Official Verified developer tools Safety 5/5

update-signature-verifier

Helps verify the cryptographic integrity of skill updates by checking whether each version is signed by the same key as the original install, detecting key changes, signature gaps, and unsigned updates that may indicate a compromised or transferred skill.

What This Skill Does

The update-signature-verifier is a critical security tool for OpenClaw users who rely on third-party skills. In modern software ecosystems, trust is often established once, at the time of installation, leaving subsequent updates vulnerable to supply chain compromises. This skill addresses that oversight by continuously monitoring the cryptographic integrity of your installed agents. It maps the signature history of every skill version and checks that each update is signed by the same trusted key that signed the originally installed version. By tracking key continuity, identifying signature gaps, and flagging orphaned or suspicious keys, it helps protect you from malicious actors who might hijack an update channel to inject harmful code into a legitimate, established agent.

Installation

To add this security layer to your OpenClaw environment, execute the following command in your terminal:

clawhub install openclaw/skills/skills/andyxinweiminicloud/update-signature-verifier

Once installed, the verifier will begin indexing your current skill catalog and auditing their version history for cryptographic consistency.

Use Cases

  • Supply Chain Auditing: Automatically verify that the latest version of a mission-critical financial automation skill hasn't been compromised by a publisher account takeover.
  • Corporate Compliance: Ensure that all installed enterprise skills meet strict signature continuity requirements before they are permitted to execute.
  • Update Transparency: Gain insights into how a skill publisher manages their signing keys, helping you decide whether to trust an updated version that arrives with a new, unannounced public key.

Example Prompts

  1. "Run a security audit on all my installed skills and list any that have experienced a cryptographic key change in their update history."
  2. "Check if the latest update for the 'data-scrubber' skill has a valid signature that matches the version I installed last month."
  3. "Show me a report of all skills in my ecosystem that have gaps in their signature history or contain unsigned version updates."

Tips & Limitations

  • Proactive Rotation: If a developer legitimately rotates their signing key, the verifier will flag this. Always verify such key rotations against the developer's official channels (like GitHub or their website) before ignoring the warning.
  • Initial Indexing: The first run may take time if you have many skills installed, as it needs to fetch and verify the historical metadata for every version.
  • Scope: This skill monitors signature metadata; it does not replace a sandbox or behavioral analysis tools. It is best used as one component of a broader multi-layered defense strategy.
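The key-continuity check from "What This Skill Does" and the rotation tip above, sketched over signature metadata as an added example. It is not the skill's own code; the record layout, finding names, and fingerprints are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Release:
    version: str
    key_fp: Optional[str]  # fingerprint of the signing key; None means unsigned

def audit_history(releases, installed_version, accepted_rotations=frozenset()):
    """Return [(version, finding)] for every release after the installed one.

    releases: oldest-to-newest list of Release records.
    accepted_rotations: {(old_fp, new_fp)} pairs confirmed out of band.
    """
    start = [r.version for r in releases].index(installed_version)
    pinned = releases[start].key_fp          # trust anchor = key seen at install
    if pinned is None:
        return [(installed_version, "NO_TRUST_ANCHOR")]
    findings, unsigned_run = [], []
    for rel in releases[start + 1:]:
        if rel.key_fp is None:
            findings.append((rel.version, "UNSIGNED"))
            unsigned_run.append(rel.version)
            continue
        if unsigned_run:
            # Signing resumed after unsigned releases: the chain has a hole.
            gap = ",".join(unsigned_run)
            findings.append((rel.version, "SIGNATURE_GAP after " + gap))
            unsigned_run = []
        if rel.key_fp != pinned:
            if (pinned, rel.key_fp) in accepted_rotations:
                findings.append((rel.version, "ROTATION_ACCEPTED"))
                pinned = rel.key_fp          # re-pin only on a confirmed rotation
            else:
                # Fail closed: the pin does not move, so later releases
                # signed by the unconfirmed key keep being flagged.
                findings.append((rel.version, "KEY_CHANGE"))
    return findings

# Constructed sample history (fingerprints are placeholders, not real keys).
HISTORY = [
    Release("1.0.0", "fp-A-constructed"), Release("1.0.1", "fp-A-constructed"),
    Release("1.1.0", None),               Release("1.1.1", "fp-A-constructed"),
    Release("2.0.0", "fp-B-constructed"), Release("2.0.1", "fp-B-constructed"),
]

if __name__ == "__main__":
    for version, finding in audit_history(HISTORY, "1.0.0"):
        print(version, finding)
```

Passing `accepted_rotations={("fp-A-constructed", "fp-B-constructed")}` models a rotation confirmed through the developer's official channels: 2.0.0 is reported once as accepted and 2.0.1 raises no finding.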

Metadata

Stars: 4473
Views: 0
Updated: 2026-05-01

Add to Configuration

Paste this into your clawhub.json to enable this plugin.

{
  "plugins": {
    "official-andyxinweiminicloud-update-signature-verifier": {
      "enabled": true,
      "auto_update": true
    }
  }
}

Tags (AI)

#security #cryptography #supply-chain #verification
Safety Score: 5/5

Flags: file-read

Related Skills

delta-disclosure-auditor

Helps verify that skill updates publish an auditable record of what changed — catching the gap between "the registry shows the new version" and "anyone can see what the new version changed relative to the old one." v1.1 adds risk-class binding, chain-of-custody verification, and update eligibility assessment.

andyxinweiminicloud 4473

capability-composition-analyzer

Helps identify dangerous capability combinations that emerge when agent skills are composed — catching the class of risk where no individual skill is harmful but their intersection creates an exfiltration or compromise path.

andyxinweiminicloud 4473

transparency-log-auditor

Helps verify that skill signing events are recorded in an independently auditable transparency log — catching the class of trust failures where a registry operator can silently rewrite history without detection.

andyxinweiminicloud 4473

behavioral-invariant-monitor

Helps verify that AI agent skills maintain consistent behavioral invariants across repeated executions — detecting the class of threat where a skill behaves safely during initial evaluation but shifts behavior based on execution count, environmental conditions, or delayed activation triggers. v1.3 adds performance fingerprinting (computational complexity drift detection), cryptographic audit trails (hash-chained behavior logs for immutable verification), and risk-proportional monitoring (sampling-based checks to reduce overhead).

andyxinweiminicloud 4473

skill-update-delta-monitor

Helps detect security-relevant changes in AI skills after installation. Tracks deltas between the audited version and current version, flagging updates that expand permissions, add new network endpoints, or alter behavior in ways that bypass install-time security checks.

andyxinweiminicloud 4473