ClawHub

SettlementWitness

v0.0.11

Verify structured agent task outputs with signed receipts and optional TrustScore attribution.

1· 1.7k·0 current·0 all-time
by@nutstrut
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name and description match the SKILL.md: it describes a deterministic verifier that accepts structured spec/output and returns a verdict and signed receipt. No unrelated binaries, env vars, or install steps are requested.
Instruction Scope
SKILL.md restricts inputs to structured task data and explicitly warns not to include secrets; it does not instruct reading local files or other system state. However, it references submitting data to an external endpoint (https://defaultverifier.com/settlement-witness), which is expected for a remote verifier but worth validating.
Install Mechanism
No install spec and no code files (instruction-only). This minimizes on-disk risk; nothing is downloaded or installed by the skill itself.
Credentials
The skill requests no environment variables, credentials, or config paths. The optional agent identity (wallet address) is consistent with attribution/reputation use described in the doc; no excessive secrets are requested.
Persistence & Privilege
Flags show defaults (not always:true). The skill is user-invocable and can be called autonomously by the agent (normal behavior). It does not request persistent system privileges or modify other skills.
Assessment
This skill is internally coherent and minimal — it simply describes submitting structured task results to a verifier and receiving a signed receipt. Before using it: 1) Verify the external endpoint (https://defaultverifier.com/...) — confirm the operator, TLS certificate, and a privacy/data policy; the SKILL.md's domain looks like a placeholder and may not be trusted by default. 2) Never send secrets or private data; follow the skill's guidance to only submit minimal structured task data and, if possible, send synthetic/test inputs first. 3) Check the public keys URL (/.well-known/sar-keys.json) to confirm signatures can be independently verified and optionally validate a few sample receipts. 4) If you require stronger guarantees, host or run your own verifier implementation rather than relying on an unknown remote service. If you want, provide the actual verifier domain/operator or a sample receipt you received and I can help validate the signature and keys.

Like a lobster shell, security has layers — review code before you run it.

latestvk979p8tgv4411gdz7sph3s9kz183vg6g

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments