{ "schemaVersion": "1.0", "item": { "slug": "publisher-identity-verifier", "name": "Publisher Identity Verifier", "source": "tencent", "type": "skill", "category": "AI 智能", "sourceUrl": "https://clawhub.ai/andyxinweiminicloud/publisher-identity-verifier", "canonicalUrl": "https://clawhub.ai/andyxinweiminicloud/publisher-identity-verifier", "targetPlatform": "OpenClaw" }, "install": { "downloadMode": "redirect", "downloadUrl": "/downloads/publisher-identity-verifier", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=publisher-identity-verifier", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "installMethod": "Manual import", "extraction": "Extract archive", "prerequisites": [ "OpenClaw" ], "packageFormat": "ZIP package", "includedAssets": [ "SKILL.md" ], "primaryDoc": "SKILL.md", "quickSetup": [ "Download the package from Yavira.", "Extract the archive and review SKILL.md first.", "Import or place the package into your OpenClaw setup." ], "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "sourceHealth": { "source": "tencent", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-30T16:55:25.780Z", "expiresAt": "2026-05-07T16:55:25.780Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network", "contentDisposition": "attachment; filename=\"network-1.0.0.zip\"", "redirectLocation": null, "bodySnippet": null }, "scope": "source", "summary": "Source download looks usable.", "detail": "Yavira can redirect you to the upstream package for this source.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/publisher-identity-verifier" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] }, "downloadPageUrl": "https://openagent3.xyz/downloads/publisher-identity-verifier", "agentPageUrl": "https://openagent3.xyz/skills/publisher-identity-verifier/agent", "manifestUrl": "https://openagent3.xyz/skills/publisher-identity-verifier/agent.json", "briefUrl": "https://openagent3.xyz/skills/publisher-identity-verifier/agent.md" }, "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "documentation": { "source": "clawhub", "primaryDoc": "SKILL.md", "sections": [ { "title": "You Trusted the Publisher. But Who Verified the Publisher?", "body": "Helps identify gaps in publisher identity verification that allow impersonation, key compromise, and identity fraud in agent marketplaces." }, { "title": "Problem", "body": "When you install a skill, you trust the publisher. But what proves the publisher is who they claim to be? Most agent marketplaces verify email addresses — not identities. A publisher account can be created in minutes, build reputation over months, then be compromised or sold. The skill ecosystem has no equivalent of code signing certificates, no publisher key transparency logs, and no mechanism to detect when a trusted publisher identity has been taken over. This is the weakest link in agent-to-agent trust: you can audit the code, audit the permissions, audit the tests — but if the publisher behind them isn't who you think, all those audits verify the wrong thing." }, { "title": "What This Checks", "body": "This verifier examines publisher identity integrity across five dimensions:\n\nPublication history consistency — Does the publisher's output show a coherent expertise trajectory, or sudden topic shifts that suggest account takeover? A Python tooling publisher that suddenly releases a crypto wallet skill is a signal worth investigating\nKey rotation analysis — Tracks signing key changes over time. Normal rotation follows predictable patterns (annual, after security events). Suspicious patterns: key change immediately before a controversial update, key change with no announcement, multiple key changes in short succession\nIdentity impersonation detection — Scans for publisher names that are typo-squats (e.g., anthroplc vs anthropic), Unicode homoglyphs (e.g., Cyrillic а vs Latin a), or prefix/suffix variations of established publishers\nCross-platform identity correlation — Checks whether the publisher has consistent identity signals across multiple platforms (marketplace profile, code repository, community presence). A publisher that exists only on one platform with no external footprint is higher risk\nCredential lifecycle gaps — Identifies publishers whose verification credentials have expired, whose linked accounts have been deleted, or whose attestation chain has broken links" }, { "title": "How to Use", "body": "Input: Provide one of:\n\nA publisher ID or username to investigate\nA skill identifier to trace back to its publisher\nA marketplace search term to audit publisher identities in results\n\nOutput: A publisher identity report containing:\n\nIdentity consistency score across dimensions\nTimeline of key events (account creation, key changes, topic shifts)\nImpersonation risk assessment\nCross-platform presence map\nTrust rating: VERIFIED / PARTIAL / UNVERIFIED / SUSPICIOUS\nRecommended actions for downstream adopters" }, { "title": "Example", "body": "Input: Verify publisher identity for secure-tools-org (popular security utility publisher)\n\n🪪 PUBLISHER IDENTITY REPORT — SUSPICIOUS\n\nPublisher: secure-tools-org\nAccount age: 14 months\nSkills published: 8\nTotal downloads: ~2,400\n\nHistory consistency: ⚠️ WARNING\n Months 1-11: Published 5 Python linting tools (consistent theme)\n Month 12: Published 3 \"security audit\" tools (sudden pivot)\n Topic shift coincides with key rotation event\n\nKey rotation: ⚠️ ANOMALY DETECTED\n Key #1: Created 2024-01-15, used for 11 months\n Key #2: Created 2024-12-03, used since (current)\n Gap: Key changed 2 days before first security tool published\n No rotation announcement found in any channel\n\nImpersonation check: ✓ CLEAN\n No known publishers with confusable names\n No Unicode homoglyph matches\n\nCross-platform presence: ⚠️ THIN\n Marketplace: ✓ Active profile\n Code repository: ✗ No linked repository\n Community: ✗ No forum/social presence found\n Single-platform publisher — limited identity corroboration\n\nCredential lifecycle: ⚠️ PARTIAL\n Email verification: ✓ Valid\n Repository attestation: ✗ Not configured\n Signing key transparency: ✗ No public key log\n\nTrust rating: SUSPICIOUS\n Reason: Topic pivot + key rotation timing + single-platform presence\n\nRecommended actions:\n 1. Review the 3 security tools manually before adoption\n 2. Contact publisher to request repository attestation\n 3. Monitor for further key rotation events\n 4. Cross-reference with clone-farm-detector for content analysis" }, { "title": "Related Tools", "body": "clone-farm-detector — Detects content-level cloning; use together to distinguish \"same code, different publisher\" (clone) from \"same publisher, different identity\" (impersonation)\nprotocol-doc-auditor — Audits documentation trust signals; publisher identity adds context to whether doc instructions should be trusted\ntrust-decay-monitor — Tracks verification freshness; publisher identity credentials also decay over time\nevolution-drift-detector — Detects behavioral drift in skills; sudden drift may correlate with publisher identity changes" }, { "title": "Limitations", "body": "Publisher identity verification helps surface inconsistencies but cannot prove malicious intent. Account takeovers may be invisible if the attacker maintains the publisher's established patterns. Cross-platform correlation depends on public information availability — publishers who deliberately maintain privacy may appear suspicious when they are simply private. This tool provides identity risk signals, not identity proof — it helps prioritize which publishers warrant deeper investigation but does not replace platform-level identity verification infrastructure." } ], "body": "You Trusted the Publisher. But Who Verified the Publisher?\n\nHelps identify gaps in publisher identity verification that allow impersonation, key compromise, and identity fraud in agent marketplaces.\n\nProblem\n\nWhen you install a skill, you trust the publisher. But what proves the publisher is who they claim to be? Most agent marketplaces verify email addresses — not identities. A publisher account can be created in minutes, build reputation over months, then be compromised or sold. The skill ecosystem has no equivalent of code signing certificates, no publisher key transparency logs, and no mechanism to detect when a trusted publisher identity has been taken over. This is the weakest link in agent-to-agent trust: you can audit the code, audit the permissions, audit the tests — but if the publisher behind them isn't who you think, all those audits verify the wrong thing.\n\nWhat This Checks\n\nThis verifier examines publisher identity integrity across five dimensions:\n\nPublication history consistency — Does the publisher's output show a coherent expertise trajectory, or sudden topic shifts that suggest account takeover? A Python tooling publisher that suddenly releases a crypto wallet skill is a signal worth investigating\nKey rotation analysis — Tracks signing key changes over time. Normal rotation follows predictable patterns (annual, after security events). Suspicious patterns: key change immediately before a controversial update, key change with no announcement, multiple key changes in short succession\nIdentity impersonation detection — Scans for publisher names that are typo-squats (e.g., anthroplc vs anthropic), Unicode homoglyphs (e.g., Cyrillic а vs Latin a), or prefix/suffix variations of established publishers\nCross-platform identity correlation — Checks whether the publisher has consistent identity signals across multiple platforms (marketplace profile, code repository, community presence). A publisher that exists only on one platform with no external footprint is higher risk\nCredential lifecycle gaps — Identifies publishers whose verification credentials have expired, whose linked accounts have been deleted, or whose attestation chain has broken links\nHow to Use\n\nInput: Provide one of:\n\nA publisher ID or username to investigate\nA skill identifier to trace back to its publisher\nA marketplace search term to audit publisher identities in results\n\nOutput: A publisher identity report containing:\n\nIdentity consistency score across dimensions\nTimeline of key events (account creation, key changes, topic shifts)\nImpersonation risk assessment\nCross-platform presence map\nTrust rating: VERIFIED / PARTIAL / UNVERIFIED / SUSPICIOUS\nRecommended actions for downstream adopters\nExample\n\nInput: Verify publisher identity for secure-tools-org (popular security utility publisher)\n\n🪪 PUBLISHER IDENTITY REPORT — SUSPICIOUS\n\nPublisher: secure-tools-org\nAccount age: 14 months\nSkills published: 8\nTotal downloads: ~2,400\n\nHistory consistency: ⚠️ WARNING\n Months 1-11: Published 5 Python linting tools (consistent theme)\n Month 12: Published 3 \"security audit\" tools (sudden pivot)\n Topic shift coincides with key rotation event\n\nKey rotation: ⚠️ ANOMALY DETECTED\n Key #1: Created 2024-01-15, used for 11 months\n Key #2: Created 2024-12-03, used since (current)\n Gap: Key changed 2 days before first security tool published\n No rotation announcement found in any channel\n\nImpersonation check: ✓ CLEAN\n No known publishers with confusable names\n No Unicode homoglyph matches\n\nCross-platform presence: ⚠️ THIN\n Marketplace: ✓ Active profile\n Code repository: ✗ No linked repository\n Community: ✗ No forum/social presence found\n Single-platform publisher — limited identity corroboration\n\nCredential lifecycle: ⚠️ PARTIAL\n Email verification: ✓ Valid\n Repository attestation: ✗ Not configured\n Signing key transparency: ✗ No public key log\n\nTrust rating: SUSPICIOUS\n Reason: Topic pivot + key rotation timing + single-platform presence\n\nRecommended actions:\n 1. Review the 3 security tools manually before adoption\n 2. Contact publisher to request repository attestation\n 3. Monitor for further key rotation events\n 4. Cross-reference with clone-farm-detector for content analysis\n\nRelated Tools\nclone-farm-detector — Detects content-level cloning; use together to distinguish \"same code, different publisher\" (clone) from \"same publisher, different identity\" (impersonation)\nprotocol-doc-auditor — Audits documentation trust signals; publisher identity adds context to whether doc instructions should be trusted\ntrust-decay-monitor — Tracks verification freshness; publisher identity credentials also decay over time\nevolution-drift-detector — Detects behavioral drift in skills; sudden drift may correlate with publisher identity changes\nLimitations\n\nPublisher identity verification helps surface inconsistencies but cannot prove malicious intent. Account takeovers may be invisible if the attacker maintains the publisher's established patterns. Cross-platform correlation depends on public information availability — publishers who deliberately maintain privacy may appear suspicious when they are simply private. This tool provides identity risk signals, not identity proof — it helps prioritize which publishers warrant deeper investigation but does not replace platform-level identity verification infrastructure." }, "trust": { "sourceLabel": "tencent", "provenanceUrl": "https://clawhub.ai/andyxinweiminicloud/publisher-identity-verifier", "publisherUrl": "https://clawhub.ai/andyxinweiminicloud/publisher-identity-verifier", "owner": "andyxinweiminicloud", "version": "1.0.0", "license": null, "verificationStatus": "Indexed source record" }, "links": { "detailUrl": "https://openagent3.xyz/skills/publisher-identity-verifier", "downloadUrl": "https://openagent3.xyz/downloads/publisher-identity-verifier", "agentUrl": "https://openagent3.xyz/skills/publisher-identity-verifier/agent", "manifestUrl": "https://openagent3.xyz/skills/publisher-identity-verifier/agent.json", "briefUrl": "https://openagent3.xyz/skills/publisher-identity-verifier/agent.md" } }