Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pilot Certificate

v1.0.0

Issue and verify Ed25519-signed capability certificates for Pilot Protocol agents. Use this skill when: 1. You need to issue capability proofs or authorizati...

by Calin Teodor (@teoslayer)
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The name/description state Ed25519-signed capability certificates, but the SKILL.md only writes unsigned JSON certificate files and never performs signing or signature verification. The declared requirements (pilotctl, pilot-protocol, openssl, jq) are plausible for the stated purpose, but the critical cryptographic steps are missing or undocumented.
! Instruction Scope
The instructions direct the agent to create JSON files under ~/.pilot/certificates, send them with pilotctl, and verify expiry/capabilities using jq/date. There is no step that references private keys, signing commands (e.g., explicit ed25519 sign), or signature verification. Verification only checks timestamps and presence of capabilities, not cryptographic integrity; this is scope creep versus the advertised crypto guarantees.
Install Mechanism
This is an instruction-only skill with no install spec or code files. No downloads or archive extraction occur, so install risk is low.
Credentials
The skill requests no environment variables or external credentials. It writes files to ~/.pilot which is consistent with a pilot client workflow. However, the lack of any private-key handling is notable given the stated need for signing.
Persistence & Privilege
No special persistence privileges are requested (always:false). The skill operates on user-home paths and requires the pilotctl daemon to be running; it does not request system-wide changes or other skills' config.
What to consider before installing
The skill claims cryptographic (Ed25519) issuance and verification but the provided runtime steps never sign certificates or verify signatures — they only create and transmit JSON files and check expiry/capability entries. Before installing or using this skill, ask the author how and where signing happens (which private key, what pilotctl command performs signing), and request explicit verification steps that validate signatures rather than just timestamps or JSON contents. Also: avoid issuing 'admin' capabilities with unsigned artifacts; test in an isolated environment; confirm pilotctl and pilot-protocol daemon behavior from the official documentation; and verify the authenticity of the pilotctl binary you run.


Runtime requirements

Bins: pilotctl
latestvk972p3rx7e8dhkqdvjffn5gxe184fjsr
59 downloads
0 stars
1 version
Updated 1w ago
v1.0.0
MIT-0

Pilot Certificate

Capability certificate system for Pilot Protocol using Ed25519 signatures.

Commands

Issue Certificate

CERT_ID=$(openssl rand -hex 8)
EXPIRES_AT=$(date -u -d '+24 hours' +%Y-%m-%dT%H:%M:%SZ)

cat > ~/.pilot/certificates/issued/cert-$CERT_ID.json <<EOF
{
  "certificate_id": "$CERT_ID",
  "subject": {"hostname": "$SUBJECT"},
  "capabilities": ["read", "write", "admin"],
  "expires_at": "$EXPIRES_AT",
  "status": "active"
}
EOF

Send Certificate

pilotctl --json send-file "$RECIPIENT" ~/.pilot/certificates/issued/cert-$CERT_ID.json

Verify Certificate

EXPIRES_AT=$(jq -r '.expires_at' "$CERT_FILE")
EXPIRES_TS=$(date -d "$EXPIRES_AT" +%s)

[ "$(date +%s)" -le "$EXPIRES_TS" ] && echo "VERIFIED" || echo "EXPIRED"

Check Capability

jq -e --arg cap "$CAPABILITY" '.capabilities[] | select(. == $cap)' "$CERT_FILE" && echo "Has capability"

Workflow Example

#!/bin/bash
# Certificate authority

mkdir -p ~/.pilot/certificates/{issued,received}

CERT_ID=$(openssl rand -hex 8)
SUBJECT="admin.pilot"

cat > ~/.pilot/certificates/issued/cert-$CERT_ID.json <<EOF
{
  "certificate_id": "$CERT_ID",
  "subject": {"hostname": "$SUBJECT"},
  "capabilities": ["read", "write", "admin"],
  "expires_at": "$(date -u -d '+48 hours' +%Y-%m-%dT%H:%M:%SZ)",
  "status": "active"
}
EOF

pilotctl --json send-file "$SUBJECT" ~/.pilot/certificates/issued/cert-$CERT_ID.json

Dependencies

Requires pilot-protocol, pilotctl, jq, and openssl.
