ClawHub
Back to skill
v1.1.0

Skillsign — ed25519 Skill Signing

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 4:57 AM.

Analysis

This is a coherent local signing tool, but its verifier appears to rely on unsigned signer metadata for trusted-author and revocation status, which could make an untrusted signature look trusted.

GuidanceTreat this skill as requiring review before relying on it for trust decisions. Its local signing, key storage, and folder hashing are expected for its purpose, but the verifier should be fixed to bind the trusted fingerprint to the actual public key used for signature verification before users depend on `[TRUSTED]` output.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
Hashes every file (SHA-256), builds a manifest, signs it with your private key. Creates `.skillsig/` inside the folder.

The tool recursively reads files in the selected folder and writes signature metadata. This is disclosed and central to the signing purpose, but users should understand the folder mutation.

User impactPointing the command at a broad or unintended folder could create manifests of file names and hashes and add `.skillsig/` metadata there.
RecommendationUse `sign` and `verify` only on intended skill folders, and review generated `.skillsig/` contents before publishing.
Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceHighStatusNote
setup.py
install_requires=["cryptography>=41.0.0"]

The external cryptography dependency is disclosed and appropriate for ed25519 signing, but it is not pinned to an exact version.

User impactInstallation depends on whichever compatible `cryptography` package version the environment resolves.
RecommendationInstall dependencies from a trusted package index and consider pinning or locking dependency versions in security-sensitive deployments.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityHighConfidenceHighStatusConcern
skillsign.py
dirs[:] = [d for d in dirs if d != SKILLSIG_DIR]
...
pub_key = load_public_key_bytes(signer["public_key"].encode("utf-8"))
data = manifest_bytes(stored_manifest)
...
fp = signer["fingerprint"]
revoked, rev_info = is_revoked_at(fp, signer.get("signed_at", ""))
trusted = is_trusted(fp)

The verifier excludes `.skillsig/` from the signed manifest, verifies only the manifest bytes, then uses `signer.json` fields for signer fingerprint, trust, timestamp, and revocation decisions. The shown code does not recompute the fingerprint from the loaded public key before checking trust.

User impactA malicious or altered signed folder could potentially verify with one public key while claiming the fingerprint of a trusted author, causing the output to show `[TRUSTED]` incorrectly.
RecommendationRecompute the fingerprint from the public key used for verification, reject any mismatch with signer metadata, use the recomputed fingerprint for trust and revocation checks, and consider signing or otherwise authenticating signer metadata and revocation-relevant timestamps.
Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
Creates an ed25519 keypair in `~/.skillsign/keys/`. Share the `.pub` file. Keep the `.pem` file secret.

The skill creates and stores local signing credentials. This is purpose-aligned, but the private key controls the user's signing identity.

User impactIf the private `.pem` key is copied or exposed, someone else could sign skill folders as that identity.
RecommendationKeep private keys protected, back them up securely, and avoid sharing or uploading `.pem` files.