ClawHub

Agent Mandate Protocol

v1.0.1

Use A-MAP (Agent Mandate Protocol) to verify incoming agent requests, sign outgoing requests, and delegate permissions to sub-agents. Covers the full cryptog...

1· 107·0 current·0 all-time
byShu-Yu (Jimmy) Lee@jimmyshuyulee
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description describe an A-MAP JS SDK usage pattern. Required binaries (node, npm) and required env vars (AMAP_PRIVATE_KEY for signing, SENDER_PUBKEY for verifying) match the documented operations and are expected for a TypeScript/Node usage guide.
Instruction Scope
SKILL.md contains step-by-step usage for verifyRequest, signRequest, and delegation. It does not instruct reading unrelated files, harvesting unrelated env vars, or sending data to hidden endpoints. It explicitly warns about guardrails (do not log private key, use shared nonce store in production).
Install Mechanism
This is an instruction-only skill (no install spec). It shows an npm install command as a usage suggestion but does not perform any automatic downloads. Instruction-only is the lowest-risk install model.
Credentials
Only two env vars are required: AMAP_PRIVATE_KEY (private key used to sign) and SENDER_PUBKEY (public key used to verify a sender DID). Both are directly justified by the skill's cryptographic signing/verification purpose and are minimal for that functionality.
Persistence & Privilege
The skill is not always-enabled, does not request system config paths, and does not instruct changing other skills' configurations. It does not request persistent privileges beyond normal runtime environment variables.
Assessment
This skill is an instruction-only guide to using the A-MAP JS SDK and is internally consistent with that purpose. Before using it: 1) treat AMAP_PRIVATE_KEY as a high-value secret—store it in a secrets manager, never check it into source or logs, and use a dedicated key with limited scope and rotation. 2) Verify the npm package and GitHub repository provenance before installing (@agentmandateprotocol/core); run an npm audit and review package code if you will run it in production. 3) Do not rely on the provided InMemoryNonceStore in multi-instance deployments—use a shared store (Redis, Cloudflare KV) as the docs warn. 4) Ensure your environment clock is correct (timestamps are enforced). 5) Ensure SENDER_PUBKEYs are distributed securely out-of-band and that public keys are validated. 6) Because this is instruction-only, the skill will not auto-install anything; running the SDK requires you to install and vet dependencies yourself.

Like a lobster shell, security has layers — review code before you run it.

latestvk979rk261rm6741e6n1bep6pb983396e

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsnode, npm
EnvAMAP_PRIVATE_KEY, SENDER_PUBKEY

Comments