sev-attestation
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: sev-attestation Version: 1.0.2 The skill bundle is designed to perform AMD SEV-SNP remote attestation, which inherently requires privileged access to `/dev/sev-guest` and network communication with AMD's Key Distribution Service (`kdsintf.amd.com`). All scripts and documentation (including `SKILL.md` and `README.md`) clearly state these requirements and their purpose. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, obfuscation to hide intent, or prompt injection attempts against the agent. The use of `sudo` and interaction with privileged kernel devices are necessary for the stated functionality and are transparently documented in `SKILL.md` and `references/error-codes.md`.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent could treat an attestation PASS as sufficient to release secrets to a VM even if the VM image/configuration has not been confirmed as the expected one.
This is a high-assurance claim. The included automated workflow verifies SEV-SNP availability, certificate chain, and report signature, but does not require a known-good MEASUREMENT comparison, nonce/REPORT_DATA comparison, policy.DEBUG check, or TCB acceptance policy before reporting success.
Use when ... verifying VM integrity before trusting it with secrets
Treat the script PASS as partial attestation. Before trusting secrets, require explicit checks for expected measurement, challenge nonce/report data, debug policy, and acceptable TCB levels, and update the workflow output to make those limits clear.
Running the workflow may require root privileges or membership in a privileged SEV device group on the VM.
The skill discloses that privileged device access is needed to request SEV-SNP reports. This is expected for the stated purpose, but it crosses a local privilege boundary.
- **Root access**: Required to access `/dev/sev-guest`
Run only on the intended VM, prefer the least-privileged sev group where available, and avoid granting broader root access than needed.
AMD KDS and network logs may see report-derived hardware identity data when certificates are fetched.
The script extracts the chip ID and TCB values from the attestation report and sends them to AMD KDS to fetch the chip-specific VCEK certificate. This is expected for SEV-SNP attestation, but it is an external network data flow.
CHIP_ID=$(xxd -p -s 416 -l 64 "$REPORT_FILE" | tr -d '\n') ... VCEK_URL="$AMD_KDS_URL/vcek/v1/Milan/${CHIP_ID}?blSPL=${BOOT_LOADER}&teeSPL=${TEE}&snpSPL=${SNP}&ucodeSPL=${MICROCODE}" ... curl -sf "$VCEK_URL"Use this workflow only when contacting AMD KDS is acceptable, and avoid sharing attestation output or logs more broadly than necessary.
Users may install and run third-party code from the Rust package ecosystem as part of setup.
The skill relies on an external Rust CLI installed without a pinned version in the artifact. This is normal setup for the workflow but leaves dependency provenance and version selection to the user.
Install snpguest: ```bash cargo install snpguest ```
Install snpguest from a trusted source, consider pinning a known-good version, and review dependency installation steps before running privileged attestation commands.