Secure Skills for OpenClaw
Discover, publish, and install verified AI skills with cryptographic signatures, automated security scanning, and transparent permission models.
$ skillport install data-pipeline@1.2.0
✓ Checksums verified
✓ Author signature valid (key: a3f2...8d1c)
✓ Platform signature valid
✓ Security scan passed (risk: 3/100)
Permissions: Network(none) | FS(read: ./data) | Exec(none)
Installed to ~/.openclaw/skills/acme/data-pipeline/
Security at Every Step
From export to install, SkillPort enforces a fail-closed security model. No shortcuts, no compromises.
Cryptographic Security
Every package is signed with Ed25519. Author signatures verified on upload, platform signatures added after scanning. Checksums validated on install.
Automated Security Scanning
5 detection engines scan for secrets, malware, PII, obfuscation, and unauthorized network access. Shannon entropy analysis catches unknown secrets.
Transparent Permissions
Every skill declares its network, filesystem, execution, and integration permissions. Users see exactly what a skill can access before installing.
CLI-First Workflow
Export, scan, sign, verify, install, and publish — all from a single `skillport` command. Designed for developers and AI agents alike.
AI Agent API (MCP)
AI assistants can search, evaluate, and install skills programmatically through our MCP server. Built for the agentic era.
Risk Scoring
Every skill gets a 0-100 risk score based on severity-weighted findings. Danger flags are prominently displayed so users can make informed decisions.
How It Works
Three components, one secure pipeline. From author to user, every step is verified.
Export
SkillPort Exporter
Package your skill with security scanning, secret detection, and automatic manifest generation. Sign it with your Ed25519 key.
Publish
SkillPort Market
Upload your signed package. Our platform runs an independent security scan and adds a platform signature for double verification.
Install
SkillPort Installer
Users verify both signatures, review permissions and danger flags, and run a local re-scan before installing. Full transparency.
Popular Skills
Verified, scanned, and ready to install.
Data Pipeline Builder
by acme-tools
Automated ETL pipeline generator for common data sources
Git Summary Reporter
by devflow
Generate beautiful summaries of recent git activity
Slack Notifier
by notifyhq
Send formatted notifications to Slack channels
Code Reviewer AI
by ai-assist
AI-powered code review with security focus
Config Manager
by sysops
Manage and sync configuration across environments
Doc Generator
by docflow
Auto-generate API documentation from TypeScript source
One CLI, Full Control
The skillport CLI handles the entire lifecycle. Export skills securely, scan for vulnerabilities, sign with your keys, and install with confidence.
skillport initGenerate signing key pairskillport export ./skill -o out.sspPackage with scan + signskillport scan ./skillRun security analysisskillport install skill@1.0.0Verify + scan + installskillport dry-run out.sspPre-flight diagnostics$ skillport scan ./my-skill
Scanning directory: ./my-skill
SCAN PASSED
Risk Score: 5/100 | Scanned: 8 files | Issues: 2
Issues by severity:
medium: 1
low: 1
Details:
[MEDIUM] External HTTP request via fetch()
scripts/sync.ts:12 (NET001)
Fix: Declare the domain in permissions.network.domains
[LOW] HTTP client library usage detected
scripts/sync.ts:1 (NET005)
Ready to Ship Secure Skills?
Install the CLI, generate your keys, and publish your first skill to SkillPort Market in minutes.