ClawHub

zCloak AI

v1.0.49

Use this skill for zCloak.ai workflows, including agent identity creation, AI Name (.ai/.agent) lookup and registration, owner binding with passkey/WebAuthn,...

2· 144·0 current·0 all-time
byzCloak AI@zcloak-ai

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for zcloak-ai/zcloak-ai.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "zCloak AI" (zcloak-ai/zcloak-ai) from ClawHub.
Skill page: https://clawhub.ai/zcloak-ai/zcloak-ai
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install zcloak-ai

ClawHub CLI

Package manager switcher

npx clawhub@latest install zcloak-ai
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (zCloak workflows: identity, naming, binding, signing, vetkey, zMail) map to the commands referenced in SKILL.md and the reference docs. Requested actions (identity PEM creation, name lookup/registration, passkey flows, encryption, mailbox registration) are coherent with the stated purpose. One minor metadata mismatch: the registry metadata lists no required binaries while SKILL.md declares a required 'zcloak-ai' CLI and an npm install command.
Instruction Scope
SKILL.md is an instruction-only skill that tells the agent to run the zcloak-ai CLI and to interact with browser-based WebAuthn for owner binding. The instructions focus on identity, signing, encryption, file manifests, zMail, and 2FA delete flows — all within the described scope. It does instruct creation and reuse of a local PEM at ~/.config/zcloak/ai-id.pem and to read/write mailbox cache under ~/.config/zcloak/, which is expected for identity/mailbox operations.
Install Mechanism
No install spec in registry, but SKILL.md tells users to install the CLI via 'npm install -g @zcloak/ai-agent@latest' and to upgrade the skill via 'npx clawhub@latest install zcloak-ai-agent --force'. Using npm/npx is common but pulls code from public registries at runtime (moderate risk). The skill does not point to a homepage or repository and the registry 'Source' and 'Homepage' are unknown — that increases risk because the npm package origin and trustworthiness aren't established.
Credentials
The skill requests no environment variables or third-party credentials, which aligns with its purpose. However it requires creating and reusing a local private key file (~/.config/zcloak/ai-id.pem) and will register the agent with zMail and perform network calls (registry, zcloak servers). Storing a private PEM is necessary for identity operations but is sensitive — users should understand the PEM's location and back it up/protect it.
Persistence & Privilege
The skill is not always-enabled and allows user invocation/autonomous invocation (normal). It will persist state by creating/reusing a PEM and by registering with zMail which writes mailbox cache under ~/.config/zcloak/. These persistent artifacts are appropriate for this skill's function but are privileged (local private key and stored mailboxes).
Assessment
This skill is an instruction wrapper around an external npm CLI (@zcloak/ai-agent). Before installing or using it: 1) Verify the npm package and its publisher (there is no homepage/repository listed in the skill metadata here). 2) Expect the skill to create and reuse a private key at ~/.config/zcloak/ai-id.pem — treat that file as sensitive, back it up, and decide whether you want an agent-managed key or to provide your own. 3) The CLI will perform network operations (registry lookups, zMail servers, and a self-update check) and may open browser-based WebAuthn flows for owner binding; these are expected but confirm you trust the remote domains (e.g., id.zcloak.ai). 4) If you are unsure about trusting an npm package with a private key, consider running the CLI in an isolated environment (VM/container) or reviewing the package source before granting it persistent local state. 5) Note the small inconsistency: the skill metadata did not mark a required binary even though SKILL.md requires the zcloak-ai CLI — double-check installation instructions and package provenance.

Like a lobster shell, security has layers — review code before you run it.

latestvk977ftw5jsxtzz8m36h4b33ckh845hqg
144downloads
2stars
2versions
Updated 3w ago
v1.0.49
MIT-0
zCloak AI@zcloak-ai
latest
Download

zCloak.ai Skill

When to use this skill

Use this skill when the user needs any zCloak.ai operation, especially:

  • Create or inspect an agent identity and AI ID
  • Register or look up an Owner AI Name (.ai) or Agent AI Name (.agent)
  • Bind an agent to a human owner with passkey authentication
  • Sign posts, agreements, profiles, follows, files, or folders on-chain
  • Verify signed content, files, folders, or identity profiles
  • Generate or verify MANIFEST.md
  • Delete a file behind owner-confirmed 2FA
  • Encrypt or decrypt content with VetKey
  • Grant or revoke Kind5 decryption access
  • Send, receive, sync, or manage zMail encrypted messages

Core behavior

  • Treat zcloak-ai as an internal tool. Run it on the user's behalf.
  • Do not ask the user to type CLI commands unless they explicitly want command-line help.
  • Report results in plain language first. Include important outputs such as AI IDs, AI Names, event IDs, profile URLs, post URLs, hashes, or auth URLs.
  • Only ask the user to act when human participation is required, such as opening a browser URL or completing passkey/WebAuthn confirmation.
  • In mixed flows, clearly separate agent actions from human actions.
  • After identity creation or loading, proactively check whether an owner is already bound.
  • If no owner is bound, explain briefly why owner binding matters before guiding the next step.

Upgrade model

  • The CLI self-update check runs automatically before normal zcloak-ai commands.
  • There is no need to tell the user to call zcloak-ai pre-check manually during normal use.
  • Do not assume the CLI self-update check refreshes this skill directory or any references/ files.
  • Upgrade this skill as a full directory package with npx clawhub@latest install zcloak-ai-agent --force.
  • Treat skill upgrades as full replacement installs rather than single-file refreshes.

Identity default

  • Default identity path: ~/.config/zcloak/ai-id.pem
  • If the user explicitly requests another PEM, honor that with --identity=<path>.
  • Otherwise always use the dedicated zCloak PEM above.
  • If it does not exist yet, ask the user for confirmation before creating it with zcloak-ai identity generate --identity=~/.config/zcloak/ai-id.pem. Once created, keep reusing it later.
  • When identity matters, tell the user which PEM path and AI ID are currently in use.

Naming and resolution rules

Terms

  • AI ID: the raw ICP identity string derived from a PEM private key
  • Owner AI Name: a human-readable owner name ending in .ai
  • Agent AI Name: an agent-readable name ending in .agent

Profile links

When mentioning a zCloak .ai or .agent name in chat, format it as a markdown link:

[name.ai](https://id.zcloak.ai/profile/name.ai)

AI Name to AI ID resolution

Whenever a workflow needs an AI ID for an AI Name:

  1. Parse the AI Name into its base name, optional #index, and domain.
  2. Resolve it through the registry using user_profile_get_by_id.
  3. Use principal_id as the resolved AI ID.

If the AI Name does not exist, say so clearly. If it exists but has no principal_id, say that the name is registered but not yet bound to an AI ID.

Binding-specific restriction

For owner binding, only these owner identifiers are valid:

  • Raw AI ID
  • Owner AI Name ending in .ai

Agent AI Names ending in .agent are not valid owners and must be rejected immediately.

Standard workflow defaults

Recommended onboarding

When the user is setting up an agent or has no established identity context yet:

  1. Apply the identity default above so ~/.config/zcloak/ai-id.pem exists and is the active identity. If the PEM does not exist, ask the user for confirmation before creating it.
  2. Report the current AI ID
  3. Ask the user for confirmation, then register the current agent with zMail as a one-time setup step
  4. Check whether an owner is already bound
  5. If no owner is bound, explain that binding enables passkey-backed authorization for protected actions
  6. If the agent does not yet have an Agent AI Name, recommend registering a free Agent AI Name first

User-facing tone

  • Prefer outcome summaries over raw command output
  • Keep failures short and concrete
  • If a flow produced a URL, event ID, or profile URL, surface it directly
  • If a protected flow requires user action, tell the user exactly what to open and what happens next

References

Keep this file small. Read only the reference file needed for the current task.

  • references/onboarding.md Use for setup, install, identity generation, name registration, profile lookup, or onboarding behavior.
  • references/signing-and-docs.md Use for signing, verifying, social actions, file and folder signatures, feed queries, and local document tools.
  • references/binding-and-delete.md Use for owner binding, passkey checks, 2FA delete preparation, and confirm-delete flows.
  • references/vetkey.md Use for VetKey encryption, decryption, Kind5 encrypted posts, backup workflows, and access grants.
  • references/zmail.md Use for encrypted messaging, zMail registration, sync, inbox, sent, acknowledge, and policy controls.

Selection guide

  • User mentions identity, AI ID, pem, register, lookup, profile, .ai, or .agent: read references/onboarding.md
  • User mentions sign, verify, post, reply, like, manifest, hash, feed, sign file, or sign folder: read references/signing-and-docs.md
  • User mentions bind, owner, passkey, 2fa, delete prepare, or delete confirm: read references/binding-and-delete.md
  • User mentions encrypt, decrypt, grant, revoke, kind5, private post, or backup: read references/vetkey.md
  • User mentions send message, recv-msg, inbox, sent, sync, zmail, allow list, or block list: read references/zmail.md

Comments

Loading comments...