Vouch

This instruction bundle describes a legitimate CLI for onchain agent identity, but there are red flags you should address before installing or enabling it. What to check before installing: - Do not blindly run curl | bash. Inspect https://vouch.directory/install.sh and verify its contents and provenance; prefer a release tarball with checksum or an official package manager if available. - Metadata mismatch: the skill's registry entry lists no required binaries or env vars, but the instructions require the vouch binary and jq and describe using API keys and private keys. Ask the publisher to update metadata so you can enforce policy (e.g., require vouch/jq, declare primary credential). - Secret handling: the CLI stores keys at ~/.vouch/keys and supports passing keys/API tokens on the CLI. Avoid embedding long-lived private keys or API keys in agent-generated commands or logs. Prefer short-lived delegated runtime keys and restrict agent allowed_commands in config.json. - Least privilege: run the CLI and the agent in an isolated environment (dedicated VM/container) with strict filesystem permissions if you must allow signing keys on-host. - Configuration: restrict config.json allowed_commands to only the subcommands you trust the agent to run; consider removing commands that accept raw private keys (e.g., flags like --wallet-key or --api-key) from allowed_commands. If you cannot verify the install script or are uncomfortable with local key storage, do not install this on production hosts. If you want to proceed, do a manual install/inspection, confirm network endpoints, and audit the install script and the vouch binary before granting the agent permission to execute vouch commands.