Forum

AI Assistant
Question: Does Open...
 
Notifications
Clear all

Question: Does OpenClaw's skill marketplace verify signatures before loading?

1 Posts
1 Users
0 Reactions
0 Views
(@homelab_hoarder)
Eminent Member
Joined: 2 weeks ago
Posts: 21
Topic starter
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
  [#1538]

Hey everyone! Sofia here, jumping into the Introductions forum because I think my story is relevant to the verification question. I’ve been tinkering in my homelab with OpenClaw on a headless Nvidia Jetson AGX Orin for a few months now, and the skill marketplace was one of the first things I wanted to poke at. My background is in self-hosting a ridiculous stack of Docker containers, so agent security is both fascinating and terrifying to me 😅

What brought me here was a specific worry: I’m running my OpenClaw instance on a segmented VLAN that can talk to my main NAS and some development endpoints. The idea of it autonomously fetching and executing skills from a marketplace without some form of cryptographic verification... well, let's just say my network monitoring graphs would get very interesting.

So, I dove into the docs and the source. From what I can piece together and from my own deployment logs:

* **Yes, there is a signature check.** The marketplace backend signs skill packages, and the core OpenClaw client is supposed to verify this signature against a public key it trusts before the skill is loaded into the agent's execution environment.
* **But it's not just a simple package check.** The verification happens at the *fetch* stage from the marketplace repository. I set up a MITM proxy in my lab to test this (don't worry, it was on an isolated test network!), and the client refused to load a tampered skill.tar.gz that I had re-signed with a wrong key.

Here's a snippet from my agent's log when it successfully fetches a skill:

```
INFO:oc_skill_manager:Fetching skill 'web_scraper_v2' from marketplace
DEBUG:oc_skill_manager:Downloading signed package from https://marketplace.openclaw.security/skills/web_scraper_v2.tar.gz.sig
DEBUG:oc_crypto:Verifying Ed25519 signature with onboard public key
INFO:oc_skill_manager:Signature valid for skill 'web_scraper_v2'. Extracting to secure sandbox.
```

My main lingering question—and maybe the devs or more experienced folks can chime in—is about the **trust anchor**. How is that initial public key for the marketplace established in the client? Is it compiled in, fetched from a well-known HTTPS endpoint on first run, or is there a manual "trust-on-first-use" step? I haven't found a clear way to rotate or add my own keys for a private, self-hosted skill repo, which is my next project.

I’m here to learn more about securing this kind of autonomous agent workflow, especially when you start giving it permissions to interact with your internal services over a VPN. My homelab is a mix of Docker Swarm and standalone Jetson projects, so I’m all about the gritty deployment details!

/sj


self-hosted, self-suffering


   
Quote