Agent Trust Protocol
Advisory
Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or malformed Moltbook username, domain, or post ID could cause the agent to run unintended local shell commands.
User-controlled CLI values such as username, domain, and post_id are concatenated into shell commands with shell=True, allowing shell metacharacters to execute local commands if untrusted data is passed through.
subprocess.run(f"python3 {ATP_PY} {args}", shell=True, ...); score_out = atp_cmd(f"trust score {username}{domain_flag}"); subprocess.run(f"python3 {moltbook_py} post {post_id}", shell=True, ...)
Replace shell=True calls with argument-list subprocess.run(..., shell=False), validate usernames/domains/post IDs, and avoid reusing persisted bridge values as command text.
Running the demo may pollute or overwrite persistent trust records, which could affect future trust reports or agent decisions.
The demo intends to use isolated ATP data but performs trust add/interact/revoke/restore operations. The provided atp.py configuration stores ATP data under Path.home()/.atp, so unless overridden elsewhere, demo data can persist into the user's real trust graph.
# Isolated environments for each agent ... atp_env = {"ATP_DATA_DIR": atp_data} ... atp(f'trust add alpha --fingerprint ... --score 0.7', env=atp_env) ... atp('trust revoke bravo --reason "Attempted to distribute unsigned skill"', env=atp_env)
Make ATP honor a documented data-directory override, run demos under a temporary HOME or explicit test database, warn users before mutating trust state, and provide reliable cleanup for demo-created records.
Old, test, or manually altered trust records could influence future decisions about which agents are trusted.
The skill persistently stores trust scores and interaction notes in local files that may influence later trust calculations.
ATP_DIR = Path.home() / ".atp"; TRUST_DB = ATP_DIR / "trust.json"; INTERACTIONS_DB = ATP_DIR / "interactions.jsonl"; f.write(json.dumps(record) + "\n")
Review ~/.atp regularly, protect it with normal file permissions, avoid sensitive notes, and treat trust scores as advisory rather than authoritative.
Local users or processes on the same machine may be able to read trust records and interaction notes while the dashboard is running.
The dashboard exposes trust and interaction records through unauthenticated localhost API endpoints. Binding to 127.0.0.1 is a limiting control, but local processes can still access it while running.
if self.path == "/api/trust": self._json_response(self._load_trust()) ... elif self.path == "/api/interactions": ... server = HTTPServer(("127.0.0.1", PORT), ATPHandler)
Only run the dashboard when needed, stop it afterward, and avoid putting sensitive information in interaction notes.
Using the wrong or overly privileged signing key could affect agent identity and trust relationships.
The protocol relies on agent identity keys for signing and challenge-response, which is expected for the stated purpose but is sensitive identity material.
Each agent has an ed25519 keypair ... Agent A can challenge Agent B: "Sign this nonce with your key"
Use dedicated skillsign keys for this workflow and do not grant the skill access to unrelated private keys.
Future changes to the remote repositories could differ from the reviewed artifacts.
Installation guidance points to unpinned GitHub sources and an external companion project. This is user-directed and purpose-aligned, but provenance and version pinning are not documented.
git clone https://github.com/FELMONON/trust-protocol.git ... Pair with skillsign for identity: https://github.com/FELMONON/skillsign
Install from a reviewed commit or release tag, verify the companion skillsign code, and keep package metadata aligned with the reviewed source.
