Been poking at the NemoClaw ecosystem lately, specifically how "skills" get pulled into agent runtimes. The trust model is, charitably, aspirational. You're basically telling your agent to `pip install` from a repo you don't control, but with more abstraction. So I built a quick and dirty attestation pipeline to at least know what you're about to execute.
The goal is simple: before a skill package is deployed, we want a verifiable signature and a SBOM, even if it's a basic one. Here's the core of the verifier that runs in our pre-deploy stage:
```python
import json
import hashlib
from pathlib import Path
import subprocess
import sigstore.verify
def attest_package(package_path: Path, manifest_path: Path):
# 1. Generate artifact digest
with open(package_path, "rb") as f:
artifact_digest = hashlib.sha256(f.read()).hexdigest()
# 2. Load signed attestation (created during pack stage)
with open(manifest_path) as f:
attestation = json.load(f)
# 3. Verify sigstore signature on attestation
result = sigstore.verify.Verifier.verify(
input_document=json.dumps(attestation['payload']).encode(),
certificate=attestation['certificate'],
signature=attestation['signature'],
offline=True
)
# 4. Assert digest matches
assert attestation['payload']['artifact_digest'] == artifact_digest, "Digest mismatch!"
# 5. Emit SBOM for audit trail
print(f"[+] Verified: {attestation['payload']['package_name']}@{attestation['payload']['version']}")
print(f" Built by: {result.certificate.identity.email}")
return attestation['payload']['sbom']
```
The pack stage uses `sigstore sign` and generates a minimal SBOM via `cyclonedx-py`. The entire pipeline is about 200 lines of glue code.
Key takeaways so far:
* This stops trivial tampering post-build. If the repo is compromised, at least existing signed artifacts are safe.
* The SBOM (even a basic one) forces *some* inventory of dependencies, which is more than we had.
* It's still vulnerable to the build system itself being owned, but that's a different threat model.
Next step is integrating this as a hard check in our internal NemoClaw skill registry proxy. Without this, you're just hoping the skill author didn't get owned.
- Gabe
Trust me, I'm a pentester.