{ "schemaVersion": "1.0", "item": { "slug": "runtime-attestation-probe", "name": "Runtime Attestation Probe", "source": "tencent", "type": "skill", "category": "AI 智能", "sourceUrl": "https://clawhub.ai/andyxinweiminicloud/runtime-attestation-probe", "canonicalUrl": "https://clawhub.ai/andyxinweiminicloud/runtime-attestation-probe", "targetPlatform": "OpenClaw" }, "install": { "downloadMode": "redirect", "downloadUrl": "/downloads/runtime-attestation-probe", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=runtime-attestation-probe", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "installMethod": "Manual import", "extraction": "Extract archive", "prerequisites": [ "OpenClaw" ], "packageFormat": "ZIP package", "includedAssets": [ "SKILL.md" ], "primaryDoc": "SKILL.md", "quickSetup": [ "Download the package from Yavira.", "Extract the archive and review SKILL.md first.", "Import or place the package into your OpenClaw setup." ], "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "sourceHealth": { "source": "tencent", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-30T16:55:25.780Z", "expiresAt": "2026-05-07T16:55:25.780Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network", "contentDisposition": "attachment; filename=\"network-1.0.0.zip\"", "redirectLocation": null, "bodySnippet": null }, "scope": "source", "summary": "Source download looks usable.", "detail": "Yavira can redirect you to the upstream package for this source.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/runtime-attestation-probe" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] }, "downloadPageUrl": "https://openagent3.xyz/downloads/runtime-attestation-probe", "agentPageUrl": "https://openagent3.xyz/skills/runtime-attestation-probe/agent", "manifestUrl": "https://openagent3.xyz/skills/runtime-attestation-probe/agent.json", "briefUrl": "https://openagent3.xyz/skills/runtime-attestation-probe/agent.md" }, "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "documentation": { "source": "clawhub", "primaryDoc": "SKILL.md", "sections": [ { "title": "The Skill Passed Static Analysis. It Failed at Runtime. Nobody Checked.", "body": "Helps identify divergence between an agent's declared behavior and its actual runtime behavior — catching conditional activation, environment-triggered payload release, and other attacks that static analysis cannot see." }, { "title": "Problem", "body": "Static analysis audits what a skill declares it will do. Runtime behavior is what it actually does. These two are not always the same.\n\nA skill can pass every static check — clean SKILL.md, legitimate permissions, no suspicious imports — and still behave differently in specific environments. Conditional execution (activate only when running as root, only when a specific environment variable is present, only after N successful runs) is invisible to static analysis by design. The payload is not in the code — it's in the conditions under which the code executes different paths.\n\nThis is not a theoretical concern. Conditional activation is a documented pattern in traditional malware, and the same technique applies to agent skills. A skill that exfiltrates data only when PRODUCTION=true is set will pass every sandbox-based audit without triggering, then activate when deployed in the target environment.\n\nRuntime attestation probing tests the gap between declared and observed behavior by instrumenting actual execution and comparing it against the skill's attestation claims." }, { "title": "What This Probes", "body": "This probe examines runtime behavior across five dimensions:\n\nCapability boundary adherence — Does the skill access resources beyond what it declared in its attestation? File system paths accessed but not declared, network connections to undeclared endpoints, and system calls outside the claimed scope are all behavioral violations\nConditional activation detection — Does the skill behave differently based on environment variables, execution count, time of day, or the presence of specific files? Controlled execution in varied environments can reveal conditional logic that static analysis misses\nData handling verification — Does data flow where the skill claims it flows? If the attestation says \"data stays local,\" does runtime behavior confirm no outbound transmission of sensitive parameters?\nSide effect audit — What does the skill write, modify, or delete during execution? Side effects not mentioned in the attestation are undeclared capabilities, whether intentional or accidental\nAttestation drift detection — Does the skill's runtime behavior match its most recent attestation, or has behavior changed without a corresponding attestation update?" }, { "title": "How to Use", "body": "Input: Provide one of:\n\nA skill identifier and execution environment to probe\nA skill with its attestation document for comparison\nA set of execution traces to compare against attestation claims\n\nOutput: A runtime attestation report containing:\n\nCapability boundary violations (accessed vs. declared)\nConditional behavior patterns detected\nData flow verification results\nSide effect inventory\nAttestation drift score (0-100, where higher = more behavioral drift from attestation)\nProbe verdict: COMPLIANT / DRIFT / VIOLATION / CONDITIONAL_ACTIVATION" }, { "title": "Example", "body": "Input: Probe report-generator skill against its v1.2 attestation\n\n🔬 RUNTIME ATTESTATION PROBE\n\nSkill: report-generator v1.2\nAttestation date: 2025-01-08\nProbe environments: 3 (minimal, staging, production-like)\nExecution samples: 50 per environment\n\nCapability boundary:\n Declared: read ./reports/, write ./output/\n Observed (minimal env): read ./reports/, write ./output/ ✅\n Observed (staging env): read ./reports/, write ./output/ ✅\n Observed (production-like env): read ./reports/, write ./output/,\n + read ~/.aws/credentials ⚠️ UNDECLARED\n + POST https://telemetry.reporting-service.example ⚠️ UNDECLARED\n\nConditional activation detected:\n Trigger: AWS_DEFAULT_REGION environment variable present\n Behavior without trigger: reads reports, writes output (declared behavior)\n Behavior with trigger: additionally reads ~/.aws/credentials,\n sends POST to external endpoint\n Pattern: classic credential harvest conditional on cloud environment detection\n\nData flow:\n Without AWS_DEFAULT_REGION: data stays local ✅\n With AWS_DEFAULT_REGION: AWS credentials transmitted to external endpoint ⚠️\n\nSide effects:\n Both environments: ./output/ written as declared ✅\n Production-like only: ~/.aws/credentials read (undeclared, not written) ⚠️\n\nAttestation drift score: 73/100\n (High drift: core behavior matches, but environment-conditional behavior\n diverges significantly from declared capability scope)\n\nProbe verdict: CONDITIONAL_ACTIVATION\n This skill activates credential harvesting behavior specifically in\n environments where AWS credentials are present, and passes all checks\n in environments without cloud provider signals.\n\nRecommended actions:\n 1. Do not deploy in any environment with cloud provider credentials\n 2. Report conditional activation to marketplace trust & safety\n 3. Audit other skills from same publisher with similar conditional patterns\n 4. Treat AWS credential access as confirmed compromise attempt" }, { "title": "Related Tools", "body": "skill-update-delta-monitor — Tracks declared changes between versions; runtime-attestation-probe verifies whether actual behavior matches those declarations\nhollow-validation-checker — Detects fake install-time tests; attestation probe tests actual execution behavior\nblast-radius-estimator — Estimates propagation impact; use after conditional activation confirmed to assess scope\ntrust-velocity-calculator — Quantifies trust decay rate; confirmed behavioral drift resets trust score to zero" }, { "title": "Limitations", "body": "Runtime attestation probing requires executing the skill in a controlled environment, which introduces risk if the skill contains destructive payloads. Probing should be performed in isolated sandboxes with no access to real credentials, production data, or production systems. Conditional activation that requires specific runtime conditions beyond what the probe environment provides will not be detected — probing three environments does not guarantee detection of triggers requiring a fourth specific condition. Some legitimate skills exhibit environment-dependent behavior (e.g., \"write to S3 if AWS credentials present, write locally otherwise\") — this tool surfaces the behavioral difference and requires human judgment to assess whether the conditional behavior is malicious or functional. Probing coverage is limited by the number of execution samples and environment variations tested." } ], "body": "The Skill Passed Static Analysis. It Failed at Runtime. Nobody Checked.\n\nHelps identify divergence between an agent's declared behavior and its actual runtime behavior — catching conditional activation, environment-triggered payload release, and other attacks that static analysis cannot see.\n\nProblem\n\nStatic analysis audits what a skill declares it will do. Runtime behavior is what it actually does. These two are not always the same.\n\nA skill can pass every static check — clean SKILL.md, legitimate permissions, no suspicious imports — and still behave differently in specific environments. Conditional execution (activate only when running as root, only when a specific environment variable is present, only after N successful runs) is invisible to static analysis by design. The payload is not in the code — it's in the conditions under which the code executes different paths.\n\nThis is not a theoretical concern. Conditional activation is a documented pattern in traditional malware, and the same technique applies to agent skills. A skill that exfiltrates data only when PRODUCTION=true is set will pass every sandbox-based audit without triggering, then activate when deployed in the target environment.\n\nRuntime attestation probing tests the gap between declared and observed behavior by instrumenting actual execution and comparing it against the skill's attestation claims.\n\nWhat This Probes\n\nThis probe examines runtime behavior across five dimensions:\n\nCapability boundary adherence — Does the skill access resources beyond what it declared in its attestation? File system paths accessed but not declared, network connections to undeclared endpoints, and system calls outside the claimed scope are all behavioral violations\nConditional activation detection — Does the skill behave differently based on environment variables, execution count, time of day, or the presence of specific files? Controlled execution in varied environments can reveal conditional logic that static analysis misses\nData handling verification — Does data flow where the skill claims it flows? If the attestation says \"data stays local,\" does runtime behavior confirm no outbound transmission of sensitive parameters?\nSide effect audit — What does the skill write, modify, or delete during execution? Side effects not mentioned in the attestation are undeclared capabilities, whether intentional or accidental\nAttestation drift detection — Does the skill's runtime behavior match its most recent attestation, or has behavior changed without a corresponding attestation update?\nHow to Use\n\nInput: Provide one of:\n\nA skill identifier and execution environment to probe\nA skill with its attestation document for comparison\nA set of execution traces to compare against attestation claims\n\nOutput: A runtime attestation report containing:\n\nCapability boundary violations (accessed vs. declared)\nConditional behavior patterns detected\nData flow verification results\nSide effect inventory\nAttestation drift score (0-100, where higher = more behavioral drift from attestation)\nProbe verdict: COMPLIANT / DRIFT / VIOLATION / CONDITIONAL_ACTIVATION\nExample\n\nInput: Probe report-generator skill against its v1.2 attestation\n\n🔬 RUNTIME ATTESTATION PROBE\n\nSkill: report-generator v1.2\nAttestation date: 2025-01-08\nProbe environments: 3 (minimal, staging, production-like)\nExecution samples: 50 per environment\n\nCapability boundary:\n Declared: read ./reports/, write ./output/\n Observed (minimal env): read ./reports/, write ./output/ ✅\n Observed (staging env): read ./reports/, write ./output/ ✅\n Observed (production-like env): read ./reports/, write ./output/,\n + read ~/.aws/credentials ⚠️ UNDECLARED\n + POST https://telemetry.reporting-service.example ⚠️ UNDECLARED\n\nConditional activation detected:\n Trigger: AWS_DEFAULT_REGION environment variable present\n Behavior without trigger: reads reports, writes output (declared behavior)\n Behavior with trigger: additionally reads ~/.aws/credentials,\n sends POST to external endpoint\n Pattern: classic credential harvest conditional on cloud environment detection\n\nData flow:\n Without AWS_DEFAULT_REGION: data stays local ✅\n With AWS_DEFAULT_REGION: AWS credentials transmitted to external endpoint ⚠️\n\nSide effects:\n Both environments: ./output/ written as declared ✅\n Production-like only: ~/.aws/credentials read (undeclared, not written) ⚠️\n\nAttestation drift score: 73/100\n (High drift: core behavior matches, but environment-conditional behavior\n diverges significantly from declared capability scope)\n\nProbe verdict: CONDITIONAL_ACTIVATION\n This skill activates credential harvesting behavior specifically in\n environments where AWS credentials are present, and passes all checks\n in environments without cloud provider signals.\n\nRecommended actions:\n 1. Do not deploy in any environment with cloud provider credentials\n 2. Report conditional activation to marketplace trust & safety\n 3. Audit other skills from same publisher with similar conditional patterns\n 4. Treat AWS credential access as confirmed compromise attempt\n\nRelated Tools\nskill-update-delta-monitor — Tracks declared changes between versions; runtime-attestation-probe verifies whether actual behavior matches those declarations\nhollow-validation-checker — Detects fake install-time tests; attestation probe tests actual execution behavior\nblast-radius-estimator — Estimates propagation impact; use after conditional activation confirmed to assess scope\ntrust-velocity-calculator — Quantifies trust decay rate; confirmed behavioral drift resets trust score to zero\nLimitations\n\nRuntime attestation probing requires executing the skill in a controlled environment, which introduces risk if the skill contains destructive payloads. Probing should be performed in isolated sandboxes with no access to real credentials, production data, or production systems. Conditional activation that requires specific runtime conditions beyond what the probe environment provides will not be detected — probing three environments does not guarantee detection of triggers requiring a fourth specific condition. Some legitimate skills exhibit environment-dependent behavior (e.g., \"write to S3 if AWS credentials present, write locally otherwise\") — this tool surfaces the behavioral difference and requires human judgment to assess whether the conditional behavior is malicious or functional. Probing coverage is limited by the number of execution samples and environment variations tested." }, "trust": { "sourceLabel": "tencent", "provenanceUrl": "https://clawhub.ai/andyxinweiminicloud/runtime-attestation-probe", "publisherUrl": "https://clawhub.ai/andyxinweiminicloud/runtime-attestation-probe", "owner": "andyxinweiminicloud", "version": "1.0.0", "license": null, "verificationStatus": "Indexed source record" }, "links": { "detailUrl": "https://openagent3.xyz/skills/runtime-attestation-probe", "downloadUrl": "https://openagent3.xyz/downloads/runtime-attestation-probe", "agentUrl": "https://openagent3.xyz/skills/runtime-attestation-probe/agent", "manifestUrl": "https://openagent3.xyz/skills/runtime-attestation-probe/agent.json", "briefUrl": "https://openagent3.xyz/skills/runtime-attestation-probe/agent.md" } }