ClawHub

OCC for OpenClaw

v1.1.1

OCC (Origin Controlled Computing) — cryptographic proof of every OpenClaw agent action. Install, configure, and audit.

0· 415·0 current·0 all-time
byMike@mikeargento
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill is described as an OpenClaw plugin that commits OCC proofs; the SKILL.md instructs installing the npm package (openclaw-occ), configuring ~/.openclaw/workspace/occ.json, and optionally deploying a Cloudflare Worker notary. Those requirements are consistent with a plugin that records and posts proofs to notaries. Note: registry metadata listed no required binaries, but SKILL.md lists npm, npx, curl, and wrangler as required — this is a minor metadata mismatch but not a functional inconsistency.
Instruction Scope
The instructions stay within the plugin's stated scope: install the npm package, create the occ.json config, optionally deploy a Cloudflare Worker, and run verification commands (npx occ-verify, occ audit). The SKILL.md does not instruct reading unrelated system files or harvesting credentials. It does, however, instruct making network calls to the configured notary endpoints (default remote or user-supplied).
Install Mechanism
This is an instruction-only skill (no install spec), but it tells users to run `npm install -g openclaw-occ` and to use npx/wrangler for deployment. Installing a global npm package will download and install code from the npm registry, which is normal for this use-case but carries typical supply-chain and execution risks — the SKILL.md points to source and docs, which helps auditing.
Credentials
No environment variables or unrelated credentials are requested by the skill. The only additional credentials implied are for self-hosting (a Cloudflare account and authenticated wrangler) if the user chooses that path, which is expected and proportional to the self-hosting option. The default remote notary receives compact proof metadata (tool name, timestamp, hash, counter) per the documentation.
Persistence & Privilege
The skill is not always-enabled and is user-invocable. It does not request system-wide persistent privileges beyond installing a plugin package (global npm) and writing files under ~/.openclaw/workspace/, which is consistent with its purpose.
Assessment
This skill appears to do what it says, but take normal precautions before installing: 1) Review the npm package source (the SKILL.md links to the GitHub repo) before running `npm install -g` — global npm installs run code on your machine. 2) If you care about privacy, use "mode": "stub" (local-only) or self-host a notary; the default uses a third-party workers.dev notary that will receive compact proof metadata (tool name, timestamp, hash, counter). 3) Note the small metadata mismatch: registry metadata said no required binaries, but the SKILL.md lists npm, npx, curl, and wrangler — make sure those tools are acceptable in your environment. 4) If you will deploy the Cloudflare Worker, ensure you understand and secure your Cloudflare account and KV namespace. 5) Prefer verifying signatures/offline verification of saved public keys before trusting remote proofs.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fhk7bkbdnrpyymg1zvp5svx8209aj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔐 Clawdis

Comments