ClawHub

wachaimandates

v1.0.2

Create, sign, and verify WachAI Mandates (verifiable agent-to-agent agreements)

1· 1.9k·2 current·2 all-time
by@akshat-mishra101
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (create/sign/verify mandates + XMTP transport) align with the instructions: CLI usage, signing, local wallet storage, and XMTP send/receive. Requiring 'node' and an npm package is expected for a Node CLI.
Instruction Scope
SKILL.md focuses on mandate lifecycle and XMTP transport. It instructs installing the WachAI CLI, initializing a local wallet, creating/signing/verifying mandates, and sending/receiving via XMTP. It does not instruct reading unrelated system files or exfiltrating data.
Install Mechanism
This is an instruction-only skill (no install spec). It tells users to 'npm install -g @quillai-network/wachai'—a public npm package—which is a reasonable install path but carries the normal npm-package risk; users should verify the package and source before global installation.
Credentials
The skill declares no required env vars, but documents optional overrides (WACHAI_STORAGE_DIR, WACHAI_WALLET_PATH) and a legacy WACHAI_PRIVATE_KEY. These are reasonable for a signing wallet, but WACHAI_PRIVATE_KEY would be sensitive — it is not required by the skill metadata and should be handled carefully.
Persistence & Privilege
always is false. The skill expects to store wallet.json and mandates under ~/.wachai by default (or a user-specified storage dir). Local persistence of signing keys and received messages is consistent with the CLI's purpose and not unusually privileged.
Assessment
This skill appears internally consistent, but before installing and using it: 1) Verify the npm package and its source (review the GitHub repo / package contents) before running npm install -g. 2) Protect private keys: avoid exporting WACHAI_PRIVATE_KEY on shared systems; prefer the local wallet file and secure filesystem permissions. 3) Be aware the CLI will persist wallet.json and received XMTP messages to disk (default ~/.wachai or whatever you set in WACHAI_STORAGE_DIR) — choose a secure location. 4) XMTP receive will open a network/listener pattern and will store incoming messages; only accept mandates from trusted peers. 5) If you want to allow autonomous agent use, make sure you trust the skill and review the CLI behavior; the skill is not always-enabled by default. If you are unsure, inspect the published npm package source code before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk9705sdb7h6c0kvm736z3g3bt580hkvn

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🤝 Clawdis
Binsnode

Comments