SchemaPin
Pass. Audited by ClawScan on May 1, 2026.
Overview
SchemaPin is a coherent instruction-only guide for adding schema signing and verification, with expected notes around external package installs, TOFU pinning, and local skill-folder signing.
Before using this skill, verify that the SchemaPin packages and documentation are from the publisher you trust, pin dependency versions where appropriate, and understand that the first trusted key may be remembered for future verification.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the wrong or compromised package could affect projects that adopt the library.
The guide directs users to install external packages from package managers. This is expected for a development integration guide, but users should verify the package names, versions, and publisher provenance.
pip install schemapin ... npm install schemapin ... go get github.com/ThirdKeyAi/schemapin/go@v1.3.0 ... schemapin = "1.3"
Verify the official package source, prefer pinned versions where practical, and review dependency provenance before adding it to a project.
If the first key is obtained from an untrusted or compromised source, future checks may continue trusting that initial key.
TOFU creates a persistent trust decision based on the first observed key. This is central to SchemaPin's purpose, but a bad first pin can affect later verification until reviewed or reset.
On first verification, the developer's public key fingerprint is pinned. Subsequent verifications reject different keys for the same domain
Use trusted discovery sources, review initial pins for important domains, and provide a process to rotate or reset pins when needed.
Running the signing workflow on the wrong directory could create manifests containing file paths and hashes for unintended files.
The documented SkillSigner feature reads files from a skill directory and writes a signature manifest. This is purpose-aligned, but users should run it only on intended skill folders.
`canonicalize_skill()`: Recursively walks skill directory ... hashes each file ... `sign_skill()`: ... Writes `.schemapin.sig` JSON
Confirm the target directory before signing and review the generated `.schemapin.sig` manifest before sharing or publishing it.
