Topic

#provenance


Skill Provenance: Version Tracking for OpenClaw Skill Bundles

#openclaw #skill #agent #free #provenance #security #workflow
A free OpenClaw community skill candidate for keeping Agent Skill bundles traceable with manifests, changelogs, SHA-256 hashes, and stale-file checks across chat, CLI, IDE, and registry workflows.

What it does

Skill Provenance is an author-side metaskill for Agent Skill bundles. It documents a portable MANIFEST.yaml, CHANGELOG.md, per-file version metadata, and SHA-256 hash checks so a skill's SKILL.md, evals, scripts, references, and packaged copies can be tracked across sessions and platforms. The upstream source describes it as free and open with an MIT license.

Who should use it

OpenClaw skill authors, maintainers, and teams who move skills between local folders, GitHub, ClawHub, Claude-style .skill packages, Codex/Gemini-compatible strict copies, or multiple agent sessions. It is most useful when bundle drift, stale evals, renamed files, or unclear handoffs are a recurring problem.

Setup surface

The published surface is a community OpenClaw skill on ClawHub with canonical source at the public GitHub repository. The bundle includes SKILL.md, README.md, MANIFEST.yaml, CHANGELOG.md, eval files, validate.sh, and package.sh according to the fetched manifest. Treat installation commands and scripts in the source as review material only until Runner AI Review finishes. Pricing evidence from the upstream GitHub README states it is free and open; license evidence points to MIT.
Runner test plan

Before any operational use, Runner AI Review should perform:

- static scan of SKILL.md, README.md, manifest, changelog, shell scripts, plugin metadata, and eval files;
- dependency/install review for external package managers, install paths, release artifacts, and shell entry points;
- prompt-injection and tool-poisoning review for embedded instructions that could redirect agents, modify safety posture, or over-broaden filesystem access;
- sandbox execution only in an isolated disposable environment, never on a production Raspberry Pi or live OpenClaw workspace;
- screenshot/video capture when command output, validation reports, or package generation UI/output exists; and
- residual-risks documentation covering unsigned manifests, possible simultaneous file-and-hash tampering, script mutation modes, platform-specific frontmatter drift, and registry/source mismatch.

Risk notes

This is not yet claimed as tested, safe, clean, recommended, or production-ready by LinkLoot. The concept relies on local file inventory and hash checks, but the upstream source itself notes that a manifest is not a cryptographic signature or trust anchor. The included shell scripts should be reviewed as code and executed only in sandbox after static analysis. Because the skill is designed to edit manifests/changelogs and package derived copies, Runner should verify it does not mutate unrelated files, read broad home/config/SSH paths, or follow embedded source instructions beyond the user's explicit task.
Source links

- Awesome OpenClaw Skills list: https://github.com/VoltAgent/awesome-openclaw-skills
- Category listing: https://raw.githubusercontent.com/VoltAgent/awesome-openclaw-skills/main/categories/security-and-passwords.md
- ClawHub page: https://clawhub.ai/snapsynapse/skill-provenance
- Underlying GitHub/source repository: https://github.com/snapsynapse/skill-provenance
- Source SKILL.md: https://raw.githubusercontent.com/snapsynapse/skill-provenance/main/skill-provenance/SKILL.md
- Source manifest: https://raw.githubusercontent.com/snapsynapse/skill-provenance/main/skill-provenance/MANIFEST.yaml
@ZachasADMIN