Get the FREE Ultimate OpenClaw Setup Guide →
S

Arc Security - Agent Trust Protocol

Scanned

@Shaivpidadi

npx machina-cli add skill @Shaivpidadi/arc-security --openclaw
Files (1)
SKILL.md
4.9 KB

Arc Security - Agent Trust Protocol

Chain-agnostic security infrastructure for OpenClaw skills. Auditors stake USDC to vouch for skill safety, users pay micro-fees to access verified skills, and malicious skills get slashed through decentralized governance -- all powered by CCTP on Arc.

Installation

clawhub install arc-security

Configuration

Set the following environment variables:

VariableRequiredDescription
ARC_RPC_URLYesArc testnet RPC endpoint (default: https://testnet-rpc.arc.network)
CONTRACT_ADDRESSYesDeployed SkillSecurityRegistry contract address
PRIVATE_KEYYesWallet private key (for signing transactions)
X402_SERVER_URLYesx402 payment server URL
ETH_RPC_URLNoEthereum Sepolia RPC (for cross-chain operations)
BASE_RPC_URLNoBase Sepolia RPC (default: https://sepolia.base.org)
ARB_RPC_URLNoArbitrum Sepolia RPC (default: https://sepolia-rollup.arbitrum.io/rpc)

Commands

check -- Check skill trust status

Query on-chain bond status, auditor count, usage stats, and computed trust score for any skill.

clawhub arc-security check <skill_id>

Example output:

Skill: youtube-downloader
├─ Bonded: 100.00 USDC by 3 auditors
├─ Used: 1,250 times
├─ Trust Score: 75/100
├─ Status: Safe to use
└─ Created: 2025-06-15 14:30:00

Trust Score is calculated as:

  • 40% from bond amount (capped at 100 USDC = full weight)
  • 40% from usage count (capped at 1,000 uses = full weight)
  • 20% from auditor count (5 points per auditor)
  • Flagged skills receive a -50 penalty

use -- Pay and download a skill

Pays the 0.10 USDC usage fee via x402 and downloads the skill package. Automatically selects the cheapest payment path based on your wallet balances.

clawhub arc-security use <skill_id>

Payment chain selection priority:

  1. Arc Testnet (direct -- no bridging fees)
  2. Base Sepolia (via CCTP)
  3. Arbitrum Sepolia (via CCTP)
  4. Ethereum Sepolia (via CCTP)

bond -- Stake USDC to vouch for a skill

Stake USDC as a security bond to vouch for a skill's safety. If the skill is found malicious, 50% of your stake is slashed.

clawhub arc-security bond <skill_id> <amount> <source_chain>

Arguments:

  • skill_id -- Skill identifier
  • amount -- Amount of USDC to stake (e.g. 50)
  • source_chain -- Chain to pay from (ethereum-sepolia, base-sepolia, arbitrum-sepolia, arc-testnet)

Example:

clawhub arc-security bond youtube-downloader 50 base-sepolia

report -- Report a malicious skill

Submit a claim that a skill is malicious. Requires a 1 USDC anti-spam deposit (refunded if the claim is validated).

clawhub arc-security report <skill_id> --evidence <ipfs_hash>

Example:

clawhub arc-security report bad-skill --evidence QmXyz123...

Opens a 72-hour voting window for auditors.

vote-claim -- Vote on a pending claim

Cast a vote on whether a reported skill is malicious. Only wallets that have staked on any skill are eligible to vote. Vote weight is based on total stake and audit track record.

clawhub arc-security vote-claim <claim_id> <support|oppose>

Vote weight formula: sqrt(totalStaked) * (successfulAudits / totalAudits)

claim-earnings -- Withdraw accumulated fees

Withdraw your share of usage fees earned as an auditor. Fees are split 70% to auditors (proportional to stake) and 30% to the insurance pool.

clawhub arc-security claim-earnings <destination_chain>

Supported destination chains:

  • arc-testnet (direct transfer)
  • ethereum-sepolia, base-sepolia, arbitrum-sepolia (via CCTP)

Supported Chains

ChainCCTP DomainPaymentBondingEarnings
Arc Testnet100DirectDirectDirect
Ethereum Sepolia0CCTPCCTPCCTP
Base Sepolia6CCTPCCTPCCTP
Arbitrum Sepolia3CCTPCCTPCCTP

Fee Structure

ActionCostDistribution
Use a skill0.10 USDC70% auditors, 30% insurance pool
Submit a claim1.00 USDC depositRefunded if claim validated
Guilty verdict50% of bond slashed80% to victim, 20% to insurance

Architecture

User (any chain)
  │
  ├── CCTP burn ──► Arc Testnet ──► SkillSecurityRegistry (bonds, fees, claims)
  │                                        │
  └── x402 GET ──► Payment Server ◄────────┘ (verifies payment on-chain)
                       │
                       └──► Skill package (ZIP)
  1. SkillSecurityRegistry (Solidity on Arc) -- Holds bonds, processes fees, manages claims/votes/slashing
  2. x402 Payment Server (Node.js) -- Serves skill packages behind HTTP 402 paywall, verifies on-chain payments
  3. This skill (Python CLI) -- User-facing commands that orchestrate CCTP transfers and contract calls

License

MIT

Source

git clone https://clawhub.ai/Shaivpidadi/arc-securityView on GitHub

Overview

Arc Security provides chain-agnostic security for OpenClaw skills by having auditors stake USDC to vouch for safety, while users pay micro-fees to access verified skills. Malicious skills are slashed through decentralized governance, all powered by CCTP on Arc. This creates a transparent, incentive-aligned trust layer for skill usage.

How This Skill Works

Auditors stake USDC to vouch for a skill's safety. Verified skills earn trust scores based on bond, usage, and auditor counts, while malicious skills can be slashed via governance. Users pay small fees to access skills, with cross-chain payments routed through CCTP-enabled paths.

When to Use It

  • Query the trust status of a skill to decide whether to trust and use it
  • Pay a micro-fee to download and use a verified skill from Arc
  • Stake USDC to bond and vouch for a skill's safety
  • Submit a claim to report a suspected malicious skill with IPFS evidence
  • Withdraw earnings as an auditor from usage fees

Quick Start

  1. Step 1: clawhub install arc-security
  2. Step 2: Set ARC_RPC_URL, CONTRACT_ADDRESS, PRIVATE_KEY, and X402_SERVER_URL (plus optional ETH_RPC_URL, BASE_RPC_URL, ARB_RPC_URL) in your environment
  3. Step 3: Run commands such as `clawhub arc-security check <skill_id>`, `clawhub arc-security bond <skill_id> <amount> <source_chain>`, or `clawhub arc-security use <skill_id>`

Best Practices

  • Regularly check the on-chain bond status, auditor counts, and trust score before using a skill
  • Only bond with credible skills and keep track of your stake across source chains
  • Provide clear evidence when reporting malicious skills to accelerate validation
  • Securely manage your wallet private key and avoid exposing it in unsecured environments
  • Understand the payment path order (Arc Testnet, Base Sepolia, Arbitrum Sepolia, Ethereum Sepolia) to optimize costs

Example Use Cases

  • A user runs clawhub arc-security check youtube-downloader to verify safety before use
  • A user runs clawhub arc-security use youtube-downloader to pay 0.10 USDC and download the package
  • An auditor bonds 50 USDC on the youtube-downloader skill from base-sepolia
  • A researcher submits a malicious-skill report with an IPFS hash and 1 USDC deposit
  • An auditor withdraws earnings via clawhub arc-security claim-earnings arc-testnet

Frequently Asked Questions

Add this skill to your agents
Sponsor this space

Reach thousands of developers