Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Know Your Agent (KYA) Implementation Playbook
v1.3.1
Know Your Agent (KYA) Implementation Playbook. Build a production KYA verification pipeline: agent identity binding, authority scoping, runtime behavioral mo...
by @mirni
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill is an educational/platform-side implementation playbook. A documentation-only guide should not need a user's private signing key as a required runtime credential. Requiring AGENT_SIGNING_KEY is inconsistent with a purely instructional purpose unless the guide actually executes signing operations; the SKILL.md claims examples run against production endpoints, but that alone doesn't justify making a private key a required environment variable.
Instruction Scope
SKILL.md is large and appears to include runnable code examples that target GreenHelix production endpoints. The guide explicitly asks users to supply AGENT_SIGNING_KEY in their environment. Even if the guide 'does not execute code', marking the key as required will expose the secret to the agent runtime if installed. The instructions' scope (production endpoints + a required private key) raises risk of key misuse or accidental exfiltration.
Install Mechanism
No install spec and no code files beyond the markdown; nothing is written to disk by an installer. Instruction-only makes the installation risk low in itself.
Credentials
The skill demands a single sensitive environment variable, AGENT_SIGNING_KEY, declared as the primary credential. For a guide, this is disproportionate: documentation should use example/test keys or instruct users how to generate and use keys locally rather than require a secret. The requirement increases the risk surface because the agent runtime will have access to a private signing key if provided.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not declare modification of other skills or system settings. Autonomous invocation is allowed (platform default) but that by itself is not an escalated privilege here.
What to consider before installing
This playbook appears coherent as documentation but its requirement for AGENT_SIGNING_KEY is a red flag. Do not supply a real private signing key to this skill. Before installing or enabling it: (1) ask the author why the key is required and whether examples can use sandbox/test keys or key-generation instructions instead; (2) inspect the full SKILL.md for any code that transmits the key to external endpoints (the guide references GreenHelix production endpoints); (3) if you want to try examples, use an isolated environment and ephemeral/test keys, or a dedicated non-production account; (4) verify the source/author provenance — the registry shows 'unknown' homepage and an owner id only; and (5) prefer a version of the guide that does not declare sensitive secrets as required environment variables. If you must provide a key, restrict it to a test key with no production privileges and rotate/revoke it afterwards.
Like a lobster shell, security has layers — review code before you run it.
ai-agent · compliance · eu-ai-act · greenhelix · guide · identity · kya · latest · openclaw · trust · verification
Runtime requirements
Env: AGENT_SIGNING_KEY
Primary env: AGENT_SIGNING_KEY
