Openclaw Signet
Rating: Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill is mostly aligned with local skill-integrity checking, but the bundled script advertises reject/quarantine/restore capabilities that can affect installed skills beyond the documented alert-only workflow.
Use this only if you are comfortable with a local Python script reading installed skill directories and writing a .signet trust manifest. Treat the sign command as establishing a trusted baseline, and do not allow the reject, quarantine, restore, or protect actions unless you explicitly requested them and have backups. Verify the source or pin the repository to a specific commit before installing from Git.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent or user invokes those countermeasure paths, installed skills may be disabled, moved, or restored rather than merely reported as tampered.
The bundled script advertises high-impact countermeasures that can affect installed skills, while SKILL.md only documents the sign, verify, list, and status commands.
Script excerpt: "... plus automatic rejection of unsigned skills, quarantine of tampered ones, trusted snapshots, and restoration."
Document these commands clearly, require explicit user confirmation before any reject/quarantine/restore action, default to read-only verification, and scope mutations to a named skill unless the user explicitly requests bulk action.
A user may believe all installed skills are covered, while tampering with this verification skill itself may not be detected by its own checks.
The implementation excludes the Signet skill itself from skill discovery, which conflicts with broad claims that it signs or verifies all installed skills.
    SELF_SKILL_DIRS = {"openclaw-signet", "openclaw-signet"}
    ...
    if e.is_dir() and e.name not in SELF_SKILL_DIRS

Disclose the self-exclusion prominently or add a separate self-verification mechanism so users understand the coverage limitation.
If the manifest is created after compromise or modified later, future verification can trust the wrong baseline.
The skill stores persistent file-hash trust state that later verification depends on.
    manifest["skills"][sd.name] = {
        "composite_hash": composite, "files": files,
        "signed_at": now_iso(), "file_count": len(files),
    }
    ...
    save_manifest(ws, manifest)

Run signing only from a known-good install state, protect the .signet manifest from unauthorized edits, and avoid re-signing after an unexpected tamper alert until the change is understood.
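As an added illustration (not the Signet skill's own code) of the sign-then-verify model this finding describes, the following Python records per-file hashes and a composite hash for each skill directory into a manifest with the same fields as the excerpt, and performs a strictly read-only verification that reports unsigned and tampered skills instead of quarantining them. SHA-256 and the way the composite hash is built over the sorted (path, digest) pairs are assumptions.

```python
import hashlib
from datetime import datetime, timezone
from pathlib import Path

# Constructed illustration of the sign/verify model the report describes: a manifest
# records per-file hashes plus a composite hash per skill, and verification is
# read-only, returning findings instead of touching skills. SHA-256 and the
# composite construction are assumptions, not Signet's own code.

def file_hashes(skill_dir: Path) -> dict:
    """Relative path -> SHA-256 hex digest for every file under the skill."""
    return {p.relative_to(skill_dir).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(skill_dir.rglob("*")) if p.is_file()}

def composite_hash(files: dict) -> str:
    """Hash the sorted (path, digest) pairs so additions, removals and edits all change it."""
    h = hashlib.sha256()
    for path, digest in sorted(files.items()):
        h.update(f"{path}\0{digest}\n".encode())
    return h.hexdigest()

def sign(skills_root: Path) -> dict:
    """Record the current install state as the trusted baseline (run only when known-good)."""
    manifest = {"skills": {}}
    for sd in sorted(p for p in skills_root.iterdir() if p.is_dir()):
        files = file_hashes(sd)
        manifest["skills"][sd.name] = {
            "composite_hash": composite_hash(files), "files": files,
            "signed_at": datetime.now(timezone.utc).isoformat(), "file_count": len(files),
        }
    return manifest

def verify(skills_root: Path, manifest: dict) -> dict:
    """Read-only check returning {skill: 'ok' | 'unsigned' | 'tampered: <paths>'}."""
    report = {}
    for sd in sorted(p for p in skills_root.iterdir() if p.is_dir()):
        entry = manifest["skills"].get(sd.name)
        if entry is None:
            report[sd.name] = "unsigned"
            continue
        files = file_hashes(sd)
        if composite_hash(files) == entry["composite_hash"]:
            report[sd.name] = "ok"
            continue
        changed = sorted(p for p in set(files) | set(entry["files"])
                         if files.get(p) != entry["files"].get(p))
        report[sd.name] = "tampered: " + ", ".join(changed)
    return report
```

Because verify only reads, a tamper alert leaves the on-disk state and the manifest untouched for investigation; re-running sign at that point would silently adopt the modified files as the new baseline.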
A user following the README could install whatever code is currently on the repository branch rather than a reviewed, immutable version.
The install documentation uses an unpinned Git clone, while the registry metadata lists the source as unknown and has no homepage.
    git clone https://github.com/AtlasPA/openclaw-signet.git
    cp -r openclaw-signet ~/.openclaw/workspace/skills/
Prefer the reviewed registry package or pin the Git install to a specific audited commit or release.
