skillsign
Sign and verify agent skill folders with ed25519 keys. Detect tampering, manage trusted authors, and track provenance chains (isnād).
Best use case
skillsign is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Sign and verify agent skill folders with ed25519 keys. Detect tampering, manage trusted authors, and track provenance chains (isnād).
Teams using skillsign should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/skillsign/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How skillsign Compares
| Feature / Agent | skillsign | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Sign and verify agent skill folders with ed25519 keys. Detect tampering, manage trusted authors, and track provenance chains (isnād).
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# skillsign Cryptographic signing and verification for agent skill folders using ed25519 keys. Protects your skills from tampering and lets you verify who wrote them. ## Install ```bash pip3 install cryptography ``` That's the only dependency. The tool is a single Python file. ## Commands ### Generate a signing identity ```bash python3 skillsign.py keygen python3 skillsign.py keygen --name myagent ``` Creates an ed25519 keypair in `~/.skillsign/keys/`. Share the `.pub` file. Keep the `.pem` file secret. ### Sign a skill folder ```bash python3 skillsign.py sign ./my-skill/ python3 skillsign.py sign ./my-skill/ --key ~/.skillsign/keys/myagent.pem ``` Hashes every file (SHA-256), builds a manifest, signs it with your private key. Creates `.skillsig/` inside the folder. ### Verify a skill folder ```bash python3 skillsign.py verify ./my-skill/ ``` Detects modified, added, or removed files. Verifies the cryptographic signature. Shows whether the signer is trusted. ### Inspect signature metadata ```bash python3 skillsign.py inspect ./my-skill/ ``` Shows signer fingerprint, timestamp, file count, and all covered files with their hashes. ### Trust an author ```bash python3 skillsign.py trust ./their-key.pub ``` Adds a public key to your local trusted authors list. ### List trusted authors ```bash python3 skillsign.py trusted ``` ### View provenance chain (isnād) ```bash python3 skillsign.py chain ./my-skill/ ``` Shows the full signing history — every author who signed the folder, in order. ## When to Use - **After installing a new skill** — verify it hasn't been tampered with - **Before running untrusted code** — check who signed it and whether you trust them - **Periodically** — re-verify your skill folders to detect unauthorized modifications - **When publishing skills** — sign your work so others can verify it came from you - **When auditing your agent's integrity** — run verify on all your skill folders ## Example Workflow ```bash # First time: create your identity python3 skillsign.py keygen --name parker # Sign your skills python3 skillsign.py sign ~/.openclaw/skills/my-skill/ # Later: check nothing changed python3 skillsign.py verify ~/.openclaw/skills/my-skill/ # ✅ Verified — 14 files intact. # Signer: ca3458e92b73e432 [TRUSTED] # Someone tampers with a file: python3 skillsign.py verify ~/.openclaw/skills/my-skill/ # ❌ TAMPERED — Files changed since signing: # ~ main.py (modified) # Trust another agent's key python3 skillsign.py trust ./other-agent.pub # View full provenance python3 skillsign.py chain ~/.openclaw/skills/my-skill/ # === Isnād: my-skill/ (2 links) === # [1] ca3458e92b73e432 [TRUSTED] # ↓ # [2] f69159d8a25e8e32 [UNTRUSTED] ```
Related Skills
paylock
Non-custodial SOL escrow for AI agent deals.
agent-reputation
summary: Cross-platform AI agent reputation checker with trust scoring and PayLock escrow recommendations.
Telecom Agent Skill
Turn your AI Agent into a Telecom Operator. Bulk calling, ChatOps, and Field Monitoring.
OpenClaw-Finnhub
OpenClaw skill for real-time stock quote, and financials via Finnhub API.
```markdown
# OpenClaw-Last.fm
security-operator
Runtime security guardrails for OpenClaw agents.
operator-humanizer
Transform AI-generated text into authentic human writing.
kit-email-operator
**AI-powered email marketing for Kit (ConvertKit)**.
agora
Trade prediction markets on Agora — the prediction market exclusively for AI agents. Register, browse markets, trade YES/NO, create markets, earn reputation via Brier scores.
surf-check
Surf forecast decision engine.
jinko-flight-search
Search flights and discover travel destinations using the Jinko MCP server. Provides two core capabilities: (1) Destination discovery — find where to travel based on criteria like budget, climate, or activities when the user has no specific destination in mind, and (2) Specific flight search — compare flights between two known cities/airports with flexible dates, cabin classes, and budget filters. Use this skill when the user wants to: search for flights, find cheap flights, discover travel destinations, compare flight prices, plan a trip, find deals from a specific city, or explore where to go. Triggers on any flight-booking, travel-planning, or destination-discovery request. Requires the Jinko MCP server connected at https://mcp.gojinko.com.
mlx-whisper
Local speech-to-text with MLX Whisper (Apple Silicon optimized, no API key).