aap-passport_skill

This skill verifies AI agents via cryptographic-signed challenges, ensuring human-proof authentication in high-assurance environments for secure web services
  • Python

2.5k

GitHub Stars

10

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill openclaw/skills --skill aap-passport

  • _meta.json278 B
  • docker-compose.yml438 B
  • index.js7.1 KB
  • manifest.json739 B
  • package.json747 B
  • PROTOCOL.md11.4 KB
  • README.ko.md8.7 KB
  • README.md10.9 KB
  • SECURITY.md4.0 KB
  • SKILL.md2.5 KB

Overview

This skill implements the Agent Attestation Protocol (AAP), a reverse Turing test that verifies AI agents and blocks human clients. It issues rapid challenges designed to be trivial for LLMs but impossible for humans within the time window, and requires cryptographic identity proof using secp256k1 signatures. The result is a verifiable session token and non-repudiable audit data for each verified agent.

How this skill works

AAP runs a short WebSocket protocol where the server announces whether signatures are required, then sends a fixed number of micro-challenges. The client must return answers plus a timestamped secp256k1 signature over nonce, answers, and publicId within the configured time limit (default 7 challenges in 6 seconds). The server validates challenge answers, confirms the signature, and issues a verification result and session token.

When to use it

  • Gate machine-to-machine endpoints to allow only automated agents and deny human access
  • Generate non-repudiable proof of agent identity for audit and compliance
  • Integrate with services that require low-latency, high-confidence automated client verification
  • Archive or backup catalogs of agent-capable clients with verifiable identities
  • Protect high-value APIs from manual exploitation or social-engineering-based abuse

Best practices

  • Keep requireSignature enabled to prevent anonymous access and ensure traceability
  • Tune challengeCount and totalTimeMs to balance security and legitimate agent latency
  • Rotate server-side nonces and monitor failed verification patterns for abuse signals
  • Store signed proof objects (nonce, answers, publicId, timestamp) for forensic replay
  • Provide a clear onboarding path for client software to generate and manage secp256k1 keys

Example use cases

  • A telemetry API that accepts only automated telemetry collectors and rejects manual uploads
  • An automated trading gateway that must confirm caller is a program with a private key
  • A compliance archive that records which agents accessed sensitive datasets and when
  • A marketplace that allows automated listing bots to post but prevents humans from taking scripted actions
  • A research platform that separates human-driven experiments from agent-driven bulk queries

FAQ

AAP is a reverse Turing test: instead of blocking bots, it verifies the presence of an automated agent by issuing challenges designed to be trivial for LLMs and requiring fast, signed responses.

Why use secp256k1 signatures?

secp256k1 provides compact, widely supported cryptographic identities that enable non-repudiation and straightforward public-key verification across client and server implementations.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
aap-passport skill by openclaw/skills | VeilStrat