陌讯skills聚合平台

skillsign

📁 felmonon/skillsign 📅 2 days ago
2
总安装量
2
周安装量
#65889
全站排名
安装命令
npx skills add https://github.com/felmonon/skillsign --skill skillsign

Agent 安装分布

opencode 2
antigravity 2
claude-code 2
github-copilot 2
codex 2
droid 2

Skill 文档

skillsign

Cryptographic signing and verification for agent skill folders using ed25519 keys. Protects your skills from tampering and lets you verify who wrote them.

Install

pip3 install cryptography

That’s the only dependency. The tool is a single Python file.

Commands

Generate a signing identity

python3 skillsign.py keygen
python3 skillsign.py keygen --name myagent

Creates an ed25519 keypair in ~/.skillsign/keys/. Share the .pub file. Keep the .pem file secret.

Sign a skill folder

python3 skillsign.py sign ./my-skill/
python3 skillsign.py sign ./my-skill/ --key ~/.skillsign/keys/myagent.pem

Hashes every file (SHA-256), builds a manifest, signs it with your private key. Creates .skillsig/ inside the folder.

Verify a skill folder

python3 skillsign.py verify ./my-skill/

Detects modified, added, or removed files. Verifies the cryptographic signature. Checks if the signer has been revoked. Shows whether the signer is trusted.

Inspect signature metadata

python3 skillsign.py inspect ./my-skill/

Shows signer fingerprint, timestamp, file count, and all covered files with their hashes.

Trust an author

python3 skillsign.py trust ./their-key.pub

Adds a public key to your local trusted authors list.

List trusted authors

python3 skillsign.py trusted

View provenance chain (isnād)

python3 skillsign.py chain ./my-skill/

Shows the full signing history — every author who signed the folder, in order.

Revoke a compromised key

python3 skillsign.py revoke --key ~/.skillsign/keys/myagent.pem
python3 skillsign.py revoke --key ~/.skillsign/keys/myagent.pem --reason "Key leaked"

Creates a self-signed revocation statement. Automatically removes the key from trusted authors. After revocation:

  • Signatures made after revocation → rejected by verify
  • Signatures made before revocation → pass with a warning

List revoked keys

python3 skillsign.py revoked

When to Use

  • After installing a new skill — verify it hasn’t been tampered with
  • Before running untrusted code — check who signed it and whether you trust them
  • Periodically — re-verify your skill folders to detect unauthorized modifications
  • When publishing skills — sign your work so others can verify it came from you
  • When a key is compromised — revoke it immediately to prevent abuse
  • When auditing your agent’s integrity — run verify on all your skill folders

Example Workflow

# First time: create your identity
python3 skillsign.py keygen --name parker

# Sign your skills
python3 skillsign.py sign ~/.openclaw/skills/my-skill/

# Later: check nothing changed
python3 skillsign.py verify ~/.openclaw/skills/my-skill/
# ✅ Verified — 14 files intact.
#    Signer: ca3458e92b73e432 [TRUSTED]

# Someone tampers with a file:
python3 skillsign.py verify ~/.openclaw/skills/my-skill/
# ❌ TAMPERED — Files changed since signing:
#    ~ main.py (modified)

# Trust another agent's key
python3 skillsign.py trust ./other-agent.pub

# View full provenance
python3 skillsign.py chain ~/.openclaw/skills/my-skill/

# Key compromised? Revoke it:
python3 skillsign.py revoke --key ~/.skillsign/keys/parker.pem --reason "Key leaked"
# 🔴 Revoked: ca3458e92b73e432
#    Signatures made after this timestamp will fail verification.
GitHub 仓库 ↗ ← 返回陌讯 Skills 聚合平台
本页面由 陌讯 Skills 聚合平台 收录整理,数据定期更新。