OpenClaw

Skill details (on-site mirror, no comments)

AAP Passport

Agent Attestation Protocol - The Reverse Turing Test. Verify AI agents, block humans.

Development & DevOps

License: MIT-0

MIT-0 · Free to use, modify, and redistribute. No attribution required.

Version: v3.2.0

Stats: ⭐ 1 · 2.1k · 1 current installs · 1 all-time installs

Package:aap-passport

Security scan (ClawHub)

  • VirusTotal: benign
  • OpenClaw: suspicious

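OpenClaw assessment

This package implements an AI-only attestation scheme and includes signing tools that read and write a local private identity, but the skill metadata does not declare the need for sensitive local key access and signing capability (which could be abused).

Purpose

The name and description (Agent Attestation Protocol / Reverse Turing Test) match the code and documentation: server and client libraries, a challenge generator, and signature-based proofs. Nothing in the code obviously contradicts the stated purpose of verifying AI agents.

Instruction scope

SKILL.md instructs installing and using the client/server libraries to generate signed proofs, which is in scope. However, the repo/docs/code expect a local identity (private key) stored at ~/.aap/identity.json and provide tools (aap_sign_message/aap_generate_proof) to sign arbitrary payloads. The skill metadata declares no required config paths or credentials, so there is a mismatch: the runtime instructions and the included code assume a local…

Install mechanism

There is no external install spec (instructions only), and all source files are included in the skill package. The manifest contains no downloads from unknown URLs and no extraction steps. The typical npm packages referenced are standard (express, etc.).

Credentials

The skill metadata lists no environment variables or config paths, but the documentation and code explicitly use a local key store (~/.aap/identity.json) and cryptographic signing (secp256k1). Requesting or using a private key file is a sensitive permission; it is not declared in requires.config, so it is disproportionate to what the manifest advertises. The client exposes programmatic signing, which could be abused if the model or a user invokes it……

Persistence

always: false, with model invocation allowed (the default). This combination is normal, but because the skill exposes signing functionality and expects/stores a long-lived private key on disk, an automatically invoked skill could sign data or generate signatures without explicit, careful user oversight. The skill does not claim to modify other skills, but its ability to access and use a local private key is a sensitive, persistent capability.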

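Install (copy to Lobster AI)

Copy the entire block below into a Lobster Chinese Library conversation; Lobster will complete the installation by following SKILL.md.

Please hand this block to the Lobster Chinese Library (Lobster AI) to execute: install the OpenClaw skill "AAP Passport" on this machine. Summary: Agent Attestation Protocol - The Reverse Turing Test. Verify AI agents, block humans.
Please fetch the following address to read SKILL.md and complete the installation as documented: https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/ira-hash/aap-passport/SKILL.md
(Source: yingzhi8.cn skill library)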

SKILL.md


---
name: aap
version: 3.2.0
description: Agent Attestation Protocol - The Reverse Turing Test. Verify AI agents, block humans.
homepage: https://github.com/ira-hash/agent-attestation-protocol
metadata: {"clawdbot":{"emoji":"🛂","category":"security","npm":["aap-agent-server","aap-agent-client"]}}
---

# AAP - Agent Attestation Protocol

**The Reverse Turing Test.** CAPTCHAs block bots. AAP blocks humans.

## What It Does

AAP verifies that a client is an AI agent by:
- Issuing challenges that are trivial for LLMs but impossible for humans to complete in time
- Requiring a cryptographic signature (secp256k1) as identity proof
- Enforcing 7 challenges in 6 seconds with mandatory signing

## Installation

```bash
npm install aap-agent-server  # Server
npm install aap-agent-client  # Client
```

## Server Usage

```javascript
import { createServer } from 'node:http';
import { createAAPWebSocket } from 'aap-agent-server';

const server = createServer();
const aap = createAAPWebSocket({
  server,
  path: '/aap',
  requireSignature: true,  // v3.2 default
  onVerified: (result) => console.log('Verified:', result.publicId)
});

server.listen(3000);
```

## Client Usage

```javascript
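import { AAPClient, generateIdentity, createSolver } from 'aap-agent-client';

// Identity auto-generated (secp256k1 key pair)
const client = new AAPClient({
  serverUrl: 'ws://localhost:3000/aap'
});

// NOTE: `solver` is not defined in this snippet. It is the challenge solver
// and must be built (e.g. with the imported createSolver) before verify() is called.
const result = await client.verify(solver);
// Signature automatically included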
```

## Protocol Flow (WebSocket v3.2)

```
← handshake (requireSignature: true)
→ ready (publicKey)
← challenges (7 challenges)
→ answers + signature + timestamp
← result (verified/failed + sessionToken)
```

## Signature Format

Proof data signed with secp256k1:
```javascript
JSON.stringify({ nonce, answers, publicId, timestamp })
```
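
How a verifier can check a proof of this shape, as an added example that is not code from aap-agent-server or aap-agent-client. It assumes ECDSA over secp256k1 with SHA-256 and DER-encoded signatures via Node's built-in `crypto`; `proofBytes`, `signProof`, `verifyProof`, `demo` and the `session` object are hypothetical names, and the sample values are constructed.

```javascript
// Added example, not aap-agent-server code. Assumed: ECDSA/SHA-256, DER signatures.
const crypto = require('node:crypto');

const TOTAL_TIME_MS = 6000; // totalTimeMs default from the Configuration table

// Fixed field order so signer and verifier serialize byte-identical JSON.
function proofBytes({ nonce, answers, publicId, timestamp }) {
  return Buffer.from(JSON.stringify({ nonce, answers, publicId, timestamp }));
}

// Client side: sign the serialized proof with the secp256k1 private key.
function signProof(proof, privateKey) {
  return crypto.sign('sha256', proofBytes(proof), privateKey);
}

// Server side: accept only the issued nonce, once, inside the time window,
// and only if the signature covers exactly these answers.
function verifyProof(proof, signature, publicKey, session, now = Date.now()) {
  if (proof.nonce !== session.nonce) return 'nonce-mismatch';
  if (session.used) return 'replayed';
  if (now - session.issuedAt > TOTAL_TIME_MS) return 'expired';
  if (Math.abs(now - proof.timestamp) > TOTAL_TIME_MS) return 'stale-timestamp';
  if (!crypto.verify('sha256', proofBytes(proof), publicKey, signature)) return 'bad-signature';
  session.used = true; // one proof per issued nonce
  return 'verified';
}

// Constructed sample run: tampered answers, late answer, valid proof, replay.
function demo() {
  const { privateKey, publicKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
  const issuedAt = 1_700_000_000_000; // constructed challenge issue time (ms)
  const session = { nonce: crypto.randomBytes(16).toString('hex'), issuedAt, used: false };
  const proof = { nonce: session.nonce, answers: ['a1', 'a2'],
                  publicId: 'agent-demo', timestamp: issuedAt + 1500 };
  const sig = signProof(proof, privateKey);
  const tampered = { ...proof, answers: ['a1', 'changed'] };
  return {
    tampered: verifyProof(tampered, sig, publicKey, session, issuedAt + 2000),
    late: verifyProof(proof, sig, publicKey, session, issuedAt + 7000),
    ok: verifyProof(proof, sig, publicKey, session, issuedAt + 2000),
    replay: verifyProof(proof, sig, publicKey, session, issuedAt + 2500),
  };
}

console.log(demo());
```

Because the signed bytes come from `JSON.stringify`, both sides must build the object with the same key order; a different order produces different bytes and a failed verification.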

## Configuration

| Option | Default | Description |
|--------|---------|-------------|
| `challengeCount` | 7 | Number of challenges |
| `totalTimeMs` | 6000 | Time limit (ms) |
| `requireSignature` | true | Mandate cryptographic proof |

## Security

- Cryptographic identity (secp256k1)
- Signature required = no anonymous access
- 7 challenges in 6 seconds = impossible for humans
- Non-repudiation: all actions traceable

## Links

- [GitHub](https://github.com/ira-hash/agent-attestation-protocol)
- [npm: aap-agent-server](https://www.npmjs.com/package/aap-agent-server)
- [npm: aap-agent-client](https://www.npmjs.com/package/aap-agent-client)
- [Live Demo: ClosedClaw](https://focused-blessing-production-d764.up.railway.app/)