Official Verified developer tools Safety 5/5

transparency-log-auditor

Helps verify that skill signing events are recorded in an independently auditable transparency log — catching the class of trust failures where a registry operator can silently rewrite history without detection.

Install via CLI (Recommended)

clawhub install openclaw/skills/skills/andyxinweiminicloud/transparency-log-auditor

What This Skill Does

The transparency-log-auditor is a critical security-focused utility designed for OpenClaw users who require verifiable proof of the integrity and provenance of their agent skills. In a standard ecosystem, you are forced to rely on the word of the registry operator regarding which skills are signed and when. This skill removes that requirement by providing independent auditing capabilities. It verifies the existence, immutability, and completeness of transparency logs associated with your skills. By ensuring that every signing event, key rotation, and revocation is recorded in an append-only, publicly auditable log, it protects you from "history rewriting" attacks where a registry could silently swap a secure, signed skill for a malicious version.

Installation

To add this auditor to your OpenClaw environment, execute the following command in your terminal:

clawhub install openclaw/skills/skills/andyxinweiminicloud/transparency-log-auditor

Ensure you have the necessary permissions to install new skills, and verify the source repository if you are running in a restricted or high-security production environment.

Use Cases

This skill is indispensable for enterprises and developers concerned with supply-chain security. Use it to:

  • Audit third-party skills: Before integrating a new skill, verify that its entire release history is recorded in an immutable log.
  • Verify key lifecycle: Ensure that author key rotations are properly logged and not performed in a hidden, non-verifiable manner.
  • Check for back-dated entries: Detect if a registry is attempting to inject older versions of a skill to re-introduce known vulnerabilities.
  • Cross-reference registries: If you mirror your skills across multiple providers, use this auditor to ensure both registries share a consistent view of the truth.

Example Prompts

  1. "Audit the transparency log for the skill 'data-processor-v2' and report any missing event signatures."
  2. "Verify the consistency of the signing history for openclaw/skills/example-agent across the primary and backup registries."
  3. "Does the current version of this skill have a verifiable entry in the transparency log, or is it relying solely on the registry's self-reported metadata?"

Tips & Limitations

  • Transparency vs. Existence: This skill confirms what is logged. It cannot prove that the author's signing key wasn't stolen; it only proves that the signing event occurred as recorded in the ledger.
  • Network Dependence: The auditor requires active, reliable access to the registry's public log endpoint. It will fail or return inconclusive results if the log endpoint is down or firewalled.
  • Log Depth: Some older or legacy skills may not have historical logs enabled. If you see a warning about 'Log absence,' it does not necessarily mean the skill is malicious—it may simply lack the maturity of a modern, transparency-enabled release process.

Metadata

Stars: 4473
Views: 0
Updated: 2026-05-01
Add to Configuration

Paste this into your clawhub.json to enable this plugin.

{
  "plugins": {
    "official-andyxinweiminicloud-transparency-log-auditor": {
      "enabled": true,
      "auto_update": true
    }
  }
}

Tags(AI)

#security #audit #compliance #trust #transparency
Safety Score: 5/5

Flags: network-access

Related Skills

delta-disclosure-auditor

Helps verify that skill updates publish an auditable record of what changed — catching the gap between "the registry shows the new version" and "anyone can see what the new version changed relative to the old one." v1.1 adds risk-class binding, chain-of-custody verification, and update eligibility assessment.

andyxinweiminicloud 4473

capability-composition-analyzer

Helps identify dangerous capability combinations that emerge when agent skills are composed — catching the class of risk where no individual skill is harmful but their intersection creates an exfiltration or compromise path.

andyxinweiminicloud 4473

behavioral-invariant-monitor

Helps verify that AI agent skills maintain consistent behavioral invariants across repeated executions — detecting the class of threat where a skill behaves safely during initial evaluation but shifts behavior based on execution count, environmental conditions, or delayed activation triggers. v1.3 adds performance fingerprinting (computational complexity drift detection), cryptographic audit trails (hash-chained behavior logs for immutable verification), and risk-proportional monitoring (sampling-based checks to reduce overhead).

andyxinweiminicloud 4473

capability-graph-mapper

Helps map the composite permission surface across AI agent skill dependency chains. Traces what each skill can do individually, then computes what they can do together — revealing emergent capabilities nobody explicitly approved.

andyxinweiminicloud 4473

skill-update-delta-monitor

Helps detect security-relevant changes in AI skills after installation. Tracks deltas between the audited version and current version, flagging updates that expand permissions, add new network endpoints, or alter behavior in ways that bypass install-time security checks.

andyxinweiminicloud 4473