{ "schemaVersion": "1.0", "item": { "slug": "openclaw-occ", "name": "OCC for OpenClaw", "source": "tencent", "type": "skill", "category": "AI 智能", "sourceUrl": "https://clawhub.ai/mikeargento/openclaw-occ", "canonicalUrl": "https://clawhub.ai/mikeargento/openclaw-occ", "targetPlatform": "OpenClaw" }, "install": { "downloadMode": "redirect", "downloadUrl": "/downloads/openclaw-occ", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=openclaw-occ", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "installMethod": "Manual import", "extraction": "Extract archive", "prerequisites": [ "OpenClaw" ], "packageFormat": "ZIP package", "includedAssets": [ "SKILL.md" ], "primaryDoc": "SKILL.md", "quickSetup": [ "Download the package from Yavira.", "Extract the archive and review SKILL.md first.", "Import or place the package into your OpenClaw setup." ], "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "sourceHealth": { "source": "tencent", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-30T16:55:25.780Z", "expiresAt": "2026-05-07T16:55:25.780Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network", "contentDisposition": "attachment; filename=\"network-1.0.0.zip\"", "redirectLocation": null, "bodySnippet": null }, "scope": "source", "summary": "Source download looks usable.", "detail": "Yavira can redirect you to the upstream package for this source.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/openclaw-occ" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] }, "downloadPageUrl": "https://openagent3.xyz/downloads/openclaw-occ", "agentPageUrl": "https://openagent3.xyz/skills/openclaw-occ/agent", "manifestUrl": "https://openagent3.xyz/skills/openclaw-occ/agent.json", "briefUrl": "https://openagent3.xyz/skills/openclaw-occ/agent.md" }, "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "documentation": { "source": "clawhub", "primaryDoc": "SKILL.md", "sections": [ { "title": "What this skill does", "body": "openclaw-occ is an OpenClaw plugin that commits a cryptographic OCC (Origin Controlled Computing) proof after every tool the agent runs — bash commands, file reads, browser navigation, API calls. Proofs are stored locally in ~/.openclaw/workspace/occ-proofs/ as append-only JSONL files.\n\nIf a malicious skill or prompt injection causes unauthorized actions, those actions either appear in the proof log without a valid signature, or are absent entirely — making the attack visible in the audit trail.\n\nWhy OCC proofs are different from regular logs: a log is written by the system being monitored and can be deleted without leaving a trace. An OCC proof is committed to an external notary by the OpenClaw runtime automatically — the model's instructions cannot suppress it. Proofs are chained by a monotonic counter, so a gap (e.g. counter jumps from 41 to 43) is itself evidence of a suppressed action. Signatures are Ed25519 and verifiable offline — no trust in the notary is required to audit your trail.\n\nUse this skill to help users install the plugin, configure it, and understand their audit results." }, { "title": "Privacy & data", "body": "What the notary receives: each proof contains the tool name (e.g. bash, read), a timestamp, a SHA-256 hash chained to the previous proof, and a monotonic counter. It does not contain the content of tool inputs or outputs — no file contents, no bash commands, no API responses. Source: lib/notary.js\n\nZero-network option: set \"mode\": \"stub\" in ~/.openclaw/workspace/occ.json. All proofs are stored locally as SHA-256 hashes with no outbound requests.\n\nSelf-hosting: run your own Cloudflare Worker notary (see Self-hosting section) so no proof data ever leaves your infrastructure." }, { "title": "Installing the plugin", "body": "Tell the user to run these commands:\n\nnpm install -g openclaw-occ\nopenclaw-occ install\n\nThen restart OpenClaw. It will discover the plugin automatically on next start (it scans for openclaw.extensions in package.json)." }, { "title": "Configuring", "body": "Create ~/.openclaw/workspace/occ.json. There are three modes:\n\nModeWhat it doesstubLocal SHA-256 only. No network call. Good for offline or privacy-first use.remotePOST to one notary. Returns a signed proof with Ed25519 signature + monotonic counter. Default.teePOST to multiple notaries simultaneously. Best for compliance or redundancy.\n\nDefault config (uses the hosted OCC notary, no setup needed):\n\n{\n \"mode\": \"remote\",\n \"notaries\": [\"https://occ-notary.gjp9tm85hq.workers.dev/commit\"]\n}\n\nTee mode (your own notary + hosted fallback):\n\n{\n \"mode\": \"tee\",\n \"notaries\": [\n \"https://my-own-notary.example.com/commit\",\n \"https://occ-notary.gjp9tm85hq.workers.dev/commit\"\n ]\n}" }, { "title": "Checking the audit trail", "body": "In chat (type in any connected chat — WhatsApp, Telegram, Slack, Discord):\n\nocc audit — today's summary: action count, proof status, last tool run\nocc verify bash — re-verify the last 5 bash tool proofs against the notary\n\nIn terminal:\n\nnpx occ-verify # recent proofs (last 7 days)\nnpx occ-verify --verbose # full detail per proof\nnpx occ-verify --check # re-verify all proofs against notary\nnpx occ-verify --tool bash # filter by tool name\nnpx occ-verify --date 2026-02-27 # filter to a specific date\nnpx occ-verify --session # filter by session\nnpx occ-verify --json # raw JSON output (for piping / scripting)\n\nIn the Control UI: the OCC panel shows every action with its timestamp, tool name, proof hash, mode indicator, and one-click verification." }, { "title": "Interpreting proof status", "body": "🔏 signed — proof was committed to the notary; carries an Ed25519 signature + monotonic counter\n⚪ stub — local SHA-256 only (mode is stub, or notary was unreachable)\n⚠ failed — notary unreachable; a fallback proof was stored so the gap remains visible\n\nCounter gaps matter. If the counter jumps from 41 to 43, proof 42 is missing — potentially evidence of a suppressed or injected action." }, { "title": "Self-hosting a notary", "body": "If the user wants full control and offline verification, they can deploy their own Cloudflare Worker notary.\n\nPrerequisites: a Cloudflare account with Workers and KV enabled, and Wrangler authenticated (npx wrangler login).\n\ncd ~/.openclaw/extensions/openclaw-occ/notary-worker\nnpx wrangler kv:namespace create OCC_PROOFS\n# Copy the output ID into wrangler.toml under [[kv_namespaces]]\nnpx wrangler deploy\n\nAfter deploy, save the public key for offline verification:\n\ncurl https://your-worker.workers.dev/key\n# → { \"publicKeyB64\": \"...\", \"version\": \"occ/1\" }\n\nThen update ~/.openclaw/workspace/occ.json:\n\n{\n \"mode\": \"remote\",\n \"notaries\": [\"https://your-worker.workers.dev/commit\"]\n}" }, { "title": "Proof storage location", "body": "~/.openclaw/workspace/occ-proofs/\n 2026-02-27.jsonl\n 2026-02-26.jsonl\n …\n\nOne JSONL file per day. Append-only. Crash-safe. Easy to grep, archive, or pipe into other tools." }, { "title": "More info", "body": "Plugin: npm install openclaw-occ\nDocs: https://occprotocol.com/openclaw\nSource: https://github.com/mikeargento/occ-core" } ], "body": "What this skill does\n\nopenclaw-occ is an OpenClaw plugin that commits a cryptographic OCC (Origin Controlled Computing) proof after every tool the agent runs — bash commands, file reads, browser navigation, API calls. Proofs are stored locally in ~/.openclaw/workspace/occ-proofs/ as append-only JSONL files.\n\nIf a malicious skill or prompt injection causes unauthorized actions, those actions either appear in the proof log without a valid signature, or are absent entirely — making the attack visible in the audit trail.\n\nWhy OCC proofs are different from regular logs: a log is written by the system being monitored and can be deleted without leaving a trace. An OCC proof is committed to an external notary by the OpenClaw runtime automatically — the model's instructions cannot suppress it. Proofs are chained by a monotonic counter, so a gap (e.g. counter jumps from 41 to 43) is itself evidence of a suppressed action. Signatures are Ed25519 and verifiable offline — no trust in the notary is required to audit your trail.\n\nUse this skill to help users install the plugin, configure it, and understand their audit results.\n\nPrivacy & data\n\nWhat the notary receives: each proof contains the tool name (e.g. bash, read), a timestamp, a SHA-256 hash chained to the previous proof, and a monotonic counter. It does not contain the content of tool inputs or outputs — no file contents, no bash commands, no API responses. Source: lib/notary.js\n\nZero-network option: set \"mode\": \"stub\" in ~/.openclaw/workspace/occ.json. All proofs are stored locally as SHA-256 hashes with no outbound requests.\n\nSelf-hosting: run your own Cloudflare Worker notary (see Self-hosting section) so no proof data ever leaves your infrastructure.\n\nInstalling the plugin\n\nTell the user to run these commands:\n\nnpm install -g openclaw-occ\nopenclaw-occ install\n\n\nThen restart OpenClaw. It will discover the plugin automatically on next start (it scans for openclaw.extensions in package.json).\n\nConfiguring\n\nCreate ~/.openclaw/workspace/occ.json. There are three modes:\n\nMode\tWhat it does\nstub\tLocal SHA-256 only. No network call. Good for offline or privacy-first use.\nremote\tPOST to one notary. Returns a signed proof with Ed25519 signature + monotonic counter. Default.\ntee\tPOST to multiple notaries simultaneously. Best for compliance or redundancy.\n\nDefault config (uses the hosted OCC notary, no setup needed):\n\n{\n \"mode\": \"remote\",\n \"notaries\": [\"https://occ-notary.gjp9tm85hq.workers.dev/commit\"]\n}\n\n\nTee mode (your own notary + hosted fallback):\n\n{\n \"mode\": \"tee\",\n \"notaries\": [\n \"https://my-own-notary.example.com/commit\",\n \"https://occ-notary.gjp9tm85hq.workers.dev/commit\"\n ]\n}\n\nChecking the audit trail\n\nIn chat (type in any connected chat — WhatsApp, Telegram, Slack, Discord):\n\nocc audit — today's summary: action count, proof status, last tool run\nocc verify bash — re-verify the last 5 bash tool proofs against the notary\n\nIn terminal:\n\nnpx occ-verify # recent proofs (last 7 days)\nnpx occ-verify --verbose # full detail per proof\nnpx occ-verify --check # re-verify all proofs against notary\nnpx occ-verify --tool bash # filter by tool name\nnpx occ-verify --date 2026-02-27 # filter to a specific date\nnpx occ-verify --session # filter by session\nnpx occ-verify --json # raw JSON output (for piping / scripting)\n\n\nIn the Control UI: the OCC panel shows every action with its timestamp, tool name, proof hash, mode indicator, and one-click verification.\n\nInterpreting proof status\n🔏 signed — proof was committed to the notary; carries an Ed25519 signature + monotonic counter\n⚪ stub — local SHA-256 only (mode is stub, or notary was unreachable)\n⚠ failed — notary unreachable; a fallback proof was stored so the gap remains visible\n\nCounter gaps matter. If the counter jumps from 41 to 43, proof 42 is missing — potentially evidence of a suppressed or injected action.\n\nSelf-hosting a notary\n\nIf the user wants full control and offline verification, they can deploy their own Cloudflare Worker notary.\n\nPrerequisites: a Cloudflare account with Workers and KV enabled, and Wrangler authenticated (npx wrangler login).\n\ncd ~/.openclaw/extensions/openclaw-occ/notary-worker\nnpx wrangler kv:namespace create OCC_PROOFS\n# Copy the output ID into wrangler.toml under [[kv_namespaces]]\nnpx wrangler deploy\n\n\nAfter deploy, save the public key for offline verification:\n\ncurl https://your-worker.workers.dev/key\n# → { \"publicKeyB64\": \"...\", \"version\": \"occ/1\" }\n\n\nThen update ~/.openclaw/workspace/occ.json:\n\n{\n \"mode\": \"remote\",\n \"notaries\": [\"https://your-worker.workers.dev/commit\"]\n}\n\nProof storage location\n~/.openclaw/workspace/occ-proofs/\n 2026-02-27.jsonl\n 2026-02-26.jsonl\n …\n\n\nOne JSONL file per day. Append-only. Crash-safe. Easy to grep, archive, or pipe into other tools.\n\nMore info\nPlugin: npm install openclaw-occ\nDocs: https://occprotocol.com/openclaw\nSource: https://github.com/mikeargento/occ-core" }, "trust": { "sourceLabel": "tencent", "provenanceUrl": "https://clawhub.ai/mikeargento/openclaw-occ", "publisherUrl": "https://clawhub.ai/mikeargento/openclaw-occ", "owner": "mikeargento", "version": "1.1.1", "license": null, "verificationStatus": "Indexed source record" }, "links": { "detailUrl": "https://openagent3.xyz/skills/openclaw-occ", "downloadUrl": "https://openagent3.xyz/downloads/openclaw-occ", "agentUrl": "https://openagent3.xyz/skills/openclaw-occ/agent", "manifestUrl": "https://openagent3.xyz/skills/openclaw-occ/agent.json", "briefUrl": "https://openagent3.xyz/skills/openclaw-occ/agent.md" } }