Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pact Skill

v0.3.0

PACT — Protocol for Agent Constitutional Trust. Five-chamber agent-to-agent trust and negotiation protocol. Handles identity verification, intent analysis, c...

by Godman Protocols @skingem1

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for skingem1/godman-pact.

Install the skill "Pact Skill" (skingem1/godman-pact) from ClawHub.
Skill page: https://clawhub.ai/skingem1/godman-pact
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install godman-pact

ClawHub CLI

npx clawhub@latest install godman-pact

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

[!] Purpose & Capability
The description claims on‑chain attestations (EAS on Base), EIP‑712 dual signatures, DID resolution, ERC‑8004 verification, and HMAC session tokens. Those capabilities normally require private keys, RPC endpoints, and an SDK/library; the registry metadata declares no env vars, no installs, and no primary credential, which is disproportionate to the stated purpose.
[!] Instruction Scope
The SKILL.md contains runtime guidance and a TypeScript import for '@godman-protocols/sdk' and references identity verification, signing, and on‑chain attestations. These instructions implicitly require access to keys, network endpoints, and signing facilities, but they do not specify what files, env vars, or endpoints to use. The prose also references integrations (LAX, DRS) without endpoints — this is vague and gives the agent broad discretion.
Install Mechanism
This is an instruction‑only skill with no install spec. That can be acceptable, but the SKILL.md explicitly imports an SDK package; without an install or dependency list, it's unclear whether the runtime environment actually provides the required SDK or how it will be obtained. Lack of a verified source/homepage increases uncertainty.
[!] Credentials
No environment variables, credentials, or config paths are declared, yet the protocol described requires signing keys (for EIP‑712), secrets for HMAC, and blockchain RPC/provider access for attestations. The absence of declared secrets or a primary credential is disproportionate and could mask undisclosed requirements to provide sensitive keys later.
Persistence & Privilege
The skill is not marked 'always' and is user‑invocable (defaults). It does not request persistent system configuration or modify other skills according to the metadata. Autonomous invocation is allowed (platform default) but does not combine here with an 'always' flag or declared broad privileges.
What to consider before installing
This skill's description expects on‑chain signing, DID resolution, and secret keys, but the package declares no installs or environment variables. Before installing or enabling it:

  1) Ask the publisher for a homepage, source code, and an explicit list of required env vars (wallet keys, RPC URLs, SDKs, endpoints).
  2) Require the SDK to come from a trusted registry (npm/GitHub release) and inspect its code for where keys are used or transmitted.
  3) Do not supply private keys or long‑lived credentials until you can verify the implementation; use ephemeral/test keys in an isolated environment first.
  4) Request a clear privacy/audit statement about on‑chain attestations and any external endpoints (LAX/DRS).

These steps will reduce ambiguity and the risk of secret exfiltration or unexpected on‑chain actions.

Like a lobster shell, security has layers — review code before you run it.

82 downloads
0 stars
1 version
Updated 3w ago
v0.3.0
MIT-0

PACT — Protocol for Agent Constitutional Trust

"Negotiate before you integrate."

Use this skill when two agents from different systems need to establish trust before transacting. PACT provides a five-chamber protocol that handles the full lifecycle from first contact to secure session.

Five Chambers

import { pact } from '@godman-protocols/sdk';

// Chamber 1 — Public Entry Gate: rate limiting, DID resolution
// Chamber 2 — Identity Analysis: ERC-8004 verification, trust score → session ceiling
// Chamber 3 — Intent Analysis: 3-pass prompt injection scanner, coherence check
// Chamber 4 — Negotiation Room: capability declaration, payment terms, EIP-712 dual signature
// Chamber 5 — Secure Channel: capability-locked session token via HMAC(deal_hash + agent_did + expiry)

Trust Score → Session Ceiling

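| Score Range | Ceiling | Duration | Price Multiplier |
|---|---|---|---|
| 85-100 | FULL | 24h | 1.0x |
| 70-84 | STANDARD | 4h | 1.2x |
| 50-69 | RESTRICTED | 1h | 1.5x |
| 30-49 | MINIMAL | 15m | 2.0x |
| <30 | REJECTED | | |
| Unknown | PROVISIONAL | 15m | 2.5x |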
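
An added example, not code from the PACT SDK or its publisher: one way to build the Chamber 5 token the skill describes as HMAC(deal_hash + agent_did + expiry), with the lifetime taken from the ceiling table above. The function names, the length-prefixed field encoding and the hex token format are assumptions; only Node's built-in crypto module is used.

```javascript
const crypto = require('node:crypto');

// Ceiling table copied from the page: [minimum score, ceiling, lifetime in seconds].
const CEILINGS = [
  [85, 'FULL', 24 * 3600],
  [70, 'STANDARD', 4 * 3600],
  [50, 'RESTRICTED', 3600],
  [30, 'MINIMAL', 15 * 60],
];

// Unknown score -> PROVISIONAL (15m); below 30 -> REJECTED, so no session is issued.
function ceilingFor(score) {
  if (score === null || score === undefined) return { ceiling: 'PROVISIONAL', ttl: 900 };
  const row = CEILINGS.find(([min]) => score >= min);
  return row ? { ceiling: row[1], ttl: row[2] } : { ceiling: 'REJECTED', ttl: 0 };
}

// Length-prefix each field so ("ab","c") and ("a","bc") never yield the same MAC input.
function macInput(fields) {
  return Buffer.concat(fields.map((f) => {
    const body = Buffer.from(String(f), 'utf8');
    const len = Buffer.alloc(4);
    len.writeUInt32BE(body.length);
    return Buffer.concat([len, body]);
  }));
}

function tag(key, dealHash, agentDid, expiry) {
  return crypto.createHmac('sha256', key).update(macInput([dealHash, agentDid, expiry])).digest();
}

// Returns null for a REJECTED score; otherwise the expiry is bound into the MAC.
function mintSessionToken(key, dealHash, agentDid, score, nowSec) {
  const { ceiling, ttl } = ceilingFor(score);
  if (ceiling === 'REJECTED') return null;
  const expiry = nowSec + ttl;
  return { ceiling, expiry, mac: tag(key, dealHash, agentDid, expiry).toString('hex') };
}

// Recompute the MAC from the presented claims, compare in constant time, then check expiry.
function verifySessionToken(key, dealHash, agentDid, token, nowSec) {
  const expected = tag(key, dealHash, agentDid, token.expiry);
  const given = Buffer.from(String(token.mac), 'hex');
  if (given.length !== expected.length) return false;
  return crypto.timingSafeEqual(given, expected) && nowSec < token.expiry;
}
```

Plain string concatenation of the three fields would let a boundary shift between deal_hash and agent_did verify under the same MAC; the length prefixes are what rule that out here.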

When to Use

  • First contact between agents from different systems
  • Establishing trust before any data exchange or payment
  • Constitutional negotiation (what constraints each agent requires)
  • Creating capability-locked session tokens with automatic expiry

Notes

  • SOUL constraints override PACT sessions — never use PACT to bypass safety rules
  • Every PACT session produces an EAS attestation on Base (on-chain audit trail)
  • Integrates with LAX for discovery and DRS for deal receipts
