JEP-Guard Audit

v1.0.0

JEP-Guard Audit Skill — Strict JEP-04/JAC-01 Compliant Audit Chain with Friendly API Layer

by JEP (Judgment Event Protocol) @schchit

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for schchit/jep-guard-audit.

Install the skill "JEP-Guard Audit" (schchit/jep-guard-audit) from ClawHub.
Skill page: https://clawhub.ai/schchit/jep-guard-audit
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install jep-guard-audit

ClawHub CLI


npx clawhub@latest install jep-guard-audit
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name, description, API (ingest / chain / export), and code files align: the adapter, codec, and engine implement mapping, canonicalization, hashing, and rule checks consistent with a JEP-04/JAC-01 audit chain. Minor mismatch: some docstrings claim nonce generation may use event_id as seed but the code always generates a fresh UUIDv4. More importantly, the code claims strict JWS signature handling but only performs presence checks rather than real cryptographic verification (see codec.verify_jac_core and core.signature_valid usage). For a compliance/audit skill, cryptographic signature verification is material.
Instruction Scope
SKILL.md and the FastAPI entrypoint describe only the audit API and schema; runtime instructions do not request unrelated files, env vars, or external endpoints. However the implementation uses a placeholder approach for signature verification (treating any non-empty sig as valid in some checks), which is scope creep in the sense that the skill advertises strict protocol compliance but omits the critical crypto verification step. Also, the provided core.py content in the review is truncated, preventing confirmation that export and other logic do not contact external endpoints or perform additional I/O.
Install Mechanism
No install spec is provided (instruction-only at registry-level). The manifest lists reasonable Python dependencies (fastapi, uvicorn, pydantic) appropriate for a web API. There are no download URLs, no obscure installers, and no package manager scripts embedded in the skill package. Users will need to pip-install the listed dependencies to run the API.
Credentials
The skill declares no required environment variables, no primary credential, and no config paths. The code also does not read env vars in the reviewed portions. This is proportionate to a local audit service that does not integrate with external cloud providers or secret stores.
Persistence & Privilege
Skill flags are default (not always:true). It runs as a user-invocable FastAPI service and does not request persistent system privileges or modify other skills. Deploying it will expose an HTTP API — users should treat that as an operational concern (authentication, network exposure), but the skill itself does not assert elevated platform privileges.
Assessment
This package appears to implement the advertised audit chain API and protocols, but before installing or deploying it consider the following:

  1. Cryptography: the code currently treats signatures as a presence check rather than performing real JWS signature verification — do not rely on it for legal/regulatory evidence until proper signature checks are implemented and audited.
  2. Incomplete review: the provided core.py excerpt was truncated in the review package — obtain and inspect the complete source to ensure there are no hidden network calls, telemetry, or storage behaviors.
  3. Deployment: the skill exposes an HTTP API (uvicorn/FastAPI); if you run it, protect the endpoint (authentication, TLS, network controls) and validate retention/storage meets regulatory needs (EU AI Act retention rules).
  4. Supply chain: pip-install the declared dependencies from trusted registries and run the included unit tests in an isolated environment to confirm behavior.
  5. If you need this for compliance evidence, require a cryptographic verification audit (implement/verify JWS verification and secure key management) before accepting chain outputs as authoritative.


MIT-0

JEP-Guard Audit Skill

Strict JEP-04 / JAC-01 Compliant Audit Chain

Architecture

Three-layer design:

  1. GuardSkill — Friendly API (issuer, assertion, target)
  2. JEPAdapter — Maps friendly fields to strict JEP-04
  3. JEPCodec — Strict protocol implementation (jep, verb, who, when, what, nonce, aud, ref, sig)

Protocol Alignment

JEP-04 Field    API Field                   Notes
jep             (auto)                      Fixed to "1"
verb            primitive                   J/D/T/V
who             issuer                      Actor DID
when            timestamp                   ISO → Unix seconds
what            assertion                   SHA-256 multihash
nonce           (auto)                      UUIDv4
aud             target                      Recipient
ref             prev_event_id / verify_of   Chain link
sig             signature                   JWS
task_based_on   parent_task_hash            JAC-01 causality
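
The security scan above reports that any non-empty sig is accepted as valid. The following added example (not the skill's own code) contrasts that presence check with an actual verification. It assumes sig is a compact JWS using HS256 over a canonical JSON form of the other fields; the key, the event values and all helper names are constructed for illustration.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed; a real key comes from a key store
EVENT = {  # constructed sample using the JEP-04 field names from the table above
    "jep": "1", "verb": "J", "who": "did:example:alice", "when": 1700000000,
    "what": "1220" + hashlib.sha256(b"approve").hexdigest(),  # hex multihash assumed
    "nonce": "3f2b6c1e-0d4a-4e8b-9a57-1c2d3e4f5a6b", "aud": "did:example:bob",
}

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def canonical(event: dict) -> bytes:
    # Assumed canonical form: all fields except sig, sorted keys, no whitespace.
    body = {k: v for k, v in event.items() if k != "sig"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign(event: dict, key: bytes) -> str:
    head = b64u(b'{"alg":"HS256"}')
    signing_input = f"{head}.{b64u(canonical(event))}"
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64u(mac)}"

def presence_check(event: dict) -> bool:
    # The weak behaviour the scan describes: any non-empty sig passes.
    return bool(event.get("sig"))

def verify(event: dict, key: bytes) -> bool:
    try:
        head, payload, mac = event.get("sig", "").split(".")
        if json.loads(b64u_dec(head)).get("alg") != "HS256":
            return False  # pin the algorithm: rejects "none" and downgrades
        want = hmac.new(key, f"{head}.{payload}".encode(), hashlib.sha256).digest()
        # The MAC must match AND the signed payload must be this event's fields.
        return (hmac.compare_digest(want, b64u_dec(mac))
                and hmac.compare_digest(b64u_dec(payload), canonical(event)))
    except (ValueError, TypeError, AttributeError):
        return False  # malformed or missing sig never verifies

def demo() -> dict:
    signed = {**EVENT, "sig": sign(EVENT, KEY)}
    cases = {"signed": signed, "forged": {**EVENT, "sig": "anything"},
             "tampered": {**signed, "aud": "did:example:mallory"}}
    # Each value is (presence_check result, verify result).
    return {name: (presence_check(e), verify(e, KEY)) for name, e in cases.items()}
```

The presence check passes all three cases, while verification passes only the untouched signed event.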

Compliance Standards

  • EU AI Act — Article 12 record-keeping, 6-year retention
  • California SB 1047 — 72-hour critical incident reporting
  • Colorado SB 205 — Algorithmic impact assessment + appeal logs
  • Generic JEP-01 — Baseline accountability tracing

Cognitive Emergence Lab
yuqiang@humanjudgment.org
