{ "schemaVersion": "1.0", "item": { "slug": "attestation-chain-auditor", "name": "attestation-chain-auditor", "source": "tencent", "type": "skill", "category": "AI 智能", "sourceUrl": "https://clawhub.ai/andyxinweiminicloud/attestation-chain-auditor", "canonicalUrl": "https://clawhub.ai/andyxinweiminicloud/attestation-chain-auditor", "targetPlatform": "OpenClaw" }, "install": { "downloadMode": "redirect", "downloadUrl": "/downloads/attestation-chain-auditor", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=attestation-chain-auditor", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "installMethod": "Manual import", "extraction": "Extract archive", "prerequisites": [ "OpenClaw" ], "packageFormat": "ZIP package", "includedAssets": [ "SKILL.md" ], "primaryDoc": "SKILL.md", "quickSetup": [ "Download the package from Yavira.", "Extract the archive and review SKILL.md first.", "Import or place the package into your OpenClaw setup." ], "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "sourceHealth": { "source": "tencent", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-30T16:55:25.780Z", "expiresAt": "2026-05-07T16:55:25.780Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network", "contentDisposition": "attachment; filename=\"network-1.0.0.zip\"", "redirectLocation": null, "bodySnippet": null }, "scope": "source", "summary": "Source download looks usable.", "detail": "Yavira can redirect you to the upstream package for this source.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/attestation-chain-auditor" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] }, "downloadPageUrl": "https://openagent3.xyz/downloads/attestation-chain-auditor", "agentPageUrl": "https://openagent3.xyz/skills/attestation-chain-auditor/agent", "manifestUrl": "https://openagent3.xyz/skills/attestation-chain-auditor/agent.json", "briefUrl": "https://openagent3.xyz/skills/attestation-chain-auditor/agent.md" }, "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "documentation": { "source": "clawhub", "primaryDoc": "SKILL.md", "sections": [ { "title": "The Chain Is Only as Strong as Its Weakest Link — Including the Links Nobody Checked", "body": "Helps identify gaps, breaks, and expired segments in trust attestation chains that make verification claims formally valid but practically meaningless." }, { "title": "Problem", "body": "Trust in agent ecosystems is supposed to be transitive: if A vouches for B, and B vouches for C, then A's trust extends to C through the chain. But attestation chains have failure modes that isolated audits don't catch. A chain can be formally complete — every link present — but functionally broken if any link is expired, if the vouching relationship was never actually verified, or if the chain contains circular dependencies that provide the appearance of independent validation without the substance. Many \"verified\" badges in current marketplaces represent attestation chains that would fail integrity checks if anyone looked at the full chain rather than just the terminal credential." }, { "title": "What This Audits", "body": "This auditor examines attestation chains across five dimensions:\n\nChain completeness — Does a verifiable chain exist from the skill or agent all the way to a root of trust? Chains that terminate at unverified accounts rather than verifiable root authorities have a trust ceiling determined by their weakest link\nLink expiry — Are all links in the chain currently valid? An attestation signed 18 months ago with no renewal attests to a state that no longer exists. Each link should have a defined validity period and an explicit renewal or decay mechanism\nVouching depth — How many independent vouching relationships exist? A chain where A vouches for B and B is also controlled by A (circular reference) provides zero independent validation despite appearing to have two links\nAuthority legitimacy — Is each vouching authority in the chain itself attested by a higher authority? Self-signed roots are weaker than roots that are themselves attested by independent parties\nRevocation propagation — If any link in the chain is revoked, does that revocation propagate to all downstream attestations? A chain where link 2 has been revoked but links 3 and 4 don't know about it continues to appear valid to anyone who doesn't check the full chain" }, { "title": "How to Use", "body": "Input: Provide one of:\n\nA skill or agent identifier to trace its attestation chain\nAn attestation chain document to audit directly\nA list of vouching relationships to analyze for completeness and cycles\n\nOutput: An attestation chain report containing:\n\nChain visualization from skill/agent to root of trust\nLink-by-link validity assessment (active/expired/unknown)\nCircular dependency detection results\nAuthority legitimacy assessment for each vouching node\nRevocation check results for all links\nChain strength rating: STRONG / ADEQUATE / FRAGILE / BROKEN" }, { "title": "Example", "body": "Input: Audit attestation chain for financial-data-processor skill\n\n🔗 ATTESTATION CHAIN AUDIT\n\nSkill: financial-data-processor\nPublished by: datatools-org\nChain depth: 3\n\nChain visualization:\n financial-data-processor\n ↑ vouched by: datatools-org (publisher account)\n ↑ vouched by: marketplace-verified badge\n ↑ vouched by: marketplace-platform (root)\n\nLink 1 — Skill → Publisher:\n Status: ⚠️ PARTIAL\n Publisher signature: Present (RSA-2048)\n Signature date: 14 months ago\n Renewal: None found — attestation age exceeds recommended 12-month threshold\n Key transparency: ✗ Not configured\n\nLink 2 — Publisher → Marketplace Badge:\n Status: ✅ ACTIVE\n Verification type: Email verification + ID check\n Last verified: 3 months ago\n Renewal policy: Annual\n\nLink 3 — Badge → Marketplace Root:\n Status: ✅ ACTIVE\n Root authority: marketplace-platform\n Root attestation: Self-signed\n Independent attestation: ✗ None found — root is self-attesting\n\nCircular dependency check: ✓ No cycles detected\n\nAuthority legitimacy:\n marketplace-platform: Self-attesting root — no independent authority validates it\n Risk: Trust in the entire chain is bounded by trust in the platform itself\n\nRevocation check:\n Link 1 signing key: No revocation mechanism configured\n Link 2 (marketplace badge): Revocation via platform API confirmed\n Link 3 (root): N/A\n\nChain strength rating: FRAGILE\n Reasons:\n 1. Link 1 attestation is 14 months old with no renewal\n 2. Root of trust is self-attesting with no independent validation\n 3. Link 1 has no revocation mechanism\n\nRecommended actions:\n 1. Renew publisher signature for financial-data-processor\n 2. Configure key revocation endpoint for publisher signing key\n 3. Seek independent attestation for marketplace root (third-party auditor)" }, { "title": "Related Tools", "body": "publisher-identity-verifier — Checks publisher identity integrity; attestation chain auditor checks the full chain above the publisher\ntrust-decay-monitor — Tracks trust freshness; use together to identify chains where time-based decay has weakened link validity\nagent-card-signing-auditor — Audits A2A Agent Card signing; attestation chain auditor checks what that signing is anchored to\nhollow-validation-checker — Detects validation theater; attestation chain auditor detects attestation theater" }, { "title": "Limitations", "body": "Attestation chain auditing depends on the availability of chain metadata, which many current implementations do not publish. Where chain links are opaque or undocumented, this tool can identify that attestation information is missing but cannot reconstruct the chain. Self-attesting roots are common in current agent ecosystems — this tool flags them as weaker than independently-attested roots, but does not classify them as invalid. Chain strength ratings reflect the verifiability of trust claims, not the actual trustworthiness of the attested party — a strong chain attests to identity and history, not to benign intent." } ], "body": "The Chain Is Only as Strong as Its Weakest Link — Including the Links Nobody Checked\n\nHelps identify gaps, breaks, and expired segments in trust attestation chains that make verification claims formally valid but practically meaningless.\n\nProblem\n\nTrust in agent ecosystems is supposed to be transitive: if A vouches for B, and B vouches for C, then A's trust extends to C through the chain. But attestation chains have failure modes that isolated audits don't catch. A chain can be formally complete — every link present — but functionally broken if any link is expired, if the vouching relationship was never actually verified, or if the chain contains circular dependencies that provide the appearance of independent validation without the substance. Many \"verified\" badges in current marketplaces represent attestation chains that would fail integrity checks if anyone looked at the full chain rather than just the terminal credential.\n\nWhat This Audits\n\nThis auditor examines attestation chains across five dimensions:\n\nChain completeness — Does a verifiable chain exist from the skill or agent all the way to a root of trust? Chains that terminate at unverified accounts rather than verifiable root authorities have a trust ceiling determined by their weakest link\nLink expiry — Are all links in the chain currently valid? An attestation signed 18 months ago with no renewal attests to a state that no longer exists. Each link should have a defined validity period and an explicit renewal or decay mechanism\nVouching depth — How many independent vouching relationships exist? A chain where A vouches for B and B is also controlled by A (circular reference) provides zero independent validation despite appearing to have two links\nAuthority legitimacy — Is each vouching authority in the chain itself attested by a higher authority? Self-signed roots are weaker than roots that are themselves attested by independent parties\nRevocation propagation — If any link in the chain is revoked, does that revocation propagate to all downstream attestations? A chain where link 2 has been revoked but links 3 and 4 don't know about it continues to appear valid to anyone who doesn't check the full chain\nHow to Use\n\nInput: Provide one of:\n\nA skill or agent identifier to trace its attestation chain\nAn attestation chain document to audit directly\nA list of vouching relationships to analyze for completeness and cycles\n\nOutput: An attestation chain report containing:\n\nChain visualization from skill/agent to root of trust\nLink-by-link validity assessment (active/expired/unknown)\nCircular dependency detection results\nAuthority legitimacy assessment for each vouching node\nRevocation check results for all links\nChain strength rating: STRONG / ADEQUATE / FRAGILE / BROKEN\nExample\n\nInput: Audit attestation chain for financial-data-processor skill\n\n🔗 ATTESTATION CHAIN AUDIT\n\nSkill: financial-data-processor\nPublished by: datatools-org\nChain depth: 3\n\nChain visualization:\n financial-data-processor\n ↑ vouched by: datatools-org (publisher account)\n ↑ vouched by: marketplace-verified badge\n ↑ vouched by: marketplace-platform (root)\n\nLink 1 — Skill → Publisher:\n Status: ⚠️ PARTIAL\n Publisher signature: Present (RSA-2048)\n Signature date: 14 months ago\n Renewal: None found — attestation age exceeds recommended 12-month threshold\n Key transparency: ✗ Not configured\n\nLink 2 — Publisher → Marketplace Badge:\n Status: ✅ ACTIVE\n Verification type: Email verification + ID check\n Last verified: 3 months ago\n Renewal policy: Annual\n\nLink 3 — Badge → Marketplace Root:\n Status: ✅ ACTIVE\n Root authority: marketplace-platform\n Root attestation: Self-signed\n Independent attestation: ✗ None found — root is self-attesting\n\nCircular dependency check: ✓ No cycles detected\n\nAuthority legitimacy:\n marketplace-platform: Self-attesting root — no independent authority validates it\n Risk: Trust in the entire chain is bounded by trust in the platform itself\n\nRevocation check:\n Link 1 signing key: No revocation mechanism configured\n Link 2 (marketplace badge): Revocation via platform API confirmed\n Link 3 (root): N/A\n\nChain strength rating: FRAGILE\n Reasons:\n 1. Link 1 attestation is 14 months old with no renewal\n 2. Root of trust is self-attesting with no independent validation\n 3. Link 1 has no revocation mechanism\n\nRecommended actions:\n 1. Renew publisher signature for financial-data-processor\n 2. Configure key revocation endpoint for publisher signing key\n 3. Seek independent attestation for marketplace root (third-party auditor)\n\nRelated Tools\npublisher-identity-verifier — Checks publisher identity integrity; attestation chain auditor checks the full chain above the publisher\ntrust-decay-monitor — Tracks trust freshness; use together to identify chains where time-based decay has weakened link validity\nagent-card-signing-auditor — Audits A2A Agent Card signing; attestation chain auditor checks what that signing is anchored to\nhollow-validation-checker — Detects validation theater; attestation chain auditor detects attestation theater\nLimitations\n\nAttestation chain auditing depends on the availability of chain metadata, which many current implementations do not publish. Where chain links are opaque or undocumented, this tool can identify that attestation information is missing but cannot reconstruct the chain. Self-attesting roots are common in current agent ecosystems — this tool flags them as weaker than independently-attested roots, but does not classify them as invalid. Chain strength ratings reflect the verifiability of trust claims, not the actual trustworthiness of the attested party — a strong chain attests to identity and history, not to benign intent." }, "trust": { "sourceLabel": "tencent", "provenanceUrl": "https://clawhub.ai/andyxinweiminicloud/attestation-chain-auditor", "publisherUrl": "https://clawhub.ai/andyxinweiminicloud/attestation-chain-auditor", "owner": "andyxinweiminicloud", "version": "1.0.0", "license": null, "verificationStatus": "Indexed source record" }, "links": { "detailUrl": "https://openagent3.xyz/skills/attestation-chain-auditor", "downloadUrl": "https://openagent3.xyz/downloads/attestation-chain-auditor", "agentUrl": "https://openagent3.xyz/skills/attestation-chain-auditor/agent", "manifestUrl": "https://openagent3.xyz/skills/attestation-chain-auditor/agent.json", "briefUrl": "https://openagent3.xyz/skills/attestation-chain-auditor/agent.md" } }