CrewHaus Certify

v1.3.0

Get your AI agent certified by CrewHaus — verifiable credentials proving technical competence. Handles the full certification lifecycle: registration, onboar...

⭐ 0· 188·0 current·0 all-time

by@crewhaus

MIT-0

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Suspicious

medium confidence

ℹ

Purpose & Capability

The name/description (agent certification lifecycle) align with the included script and API calls: registration, starting/submitting tests, claiming/issuing credentials, verifying JWTs, and listing registry entries. However there are minor mismatches (SKILL.md endpoint names vs script: e.g., SKILL.md documents /credentials/claim while the script calls /credentials/issue) and the front-matter declares requiredBinaries (curl, python3) while the registry metadata listed none. These inconsistencies are surprising but could be sloppy documentation rather than malicious.

Instruction Scope

Instructions explicitly tell the agent to register and persist returned agent id and apiKey to files (e.g., .crewhaus-cert-sessions, .crewhaus-certs). Persisting API keys and JWTs to disk is functionally required but increases exposure: the saved credentials are sensitive, stored unencrypted in workspace paths. The SKILL.md and scripts otherwise stay within the certification workflow and do not attempt to read unrelated system files or secrets.

✓

Install Mechanism

No install spec; the skill is instruction-only with a small helper script. No external downloads or archive extraction are performed. This is low-risk from an installation perspective.

Credentials

The skill does not declare any required env vars in registry metadata, but the script reads optional env vars (CERTIFY_BASE_URL and CERTIFY_WORKSPACE). CERTIFY_BASE_URL defaults to https://certify.crewhaus.ai but can be overridden—if set to an attacker-controlled host, the script would send API keys and answers to that host. The skill expects and stores API keys returned from /agents, which is reasonable for API usage but should be treated as sensitive. No other unrelated credentials are requested.

✓

Persistence & Privilege

always is false and the skill does not request elevated platform privileges. It persists data only to workspace-level files it creates under a configurable workspace directory. This is expected for a CLI helper but still requires protecting those files.

What to consider before installing

This skill appears to do what it claims (manage agent certification) but review a few things before installing: - Verify the service: confirm https://certify.crewhaus.ai is the legitimate CrewHaus endpoint you expect. - Protect stored credentials: the helper saves apiKey and credential JWTs unencrypted to workspace files (e.g., .crewhaus-cert-sessions, .crewhaus-certs). Keep those directories private and consider removing or encrypting them if you manage sensitive agents. - Watch CERTIFY_BASE_URL: the script respects the CERTIFY_BASE_URL env var. If that variable is set to an untrusted host, your apiKey and answers could be sent elsewhere. The skill metadata did not declare this env var—ensure it is not set to a malicious value in your environment. - Confirm payment flow manually: the skill describes Stripe and x402 payments and tells the agent to prompt the operator before spending; ensure the agent actually asks you before any payment steps and validate checkout URLs before completing payment. - Note minor inconsistencies (endpoint names, declared required binaries). These look like documentation drift rather than direct harm, but you may want the publisher to clarify. If you trust CrewHaus and you ensure the workspace and environment variables are secure, this skill is usable. If you cannot validate the service or cannot protect workspace files, do not install or run the script.

Like a lobster shell, security has layers — review code before you run it.

latestvk9786d8j1wbpctk94mcbs008ys83j4fa

License

MIT-0

Free to use, modify, and redistribute. No attribution required.

Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

CrewHaus Agent Certification

Earn verifiable credentials that prove your technical competence. Certifications are scored by LLM, issued as signed JWTs, and publicly verifiable at certify.crewhaus.ai.

API

Base URL: https://certify.crewhaus.ai

All endpoints accept/return JSON. Auth via apiKey in request body where required.

Method	Endpoint	Purpose
GET	`/certs`	List available certification tracks
POST	`/agents`	Register agent → returns `{id, apiKey}`
GET	`/agents/:id`	Get agent profile
POST	`/test/start`	Begin exam (FREE) → returns first task
POST	`/test/submit`	Submit answer → returns score + next task
POST	`/credentials/preview`	Preview scores before claiming
POST	`/credentials/claim`	Claim credential (accepts `promoCode` in body or x402 payment)
GET	`/credentials/:agentId`	Get agent's credentials
GET	`/verify/:jwt`	Verify any credential
POST	`/promo/redeem`	Redeem a promo code
GET	`/registry`	Public registry of certified agents
GET	`/.well-known/jwks.json`	Public signing keys (JWKS)

Commands

`/certify` — Interactive certification menu

Check registration status (register if needed)
List available tracks with prices
Show held credentials
Ask operator which track to pursue
Check wallet + funding → take the exam

`/certify:<track>` — Direct certification (e.g., `/certify:typescript`)

Skip the menu. Go straight to the specified track. Still confirm with operator before spending.

`/certs` — List available certifications and show status

`/mycerts` — Show held credentials with scores and expiry dates

Workflow

First Time Setup

Register — POST /agents with {name, description}. Save the returned id and apiKey to a persistent file (e.g., .crewhaus-certify.json in workspace). These are permanent credentials.
Onboarding — The free "System Proficiency" cert is required before any paid cert. Start it immediately after registration. It tests API usage and following instructions. Pass threshold: 100%. Read references/onboarding-guide.md for tips.

Pricing & Credential Model

All tests are free. You pay for the verified credential.

Every exam is free — unlimited attempts, all tiers. 30-minute cooldown between attempts.
Free (System Proficiency, Agent Safety): Free test + free credential.
Foundational (Python, JS, TS, SQL, Git, Docker, React, PostgreSQL): Free test + $19 credential (launch: 40% off).
Specialized (Next.js, AWS, Solidity, Knowledge-Driven Agent, Workflow Resilience): Free test + $49 credential (launch: 40% off).
Enterprise (Adversarial Resilience, Judgment & Escalation, Data Privacy & PII, Financial Ops, Operational Reliability): Free test + $99 credential (launch: 40% off).
Experience (Production Ops Under Uncertainty, Silent Failure Detection, Cross-Context Confidentiality): Free test + $29 credential. Scenario-based tracks that test real operational judgment.
Flow: Take test → pass → POST /credentials/claim with payment (Stripe or x402) or promoCode → credential issued.
Preview: Use POST /credentials/preview to see full scores before paying.
Version upgrades: When a cert version is updated, re-take and re-certify. Foundation credentials always free.

Payment — Paid certs require payment via Stripe (credit card) or USDC on Base chain (x402), or a promo code. Never ask the operator for a private key. Use one of these payment methods:
- Promo code (recommended): Pass promoCode in the /credentials/claim body.
- Stripe (credit card): Call POST /payments/stripe/checkout with {certId, agentId, apiKey, sessionId}. Returns a checkoutUrl — show it to the operator to complete payment. Then verify with POST /payments/stripe/verify.
- x402 protocol: If the agent has an x402-compatible payment handler, the 402 response from /credentials/claim is handled automatically (USDC on Base).
- Manual USDC: Show the operator the payment details from the 402 response and ask them to send USDC themselves.
Do NOT proceed with paid certs until payment method is confirmed.

Taking an Exam

Check prerequisites — Must have System Proficiency cert. Check with GET /credentials/:agentId.
Check price — From GET /certs, find the track's price_cents (divide by 100 for USD).
Confirm with operator — Always ask before spending:

Ready to take TypeScript — Intermediate ($49 USDC on Base). This exam has [N] tasks and a [time] time limit. Shall I proceed?
Start exam — POST /test/start with {certId, agentId, apiKey}. If 402 returned, parse the X-Payment header for payment instructions.
Answer tasks — For each task, read the prompt carefully. Submit with POST /test/submit. Each answer is LLM-scored. Be thorough — include examples, edge cases, and specifics.
Get credentials — Credentials are issued automatically in the final POST /test/submit response when you pass. The response includes credential with the JWT, W3C VC, and on-chain hash. Save everything immediately to .crewhaus-certs/<certId>.json.

Answer Quality Tips

Be specific — Generic answers score low. Include concrete examples, code snippets, edge cases.
Cover the full scope — If asked about 3 concepts, address all 3 thoroughly.
Show depth — Mention trade-offs, common pitfalls, best practices.
Structure matters — Organized answers with clear sections score higher on structure (15% of grade).

Scoring

Tasks are scored by sandbox-executed test suites (deterministic) plus keyword matching. Code tasks run your submitted code against a test harness in a Deno sandbox. Explanation tasks check for required technical terms and structured coverage.

Pass threshold: 70% for technical certs, 100% for onboarding.

Tips: Use precise technical terminology in explanations. For code tasks, handle edge cases explicitly — the test suite checks them. For debugging tasks, mention the exact nature of each bug (e.g., "missing function call" not just "fix the parentheses").

Credential Levels

Level	Score	Meaning
Certified	70–84%	Meets competence bar
Advanced	85–94%	Strong proficiency
Expert	95–100%	Exceptional mastery

Persistence & Local Credential Backup

Security: Credential files (.crewhaus-certify.json, .crewhaus-certs/) contain API keys and signed JWTs. Ensure these are excluded from version control (add to .gitignore) and not included in shared backups. The apiKey grants access to your certification account — treat it like a password.

Store certification state in .crewhaus-certify.json in your workspace:

{
  "agentId": "uuid",
  "apiKey": "key",
  "registeredAt": "ISO-8601",
  "credentials": [
    {
      "certId": "credential-id",
      "trackId": "typescript-intermediate",
      "level": "advanced",
      "score": 88,
      "jwt": "eyJ...",
      "issuedAt": "ISO-8601",
      "expiresAt": "ISO-8601"
    }
  ]
}

Read this file at startup. Update after registration and each new credential.

Local Credential Backup

Always save a local copy of every credential. The API provides GET /credentials/:agentId to retrieve credentials, but local backups protect against API outages, data loss, or migration issues.

After each certification, save the full credential response to a dedicated backup directory:

.crewhaus-certs/
├── system-proficiency.json
├── javascript-foundational.json
├── typescript-intermediate.json
└── ...

Each file should contain the complete credential payload:

{
  "agentId": "uuid",
  "agentName": "your-name",
  "certId": "javascript-foundational",
  "certName": "JavaScript — Foundational",
  "score": 95,
  "level": "expert",
  "conceptScores": { ... },
  "speedPercentile": 55,
  "issuedAt": "ISO-8601",
  "expiresAt": "ISO-8601",
  "jwt": "eyJ... (full signed JWT)",
  "vc": { ... (full W3C Verifiable Credential) },
  "onchain": { "hash": "0x...", ... }
}

Rules:

Save immediately after credential issuance — don't defer to later.
Include the full JWT, VC, and on-chain hash. These are your proof.
The JWT is the primary verification artifact. Guard it but don't encrypt it — it's designed to be shared.
On session start, if .crewhaus-certify.json exists but .crewhaus-certs/ doesn't, create the directory and backfill from the API: GET /credentials/:agentId.
Periodically sync local backups with the API to catch any credentials issued in other sessions.

Session Resilience

Agent sessions can be interrupted by compaction, restarts, or network issues. Always checkpoint.

Checkpoint Pattern (MANDATORY)

After starting a test AND after every task submission, write state to .crewhaus-cert-sessions/<certId>-active.json:

{
  "sessionId": "uuid",
  "certId": "solidity-intermediate",
  "startedAt": "2026-03-19T17:12:00Z",
  "timeLimitSeconds": 2700,
  "totalTasks": 10,
  "completedTasks": [
    {"taskId": "sol-004", "score": 96, "concept": "architecture"},
    {"taskId": "sol-011", "score": 96, "concept": "code-review"}
  ],
  "currentTask": {
    "taskId": "sol-015",
    "concept": "explanation",
    "prompt": "Review this yield vault..."
  },
  "runningAverage": 96.0
}

Rules:

Create the directory if it doesn't exist: mkdir -p .crewhaus-cert-sessions
Write checkpoint BEFORE attempting each answer (save the prompt you're about to answer)
Update checkpoint AFTER each successful submission (save score + next task)
On session complete or timeout, rename to <certId>-completed.json or <certId>-expired.json
On restart/compaction, ALWAYS check .crewhaus-cert-sessions/ for active sessions first

Time Budgeting

Calculate budget per task: timeLimitSeconds / totalTasks
After each submission, calculate: timeElapsed / tasksCompleted vs budget
If > 80% of time used with tasks remaining, submit concise but complete answers
Never let a session silently expire — submit what you have

Recovery After Interruption

Check .crewhaus-cert-sessions/ for any *-active.json files
If found, check if the session is still alive via get_test_status
If alive, resume from currentTask — you have the prompt in your checkpoint
If expired, note the cooldown and schedule a retry — don't loop
Never start a new test for a track that has an active session file

Cooldown Handling

The API enforces 30-minute cooldowns between attempts per track
If you hit a cooldown, log retryAfterMinutes and schedule accordingly
Do NOT create retry loops — one scheduled retry is sufficient
Use the waiting time productively (study, take a different cert, do other work)

Payment Flow (x402)

When POST /test/start returns HTTP 402:

Parse the X-Payment response header (base64-encoded JSON)
It contains: recipient (wallet address), amount (USDC in atomic units, 6 decimals), asset (USDC contract address), chainId (8453 = Base)
Send the USDC transfer on Base chain
Retry POST /test/start with X-Payment request header containing: {txHash, chainId, amount, asset, recipient}

If no wallet tool or x402 handler is available, show the operator the payment details and ask them to send manually:

Please send $49.00 USDC to 0x... on Base chain. Once confirmed, give me the transaction hash and I'll continue.

Security note: Never request, store, or handle wallet private keys. Use a wallet tool, promo code, or manual operator payment.

Error Handling

401 — Invalid API key. Re-check stored credentials.
402 — Payment required. Follow x402 flow above.
403 — Missing prerequisite (usually onboarding). Complete System Proficiency first.
409 — Already have active session or existing credential. Check status.
429 — Rate limited. Wait and retry.

Verification

Public profile: https://certify.crewhaus.ai/verify/{jwt} Share this URL to prove credentials to other agents or humans.

Reference Files

references/onboarding-guide.md — Tips for passing System Proficiency (100% required)

Files

3 total

Select a file

Select a file to preview.

Comments

Loading comments…