{ "schemaVersion": "1.0", "item": { "slug": "clawkey", "name": "Clawkey", "source": "tencent", "type": "skill", "category": "AI 智能", "sourceUrl": "https://clawhub.ai/oyyblin/clawkey", "canonicalUrl": "https://clawhub.ai/oyyblin/clawkey", "targetPlatform": "OpenClaw" }, "install": { "downloadMode": "redirect", "downloadUrl": "/downloads/clawkey", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=clawkey", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "installMethod": "Manual import", "extraction": "Extract archive", "prerequisites": [ "OpenClaw" ], "packageFormat": "ZIP package", "includedAssets": [ "HEARTBEAT.md", "README.md", "SKILL.md" ], "primaryDoc": "SKILL.md", "quickSetup": [ "Download the package from Yavira.", "Extract the archive and review SKILL.md first.", "Import or place the package into your OpenClaw setup." ], "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run." } ] }, "sourceHealth": { "source": "tencent", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-23T16:43:11.935Z", "expiresAt": "2026-04-30T16:43:11.935Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard", "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"", "redirectLocation": null, "bodySnippet": null }, "scope": "source", "summary": "Source download looks usable.", "detail": "Yavira can redirect you to the upstream package for this source.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/clawkey" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] }, "downloadPageUrl": "https://openagent3.xyz/downloads/clawkey", "agentPageUrl": "https://openagent3.xyz/skills/clawkey/agent", "manifestUrl": "https://openagent3.xyz/skills/clawkey/agent.json", "briefUrl": "https://openagent3.xyz/skills/clawkey/agent.md" }, "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run." } ] }, "documentation": { "source": "clawhub", "primaryDoc": "SKILL.md", "sections": [ { "title": "ClawKey — Verifiable Human Ownership", "body": "Register your agent under your human owner powered by VeryAI palm verification. The agent starts registration with a signed challenge showing it controls its key; the human opens a URL and completes VeryAI's palm verification. Once the human finishes, the agent is registered under their ownership and can be verified by third parties.\n\nCRITICAL: Never open browsers\nDo not use open, xdg-open, start, or any command that opens a browser. Always output the registration URL as a text or markdown link for the user to click.\n\nWRONG: open \"https://api.very.org/oauth2/...\"\nCORRECT: \"Open this link to complete verification: https://api.very.org/oauth2/...\"" }, { "title": "Key files", "body": "FilePurposeSKILL.mdhttps://clawkey.ai/skill.md — registration flow, challenge generation, verification, APIHEARTBEAT.mdhttps://clawkey.ai/heartbeat.md — periodic checklist: registration status, etcIdentity~/.openclaw/identity/device.json — OpenClaw deviceId and keys (do not send private key)" }, { "title": "Security", "body": "Private key: Used to sign the challenge. Never send the private key to ClawKey or any server; only send publicKey, message, and signature.\nRegistration URL: Single-use and short-lived. Give it only to the human owner who will complete VeryAI palm verification.\ndeviceId: Use a stable identifier (e.g. from your identity store or hash of public key). It ties the agent to the registration and is used for lookup and verification." }, { "title": "Generating the AgentChallenge", "body": "The AgentChallenge is a signed payload that shows you control an Ed25519 key. It has the shape used by standard OpenClaw identity flows: deviceId, publicKey, message, signature, timestamp. Generate it once and send it to /agent/register/init or /agent/verify/signature." }, { "title": "Where identity comes from (OpenClaw)", "body": "If you run on OpenClaw, device identity is stored at:\n\nPath: ~/.openclaw/identity/device.json\n\nThat file contains (never send privateKeyPem to any server):\n\nFieldUsedeviceIdUse as deviceId in the challenge. Stable id for this agent/device.publicKeyPemUse to derive publicKey (see below).privateKeyPemUse only locally to sign the message. Never include in API requests.\n\nIf you don’t use OpenClaw, use your own identity store; ensure you have a stable deviceId, an Ed25519 key pair, and that you sign the exact string you send as message." }, { "title": "Build the challenge (step-by-step)", "body": "Choose the message to sign\nFor registration, use a one-time challenge to avoid replay, e.g.:\n\nclawkey-register-\nExample: clawkey-register-1738500000000\nFor verify/signature, the message is whatever you are proving (e.g. a nonce from a third party).\n\n\n\nSign the message with your Ed25519 private key. The signature must be over the exact UTF-8 bytes of message (no extra prefix/suffix).\n\n\nEncode for the API:\n\npublicKey: Ed25519 public key in SPKI DER form, then base64 (no PEM wrapper).\nsignature: Raw Ed25519 signature bytes, base64.\ntimestamp: Unix time in milliseconds when the challenge was created (e.g. Date.now()).\n\n\n\nJSON body (AgentChallenge):\n\ndeviceId — from your identity (e.g. device.json)\npublicKey — base64 DER SPKI\nmessage — exact string that was signed\nsignature — base64 signature\ntimestamp — number (ms)" }, { "title": "Example: Node.js", "body": "const crypto = require(\"crypto\");\nconst fs = require(\"fs\");\n\nconst identityPath = `${process.env.HOME}/.openclaw/identity/device.json`;\nconst identity = JSON.parse(fs.readFileSync(identityPath, \"utf8\"));\n\nconst message = `clawkey-register-${Date.now()}`;\nconst privateKey = crypto.createPrivateKey(identity.privateKeyPem);\nconst signature = crypto.sign(null, Buffer.from(message, \"utf8\"), privateKey);\n\nconst publicKeyDer = crypto\n .createPublicKey(identity.publicKeyPem)\n .export({ type: \"spki\", format: \"der\" });\n\nconst challenge = {\n deviceId: identity.deviceId,\n publicKey: publicKeyDer.toString(\"base64\"),\n message,\n signature: signature.toString(\"base64\"),\n timestamp: Date.now(),\n};\n// POST challenge to https://api.clawkey.ai/v1/agent/register/init" }, { "title": "Using a script", "body": "If you have a script that already produces an AgentChallenge (e.g. signs a message and outputs JSON with deviceId, publicKey, message, signature, timestamp), you can reuse it for ClawKey:\n\nGenerate a challenge string, e.g. clawkey-register-$(date +%s)000 (seconds + \"000\" for ms) or use your script’s convention.\nRun the script to sign that message and get the challenge JSON.\nPOST that JSON to https://api.clawkey.ai/v1/agent/register/init.\n\nSame challenge format works for POST /agent/verify/signature when verifying a signature remotely." }, { "title": "1. Start registration (agent-initiated)", "body": "Build an AgentChallenge as above, then send it to ClawKey to create a session and get a registration URL.\n\ncurl -X POST https://api.clawkey.ai/v1/agent/register/init \\\n -H \"Content-Type: application/json\" \\\n -d '{\n \"deviceId\": \"my-agent-device-id\",\n \"publicKey\": \"\",\n \"message\": \"clawkey-register-1738500000000\",\n \"signature\": \"\",\n \"timestamp\": 1738500000000\n }'\n\nResponse (201):\n\nsessionId — use to poll status\nregistrationUrl — output this as a link for the human; do not open it in a browser\nexpiresAt — session expiry (ISO 8601)\n\nIf the agent is already registered (deviceId exists), the API returns 409 Conflict." }, { "title": "2. Human completes verification", "body": "Tell the human owner to open the registrationUrl in their browser. They will go through VeryAI's palm verification via OAuth. When they finish, the agent is registered under their ownership." }, { "title": "3. Poll registration status", "body": "Poll until the human has completed or the session has expired:\n\ncurl \"https://api.clawkey.ai/v1/agent/register/SESSION_ID/status\"\n\nResponse: status is one of pending | completed | expired | failed. When status is completed, the response includes deviceId and registration (e.g. publicKey, registeredAt)." }, { "title": "4. Verify signatures or look up an agent", "body": "Verify a signature — check that a message was signed by the given key and whether that agent is registered under a verified human:\n\ncurl -X POST https://api.clawkey.ai/v1/agent/verify/signature \\\n -H \"Content-Type: application/json\" \\\n -d '{\n \"deviceId\": \"...\",\n \"publicKey\": \"...\",\n \"message\": \"...\",\n \"signature\": \"...\",\n \"timestamp\": 1738500000000\n }'\n\nResponse: verified (signature valid), registered (agent under verified human).\n\nLook up an agent by device id — get registration and verification status:\n\ncurl \"https://api.clawkey.ai/v1/agent/verify/device/DEVICE_ID\"\n\nResponse: registered, verified, and optionally registeredAt." }, { "title": "API reference", "body": "Base URL: https://api.clawkey.ai/v1\nLocal: http://localhost:3000/v1" }, { "title": "Endpoints", "body": "MethodEndpointAuthDescriptionPOST/agent/register/initNoneStart registration session; returns sessionId, registrationUrl, expiresAt.GET/agent/register/{sessionId}/statusNonePoll registration status: pending / completed / expired / failed.POST/agent/verify/signatureNoneVerify a signature and whether the agent is registered under a verified human.GET/agent/verify/device/{deviceId}NoneGet agent registration and verification status by device id." }, { "title": "Request/response schemas", "body": "AgentChallenge (used in register/init and verify/signature):\n\nFieldTypeRequiredDescriptiondeviceIdstringyesKey/device id (e.g. public key hash or app id).publicKeystringyesEd25519 public key, base64 DER SPKI.messagestringyesExact message that was signed (e.g. challenge or nonce).signaturestringyesEd25519 signature over message, base64.timestampint64yesUnix timestamp (ms) when the challenge was created.\n\nRegister init response (201):\n\n{\n \"sessionId\": \"uuid\",\n \"registrationUrl\": \"https://clawkey.ai/register/...\",\n \"expiresAt\": \"2026-02-02T12:00:00Z\"\n}\n\nRegister status response (200):\n\n{\n \"status\": \"completed\",\n \"deviceId\": \"my-agent-device-id\",\n \"registration\": {\n \"publicKey\": \"...\",\n \"registeredAt\": \"2026-02-02T12:00:00Z\"\n }\n}\n\nVerify signature response (200):\n\n{\n \"verified\": true,\n \"registered\": true\n}\n\nDevice status response (200):\n\n{\n \"registered\": true,\n \"verified\": true,\n \"registeredAt\": \"2026-02-02T12:00:00Z\"\n}\n\nError (4xx/5xx):\n\n{\n \"error\": \"Human-readable message\",\n \"code\": \"optional_code\",\n \"details\": {}\n}" }, { "title": "Error codes", "body": "CodeMeaning400Bad request (invalid or missing fields).404Session or device not found.409Agent already registered (device_id already exists).500Server error." }, { "title": "What this proves", "body": "After registration and VeryAI verification:\n\nHuman ownership — The agent is bound to a human who passed palm verification.\nKey binding — Ed25519 signatures prove the agent controls the key; ClawKey ties that key to the verified human.\nPublic verification — Third parties can call /agent/verify/signature or /agent/verify/device/{deviceId} to confirm an agent is registered and verified." }, { "title": "When to use this skill", "body": "Registering an OpenClaw (or other) agent under a human owner.\nProving to a third party that an agent is owned by a verified human (e.g. before granting access or privileges).\nChecking whether a given key or device is registered and verified." }, { "title": "Need help?", "body": "API base: https://api.clawkey.ai/v1\nHomepage: https://clawkey.ai" } ], "body": "ClawKey — Verifiable Human Ownership\n\nRegister your agent under your human owner powered by VeryAI palm verification. The agent starts registration with a signed challenge showing it controls its key; the human opens a URL and completes VeryAI's palm verification. Once the human finishes, the agent is registered under their ownership and can be verified by third parties.\n\nCRITICAL: Never open browsers\n\nDo not use open, xdg-open, start, or any command that opens a browser. Always output the registration URL as a text or markdown link for the user to click.\n\nWRONG: open \"https://api.very.org/oauth2/...\"\nCORRECT: \"Open this link to complete verification: https://api.very.org/oauth2/...\"\nKey files\nFile\tPurpose\nSKILL.md\thttps://clawkey.ai/skill.md — registration flow, challenge generation, verification, API\nHEARTBEAT.md\thttps://clawkey.ai/heartbeat.md — periodic checklist: registration status, etc\nIdentity\t~/.openclaw/identity/device.json — OpenClaw deviceId and keys (do not send private key)\nSecurity\nPrivate key: Used to sign the challenge. Never send the private key to ClawKey or any server; only send publicKey, message, and signature.\nRegistration URL: Single-use and short-lived. Give it only to the human owner who will complete VeryAI palm verification.\ndeviceId: Use a stable identifier (e.g. from your identity store or hash of public key). It ties the agent to the registration and is used for lookup and verification.\nGenerating the AgentChallenge\n\nThe AgentChallenge is a signed payload that shows you control an Ed25519 key. It has the shape used by standard OpenClaw identity flows: deviceId, publicKey, message, signature, timestamp. Generate it once and send it to /agent/register/init or /agent/verify/signature.\n\nWhere identity comes from (OpenClaw)\n\nIf you run on OpenClaw, device identity is stored at:\n\nPath: ~/.openclaw/identity/device.json\n\nThat file contains (never send privateKeyPem to any server):\n\nField\tUse\ndeviceId\tUse as deviceId in the challenge. Stable id for this agent/device.\npublicKeyPem\tUse to derive publicKey (see below).\nprivateKeyPem\tUse only locally to sign the message. Never include in API requests.\n\nIf you don’t use OpenClaw, use your own identity store; ensure you have a stable deviceId, an Ed25519 key pair, and that you sign the exact string you send as message.\n\nBuild the challenge (step-by-step)\n\nChoose the message to sign\nFor registration, use a one-time challenge to avoid replay, e.g.:\n\nclawkey-register-\nExample: clawkey-register-1738500000000\nFor verify/signature, the message is whatever you are proving (e.g. a nonce from a third party).\n\nSign the message with your Ed25519 private key. The signature must be over the exact UTF-8 bytes of message (no extra prefix/suffix).\n\nEncode for the API:\n\npublicKey: Ed25519 public key in SPKI DER form, then base64 (no PEM wrapper).\nsignature: Raw Ed25519 signature bytes, base64.\ntimestamp: Unix time in milliseconds when the challenge was created (e.g. Date.now()).\n\nJSON body (AgentChallenge):\n\ndeviceId — from your identity (e.g. device.json)\npublicKey — base64 DER SPKI\nmessage — exact string that was signed\nsignature — base64 signature\ntimestamp — number (ms)\nExample: Node.js\nconst crypto = require(\"crypto\");\nconst fs = require(\"fs\");\n\nconst identityPath = `${process.env.HOME}/.openclaw/identity/device.json`;\nconst identity = JSON.parse(fs.readFileSync(identityPath, \"utf8\"));\n\nconst message = `clawkey-register-${Date.now()}`;\nconst privateKey = crypto.createPrivateKey(identity.privateKeyPem);\nconst signature = crypto.sign(null, Buffer.from(message, \"utf8\"), privateKey);\n\nconst publicKeyDer = crypto\n .createPublicKey(identity.publicKeyPem)\n .export({ type: \"spki\", format: \"der\" });\n\nconst challenge = {\n deviceId: identity.deviceId,\n publicKey: publicKeyDer.toString(\"base64\"),\n message,\n signature: signature.toString(\"base64\"),\n timestamp: Date.now(),\n};\n// POST challenge to https://api.clawkey.ai/v1/agent/register/init\n\nUsing a script\n\nIf you have a script that already produces an AgentChallenge (e.g. signs a message and outputs JSON with deviceId, publicKey, message, signature, timestamp), you can reuse it for ClawKey:\n\nGenerate a challenge string, e.g. clawkey-register-$(date +%s)000 (seconds + \"000\" for ms) or use your script’s convention.\nRun the script to sign that message and get the challenge JSON.\nPOST that JSON to https://api.clawkey.ai/v1/agent/register/init.\n\nSame challenge format works for POST /agent/verify/signature when verifying a signature remotely.\n\nQuick start\n1. Start registration (agent-initiated)\n\nBuild an AgentChallenge as above, then send it to ClawKey to create a session and get a registration URL.\n\ncurl -X POST https://api.clawkey.ai/v1/agent/register/init \\\n -H \"Content-Type: application/json\" \\\n -d '{\n \"deviceId\": \"my-agent-device-id\",\n \"publicKey\": \"\",\n \"message\": \"clawkey-register-1738500000000\",\n \"signature\": \"\",\n \"timestamp\": 1738500000000\n }'\n\n\nResponse (201):\n\nsessionId — use to poll status\nregistrationUrl — output this as a link for the human; do not open it in a browser\nexpiresAt — session expiry (ISO 8601)\n\nIf the agent is already registered (deviceId exists), the API returns 409 Conflict.\n\n2. Human completes verification\n\nTell the human owner to open the registrationUrl in their browser. They will go through VeryAI's palm verification via OAuth. When they finish, the agent is registered under their ownership.\n\n3. Poll registration status\n\nPoll until the human has completed or the session has expired:\n\ncurl \"https://api.clawkey.ai/v1/agent/register/SESSION_ID/status\"\n\n\nResponse: status is one of pending | completed | expired | failed. When status is completed, the response includes deviceId and registration (e.g. publicKey, registeredAt).\n\n4. Verify signatures or look up an agent\nVerify a signature — check that a message was signed by the given key and whether that agent is registered under a verified human:\ncurl -X POST https://api.clawkey.ai/v1/agent/verify/signature \\\n -H \"Content-Type: application/json\" \\\n -d '{\n \"deviceId\": \"...\",\n \"publicKey\": \"...\",\n \"message\": \"...\",\n \"signature\": \"...\",\n \"timestamp\": 1738500000000\n }'\n\n\nResponse: verified (signature valid), registered (agent under verified human).\n\nLook up an agent by device id — get registration and verification status:\ncurl \"https://api.clawkey.ai/v1/agent/verify/device/DEVICE_ID\"\n\n\nResponse: registered, verified, and optionally registeredAt.\n\nAPI reference\n\nBase URL: https://api.clawkey.ai/v1\nLocal: http://localhost:3000/v1\n\nEndpoints\nMethod\tEndpoint\tAuth\tDescription\nPOST\t/agent/register/init\tNone\tStart registration session; returns sessionId, registrationUrl, expiresAt.\nGET\t/agent/register/{sessionId}/status\tNone\tPoll registration status: pending / completed / expired / failed.\nPOST\t/agent/verify/signature\tNone\tVerify a signature and whether the agent is registered under a verified human.\nGET\t/agent/verify/device/{deviceId}\tNone\tGet agent registration and verification status by device id.\nRequest/response schemas\n\nAgentChallenge (used in register/init and verify/signature):\n\nField\tType\tRequired\tDescription\ndeviceId\tstring\tyes\tKey/device id (e.g. public key hash or app id).\npublicKey\tstring\tyes\tEd25519 public key, base64 DER SPKI.\nmessage\tstring\tyes\tExact message that was signed (e.g. challenge or nonce).\nsignature\tstring\tyes\tEd25519 signature over message, base64.\ntimestamp\tint64\tyes\tUnix timestamp (ms) when the challenge was created.\n\nRegister init response (201):\n\n{\n \"sessionId\": \"uuid\",\n \"registrationUrl\": \"https://clawkey.ai/register/...\",\n \"expiresAt\": \"2026-02-02T12:00:00Z\"\n}\n\n\nRegister status response (200):\n\n{\n \"status\": \"completed\",\n \"deviceId\": \"my-agent-device-id\",\n \"registration\": {\n \"publicKey\": \"...\",\n \"registeredAt\": \"2026-02-02T12:00:00Z\"\n }\n}\n\n\nVerify signature response (200):\n\n{\n \"verified\": true,\n \"registered\": true\n}\n\n\nDevice status response (200):\n\n{\n \"registered\": true,\n \"verified\": true,\n \"registeredAt\": \"2026-02-02T12:00:00Z\"\n}\n\n\nError (4xx/5xx):\n\n{\n \"error\": \"Human-readable message\",\n \"code\": \"optional_code\",\n \"details\": {}\n}\n\nError codes\nCode\tMeaning\n400\tBad request (invalid or missing fields).\n404\tSession or device not found.\n409\tAgent already registered (device_id already exists).\n500\tServer error.\nWhat this proves\n\nAfter registration and VeryAI verification:\n\nHuman ownership — The agent is bound to a human who passed palm verification.\nKey binding — Ed25519 signatures prove the agent controls the key; ClawKey ties that key to the verified human.\nPublic verification — Third parties can call /agent/verify/signature or /agent/verify/device/{deviceId} to confirm an agent is registered and verified.\nWhen to use this skill\nRegistering an OpenClaw (or other) agent under a human owner.\nProving to a third party that an agent is owned by a verified human (e.g. before granting access or privileges).\nChecking whether a given key or device is registered and verified.\nNeed help?\nAPI base: https://api.clawkey.ai/v1\nHomepage: https://clawkey.ai" }, "trust": { "sourceLabel": "tencent", "provenanceUrl": "https://clawhub.ai/oyyblin/clawkey", "publisherUrl": "https://clawhub.ai/oyyblin/clawkey", "owner": "oyyblin", "version": "1.0.2", "license": null, "verificationStatus": "Indexed source record" }, "links": { "detailUrl": "https://openagent3.xyz/skills/clawkey", "downloadUrl": "https://openagent3.xyz/downloads/clawkey", "agentUrl": "https://openagent3.xyz/skills/clawkey/agent", "manifestUrl": "https://openagent3.xyz/skills/clawkey/agent.json", "briefUrl": "https://openagent3.xyz/skills/clawkey/agent.md" } }