Requirements
- Target platform
- OpenClaw
- Install method
- Manual import
- Extraction
- Extract archive
- Prerequisites
- OpenClaw
- Primary doc
- SKILL.md
Tencent SkillHub Β· AI
Publisher Identity Verifier
Helps verify publisher identity integrity in AI agent ecosystems. Detects impersonation, key rotation anomalies, and identity gaps in the trust chain between...
skill openclawclawhub Free
Helps verify publisher identity integrity in AI agent ecosystems. Detects impersonation, key rotation anomalies, and identity gaps in the trust chain between...
β¬ 0 downloads β
0 stars Unverified but indexed
Install for OpenClaw
Quick setup
- Download the package from Yavira.
- Extract the archive and review SKILL.md first.
- Import or place the package into your OpenClaw setup.
Package facts
- Download mode
- Yavira redirect
- Package format
- ZIP package
- Source platform
- Tencent SkillHub
- What's included
- SKILL.md
Validation
- Use the Yavira download entry.
- Review SKILL.md after the package is downloaded.
- Confirm the extracted package contains the expected setup assets.
Install with your agent
Agent handoff
Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.
- Download the package from Yavira.
- Extract it into a folder your agent can access.
- Paste one of the prompts below and point your agent at the extracted folder.
New install
I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete.
Upgrade existing
I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run.
Trust & source
Release facts
- Source
- Tencent SkillHub
- Verification
- Indexed source record
- Version
- 1.0.0
Provenance
- Publisher
- andyxinweiminicloud
- Source page
- View original listing
- Canonical URL
- Open canonical page
Documentation
You Trusted the Publisher. But Who Verified the Publisher?
Helps identify gaps in publisher identity verification that allow impersonation, key compromise, and identity fraud in agent marketplaces.
Problem
When you install a skill, you trust the publisher. But what proves the publisher is who they claim to be? Most agent marketplaces verify email addresses β not identities. A publisher account can be created in minutes, build reputation over months, then be compromised or sold. The skill ecosystem has no equivalent of code signing certificates, no publisher key transparency logs, and no mechanism to detect when a trusted publisher identity has been taken over. This is the weakest link in agent-to-agent trust: you can audit the code, audit the permissions, audit the tests β but if the publisher behind them isn't who you think, all those audits verify the wrong thing.
What This Checks
This verifier examines publisher identity integrity across five dimensions: Publication history consistency β Does the publisher's output show a coherent expertise trajectory, or sudden topic shifts that suggest account takeover? A Python tooling publisher that suddenly releases a crypto wallet skill is a signal worth investigating Key rotation analysis β Tracks signing key changes over time. Normal rotation follows predictable patterns (annual, after security events). Suspicious patterns: key change immediately before a controversial update, key change with no announcement, multiple key changes in short succession Identity impersonation detection β Scans for publisher names that are typo-squats (e.g., anthroplc vs anthropic), Unicode homoglyphs (e.g., Cyrillic Π° vs Latin a), or prefix/suffix variations of established publishers Cross-platform identity correlation β Checks whether the publisher has consistent identity signals across multiple platforms (marketplace profile, code repository, community presence). A publisher that exists only on one platform with no external footprint is higher risk Credential lifecycle gaps β Identifies publishers whose verification credentials have expired, whose linked accounts have been deleted, or whose attestation chain has broken links
How to Use
Input: Provide one of: A publisher ID or username to investigate A skill identifier to trace back to its publisher A marketplace search term to audit publisher identities in results Output: A publisher identity report containing: Identity consistency score across dimensions Timeline of key events (account creation, key changes, topic shifts) Impersonation risk assessment Cross-platform presence map Trust rating: VERIFIED / PARTIAL / UNVERIFIED / SUSPICIOUS Recommended actions for downstream adopters
Example
Input: Verify publisher identity for secure-tools-org (popular security utility publisher) πͺͺ PUBLISHER IDENTITY REPORT β SUSPICIOUS Publisher: secure-tools-org Account age: 14 months Skills published: 8 Total downloads: ~2,400 History consistency: β οΈ WARNING Months 1-11: Published 5 Python linting tools (consistent theme) Month 12: Published 3 "security audit" tools (sudden pivot) Topic shift coincides with key rotation event Key rotation: β οΈ ANOMALY DETECTED Key #1: Created 2024-01-15, used for 11 months Key #2: Created 2024-12-03, used since (current) Gap: Key changed 2 days before first security tool published No rotation announcement found in any channel Impersonation check: β CLEAN No known publishers with confusable names No Unicode homoglyph matches Cross-platform presence: β οΈ THIN Marketplace: β Active profile Code repository: β No linked repository Community: β No forum/social presence found Single-platform publisher β limited identity corroboration Credential lifecycle: β οΈ PARTIAL Email verification: β Valid Repository attestation: β Not configured Signing key transparency: β No public key log Trust rating: SUSPICIOUS Reason: Topic pivot + key rotation timing + single-platform presence Recommended actions: 1. Review the 3 security tools manually before adoption 2. Contact publisher to request repository attestation 3. Monitor for further key rotation events 4. Cross-reference with clone-farm-detector for content analysis
Related Tools
clone-farm-detector β Detects content-level cloning; use together to distinguish "same code, different publisher" (clone) from "same publisher, different identity" (impersonation) protocol-doc-auditor β Audits documentation trust signals; publisher identity adds context to whether doc instructions should be trusted trust-decay-monitor β Tracks verification freshness; publisher identity credentials also decay over time evolution-drift-detector β Detects behavioral drift in skills; sudden drift may correlate with publisher identity changes
Limitations
Publisher identity verification helps surface inconsistencies but cannot prove malicious intent. Account takeovers may be invisible if the attacker maintains the publisher's established patterns. Cross-platform correlation depends on public information availability β publishers who deliberately maintain privacy may appear suspicious when they are simply private. This tool provides identity risk signals, not identity proof β it helps prioritize which publishers warrant deeper investigation but does not replace platform-level identity verification infrastructure.
Category context
Agent frameworks, memory systems, reasoning layers, and model-native orchestration.
Source: Tencent SkillHub
Largest current source with strong distribution and engagement signals.
Package contents
Included in package
1 Docs
- SKILL.md