Coverify
v0.4.3CoVerify by MO§ES™ — the falsification instrument for the Commitment Conservation Law. Extract kernels, score Jaccard, detect ghost tokens, run model swap te...
⭐ 0· 243·1 current·2 all-time
byburnmydays@sunrisesillneversee
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the included scripts and SKILL.md: the Python scripts implement extraction, Jaccard comparison, ghost-token reporting, and a model-swap test harness. There are no unrelated environment variables, binaries, or external credentials requested.
Instruction Scope
SKILL.md instructs the agent to run the included Python scripts and to use a local audit ledger at ~/.openclaw/audits/moses/audit_ledger.jsonl; that is consistent with a verification tool. However, the included commitment_verify.py source appears truncated near the end (an unfinished assignment to hashlib.sha2) which will likely produce a runtime error for the ghost command as shipped. model_swap_test.py references pattern_registry.py (for recording ghost patterns) that is not included. Also note the tool prints/stores extracted kernels and may write results and saved reports under ~/.openclaw, so inputs (or kernel excerpts) may be persisted in plaintext.
Install Mechanism
There is no install spec (instruction-only with bundled scripts); nothing is downloaded from the network or installed automatically. This is lower risk. The SKILL.md suggests 'clawhub install coverify' but the package contains only local scripts (the platform's install step is not present here).
Credentials
The skill declares no required environment variables, no credentials, and no config paths beyond per-user directories under the home (~/.openclaw/*). Those file accesses are proportional to an audit/ledger-style verification tool. No network endpoints, tokens, or secrets are requested.
Persistence & Privilege
The skill does create and read files under the user's home directory (audit ledger, model-swap results), which is expected for an audit tool. It does not request elevated privileges, does not set always:true, and does not modify other skills' configs. Autonomous invocation is allowed by default (platform behavior) but not combined with any broad credential access here.
Assessment
This skill appears internally consistent and self-contained: it performs local text analysis, requires no credentials, and writes outputs under ~/.openclaw. Before installing or running it: 1) review/fix the truncated code in scripts/commitment_verify.py (the file ends mid-assignment and will likely crash the ghost command); 2) be aware the tool prints and saves extracted kernel sentences and reports (these can contain sensitive text) to ~/.openclaw — do not run it on sensitive secrets unless you accept local persistence; 3) model_swap_test.py expects either a provided JSON extract or a file and suggests recording patterns in a pattern_registry which is not included — evaluate whether you need that registry or to add it; 4) test the scripts in a sandboxed environment to confirm behavior and output locations before integrating them into any governance automation. There are no remote endpoints or secret requests in the package.Like a lobster shell, security has layers — review code before you run it.
commitmentvk9722002efw2nwc90q91dveqzn82thesconservationvk9722002efw2nwc90q91dveqzn82thesfalsifiabilityvk9722002efw2nwc90q91dveqzn82thesjaccardvk9722002efw2nwc90q91dveqzn82theslatestvk97cr4tdfktjbb7dne549b1cbd82wv92mosesvk9722002efw2nwc90q91dveqzn82thesprovenancevk9722002efw2nwc90q91dveqzn82thessignalvk9722002efw2nwc90q91dveqzn82thesverificationvk9722002efw2nwc90q91dveqzn82thes
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
⚖ Clawdis