_WORKSPACE to resolve workspace location, which is reasonable for its function. It does not ask for API keys, tokens, or unrelated secrets.
Persistence & Privilege
The skill is not forced-always (always:false) and is user-invocable. The script writes a manifest and may move/rename skill directories to quarantine or create snapshots under the workspace, which are necessary for its functionality but are destructive actions if used accidentally. The skill can be invoked by the agent (disable-model-invocation:false), which is normal for skills — be aware that agent-initiated runs could modify skill files without further prompts.
Assessment
This tool appears to do what it says: locally sign and verify skills and optionally quarantine or restore them. Before installing or running: (1) review the included scripts/signet.py yourself (it's a single-file Python tool) because it will write manifests and move/rename skill directories when you use quarantine/reject/restore; (2) back up your workspace (or ensure version control) before using quarantine/reject or restore operations; (3) run sign once after installing trusted skills to create the initial manifest; (4) consider file-permission protection for the .signet/manifest and snapshots if you want to prevent unauthorized local modification; (5) be aware that if you allow autonomous agent invocation, the agent could run this script and perform quarantines or restores — that behavior is expected but may be impactful, so restrict agent privileges if you want to avoid automated modifications.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.2
Download zip
latestvk977s7r7kxgq56bnxkgaxw58298103pv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔏 Clawdis
OSmacOS · Linux · Windows
Binspython3

SKILL.md

OpenClaw Signet

Cryptographic verification for installed skills. Sign skills at install time, verify they haven't been tampered with later.

The Problem

You install a skill and it works. Days later, a compromised process modifies files inside the skill directory — injecting code, altering behavior, adding exfiltration. All current defenses are heuristic (regex pattern matching). Nothing mathematically verifies that installed code is unchanged.

Commands

Sign Skills

Generate SHA-256 content hashes for all installed skills and store in trust manifest.

python3 {baseDir}/scripts/signet.py sign --workspace /path/to/workspace

Sign Single Skill

python3 {baseDir}/scripts/signet.py sign openclaw-warden --workspace /path/to/workspace

Verify Skills

Compare current skill state against trusted signatures.

python3 {baseDir}/scripts/signet.py verify --workspace /path/to/workspace

List Signed Skills

python3 {baseDir}/scripts/signet.py list --workspace /path/to/workspace

Quick Status

python3 {baseDir}/scripts/signet.py status --workspace /path/to/workspace

How It Works

  1. sign computes SHA-256 hashes of every file in each skill directory
  2. A composite hash represents the entire skill state
  3. verify recomputes hashes and compares against the manifest
  4. If any file is modified, added, or removed — the composite hash changes
  5. Reports exactly which files changed within each tampered skill

Exit Codes

  • 0 — All skills verified
  • 1 — Unsigned skills detected
  • 2 — Tampered skills detected

No External Dependencies

Python standard library only. No pip install. No network calls. Everything runs locally.

Cross-Platform

Works with OpenClaw, Claude Code, Cursor, and any tool using the Agent Skills specification.

Files

3 total
Select a file
Select a file to preview.

Comments

Loading comments…