Skillsign — ed25519 Skill Signing
Sign and verify agent skill folders with ed25519 keys. Detect tampering, manage trusted authors, and track provenance chains (isnād).
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 3 · 1.8k · 1 current installs · 1 all-time installs
MIT-0
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description, SKILL.md, README, and the included Python code all implement signing, verification, trust list management, and provenance chaining for skill folders. There are no requests for unrelated credentials or external services; behavior aligns with stated purpose.
Instruction Scope
Runtime instructions tell the agent to generate keys under ~/.skillsign, create .skillsig/ inside target skill folders, hash files, sign manifests, and manage a local trust store. These actions are exactly what a signing tool needs. Note: the tool reads all files in the provided folder (expected) and writes signature metadata into the folder and the user's home directory.
Install Mechanism
No install spec is present beyond a pip dependency on the well-known 'cryptography' library. There are no remote downloads or unusual installer behavior in the provided files.
Credentials
The skill requests no environment variables, credentials, or system config paths beyond creating/using ~/.skillsign and writing .skillsig directories inside signed folders. Those filesystem accesses are proportional to a signing tool.
Persistence & Privilege
The tool persists keys and a trusted-author list under ~/.skillsign and writes .skillsig/ into target folders. This is expected for its function, but it does create persistent private key files (PEM, unencrypted) in the user's home directory which should be protected. The skill is not always-enabled and does not request elevated or cross-skill config access.
Assessment
This skill appears to be what it says: a local ed25519 signer/verifier for skill folders. Before installing or using it, consider the following:
- Inspect the full skillsign.py file yourself (the provided excerpt was truncated here) to confirm there are no network calls or unexpected behavior in the omitted portion.
- Protect private keys: the tool writes unencrypted PEM private keys to ~/.skillsign/keys with 0600 perms. If you need stronger protection, use hardware-backed keys or store privately encrypted keys.
- Revocation and timestamping are local and limited: revocation is local and there is no trusted timestamping authority or immutable chain linking. A compromised private key can sign malicious updates that look legitimate in the local chain.
- Use in a controlled environment: when first verifying third-party skills, run verification in an isolated environment and validate the public key out-of-band (e.g., via the author's published fingerprint) before adding to your trust list.
- Source provenance: the package metadata references a GitHub URL but the registry source is unknown; prefer installing or running code from sources you can vet (e.g., a trusted repository or your own copy).
If you want higher assurance, request the full, untruncated source and check that trust/revocation functions operate only on local files and do not contact external endpoints.Like a lobster shell, security has layers — review code before you run it.
Current versionv1.1.0
Download zipcryptographyed25519latestsecuritysigningverification
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
skillsign
Cryptographic signing and verification for agent skill folders using ed25519 keys. Protects your skills from tampering and lets you verify who wrote them.
Install
pip3 install cryptography
That's the only dependency. The tool is a single Python file.
Commands
Generate a signing identity
python3 skillsign.py keygen
python3 skillsign.py keygen --name myagent
Creates an ed25519 keypair in ~/.skillsign/keys/. Share the .pub file. Keep the .pem file secret.
Sign a skill folder
python3 skillsign.py sign ./my-skill/
python3 skillsign.py sign ./my-skill/ --key ~/.skillsign/keys/myagent.pem
Hashes every file (SHA-256), builds a manifest, signs it with your private key. Creates .skillsig/ inside the folder.
Verify a skill folder
python3 skillsign.py verify ./my-skill/
Detects modified, added, or removed files. Verifies the cryptographic signature. Shows whether the signer is trusted.
Inspect signature metadata
python3 skillsign.py inspect ./my-skill/
Shows signer fingerprint, timestamp, file count, and all covered files with their hashes.
Trust an author
python3 skillsign.py trust ./their-key.pub
Adds a public key to your local trusted authors list.
List trusted authors
python3 skillsign.py trusted
View provenance chain (isnād)
python3 skillsign.py chain ./my-skill/
Shows the full signing history — every author who signed the folder, in order.
When to Use
- After installing a new skill — verify it hasn't been tampered with
- Before running untrusted code — check who signed it and whether you trust them
- Periodically — re-verify your skill folders to detect unauthorized modifications
- When publishing skills — sign your work so others can verify it came from you
- When auditing your agent's integrity — run verify on all your skill folders
Example Workflow
# First time: create your identity
python3 skillsign.py keygen --name parker
# Sign your skills
python3 skillsign.py sign ~/.openclaw/skills/my-skill/
# Later: check nothing changed
python3 skillsign.py verify ~/.openclaw/skills/my-skill/
# ✅ Verified — 14 files intact.
# Signer: ca3458e92b73e432 [TRUSTED]
# Someone tampers with a file:
python3 skillsign.py verify ~/.openclaw/skills/my-skill/
# ❌ TAMPERED — Files changed since signing:
# ~ main.py (modified)
# Trust another agent's key
python3 skillsign.py trust ./other-agent.pub
# View full provenance
python3 skillsign.py chain ~/.openclaw/skills/my-skill/
# === Isnād: my-skill/ (2 links) ===
# [1] ca3458e92b73e432 [TRUSTED]
# ↓
# [2] f69159d8a25e8e32 [UNTRUSTED]
Files
4 totalSelect a file
Select a file to preview.
Comments
Loading comments…