On-Chain Skill Audit

Scanned

@Emanz1

npx machina-cli add skill @Emanz1/onchain-skill-audit --openclaw
Files (1)
SKILL.md
3.1 KB

Skill Audit — On-Chain Provenance Registry

Commands

/check-skill <name>

Look up on-chain provenance for a skill before installing.

  1. Read all three tables (registry, audits, vouches) for the given skill ID
  2. Compute trust level from audit verdicts
  3. Display: trust badge, author, hash, version, audit history, vouch count

/audit-skill <name> <severity>

Submit an audit verdict (requires IQ tokens in wallet). Severities: S (secure), L (low), M (medium), H (high), C (critical). Optionally run ZeroLeaks first and inscribe the full report via codeIn.

/vouch-skill <name> [score]

Community endorsement. Score 1-5 (default 5).

/register-skill <path>

Register a local skill with on-chain hash.

  1. Read skill.md at given path
  2. Normalize and SHA-256 hash the content
  3. Write registration row with short hash (first 8 hex chars)

Trust Badges

  • MALICIOUS: BLOCK installation, warn user
  • FLAGGED: Strong warning
  • CAUTIONED: Mild warning
  • VERIFIED: Green checkmark
  • AUDITED: Has audits but not yet verified secure
  • REGISTERED: In registry, no audits yet
  • UNKNOWN: Not in registry — warn "no on-chain provenance"
  • Hash mismatch: Warn "content differs from registered version"

Implementation

Package: @rocketlabs/skill-audit

const { checkSkill, registerSkill, auditSkill, vouchForSkill, hashSkill } = require('@rocketlabs/skill-audit');

checkSkill({ connection, skillId, rpcUrl })

Returns: { trustLevel, skill, audits, vouches, summary }. Free (RPC read only, no SOL needed).

registerSkill({ connection, signer, skillId, author, shortHash, version, codeInTx, rpcUrl })

Writes to skill_registry table. Public — anyone can register.

auditSkill({ connection, signer, skillId, auditor, severity, categories, codeInTx, rpcUrl })

Writes to skill_audits table. IQ-token-gated — signer must hold IQ tokens. Severity: S/L/M/H/C. Categories: dir,enc,per,soc,tec,cre,mny,cot,pol,asc,ctx,sem,too,sir,ech

vouchForSkill({ connection, signer, skillId, voucher, score, rpcUrl })

Writes to skill_vouches table. Public — anyone can vouch. Score 1-5.

hashSkill(content)

Returns: { fullHash, shortHash } — SHA-256 of normalized content.

On-Chain Architecture

  • Program: 9KLLchQVJpGkw4jPuUmnvqESdR7mtNCYr3qS4iQLabs
  • DB Root ID: skill-audit
  • Tables: skill_registry (public), skill_audits (IQ-gated), skill_vouches (public)
  • Row limit: ~100 bytes. Full data via codeIn inscriptions.
  • Reads are free. Only writes cost SOL.
  • Append-only. No in-place updates. Version counter for re-registration.

Prerequisites

  • @iqlabs-official/solana-sdk v0.1.1+ (CommonJS required)
  • @solana/web3.js v1.x
  • Solana wallet for writes
  • IQ tokens for audit writes (token mint: 3uXACfojUrya7VH51jVC1DCHq3uzK4A7g469Q954LABS)
  • Buffer monkey-patch applied (handled automatically by the package)

Source

git clone https://clawhub.ai/Emanz1/onchain-skill-audit

Overview

Skill Audit provides an on-chain provenance registry for agent skills on Solana. It enables checking, registering, auditing, and vouching for skills to establish safety and provenance before installation. The system uses public tables (skill_registry, skill_audits, skill_vouches) and hash-based identity to prove provenance.

How This Skill Works

Users compute a normalized SHA-256 hash of skill content (hashSkill). Skills can be registered to the public registry (registerSkill), making an immutable on-chain record in skill_registry. Audits are IQ-token-gated (auditSkill) and contribute to trust levels, while community endorsements (vouchForSkill) provide additional validation. Reads are free, writes cost SOL, and the architecture is append-only with a version counter for re-registration.

When to Use It

  • Before installing a skill, to verify on-chain provenance via checkSkill.
  • When evaluating a new or updated skill for safety and trustworthiness.
  • When registering a local skill to establish its on-chain provenance.
  • When soliciting community audits or endorsements to bolster trust.
  • To verify that a local skill matches the on-chain registered version using hashSkill.

Quick Start

  1. Install and connect: npm i @rocketlabs/skill-audit; set up connection, signer, and rpcUrl.
  2. Compute hash: use hashSkill(content) to get fullHash and shortHash; prepare registerSkill parameters.
  3. Check provenance: call checkSkill({ connection, skillId, rpcUrl }) to view trust, audits, and vouches; proceed to register, audit, or vouch as needed.

Best Practices

  • Always read the registry, audits, and vouches tables for the target skill ID before installation.
  • Normalize skill content and compare the on-chain shortHash/fullHash with your local version using hashSkill.
  • If auditing, ensure the signer holds IQ tokens as required by auditSkill.
  • Use the trust level and audit history to decide whether to install or request more reviews.
  • Remember the system is append-only; expect version counters on re-registration and plan updates accordingly.
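
A pre-install gate that combines the Trust Badges policy with the local hash comparison described above. This is an added example, not code from @rocketlabs/skill-audit: the normalization rule, the action names, the skill.shortHash field name and the sample data are assumptions, and the check object only mimics the shape returned by checkSkill.

```javascript
const nodeCrypto = require('crypto');

// ASSUMPTION: the page does not define "normalized"; this stand-in converts
// CRLF/CR to LF, strips trailing whitespace per line and trims both ends.
function normalize(content) {
  return content.replace(/\r\n?/g, '\n').replace(/[ \t]+$/gm, '').trim();
}

// Local stand-in for the { fullHash, shortHash } shape of hashSkill(content).
function localHash(content) {
  const fullHash = nodeCrypto.createHash('sha256').update(normalize(content), 'utf8').digest('hex');
  return { fullHash, shortHash: fullHash.slice(0, 8) };
}

// Badge -> action, following the Trust Badges list (action names are hypothetical).
const POLICY = {
  MALICIOUS: 'block', FLAGGED: 'warn-strong', CAUTIONED: 'warn-mild',
  VERIFIED: 'allow', AUDITED: 'allow-unverified', REGISTERED: 'allow-unaudited',
  UNKNOWN: 'warn-no-provenance',
};

// Audit verdicts describe the registered content, so a good badge only
// carries over to the local file when the hashes agree.
function installDecision(check, localContent) {
  const action = POLICY[check.trustLevel] || 'warn-no-provenance';
  if (action === 'block') return { action, reason: 'audited as malicious' };
  if (!check.skill) return { action: 'warn-no-provenance', reason: 'no on-chain provenance' };
  const { shortHash } = localHash(localContent);
  if (String(check.skill.shortHash).toLowerCase() !== shortHash) {
    return { action: 'warn-hash-mismatch', reason: 'content differs from registered version' };
  }
  // 8 hex chars = 32 bits, so a prefix match is a weak check on its own.
  return { action, reason: `badge ${check.trustLevel}, short hash matches` };
}

// Constructed sample data: same text, different line endings and trailing spaces.
const REGISTERED = localHash('# Demo Skill\nDoes a thing.\n').shortHash;
const LOCAL_COPY = '# Demo Skill\r\nDoes a thing.  \r\n';
console.log(installDecision({ trustLevel: 'VERIFIED', skill: { shortHash: REGISTERED } }, LOCAL_COPY));
```
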

Example Use Cases

  • A security engineer checks a skill’s on-chain provenance with checkSkill before deployment.
  • A developer registers a new local skill by computing its hash and calling registerSkill.
  • An auditor submits a severity verdict (S/L/M/H/C) for a skill via auditSkill.
  • Community members vouch for a skill, adding a score through vouchForSkill.
  • An operator reviews the trust badge and audit history to confirm safe installation.
