Developer builds open-source tool to verify and sign AI skill packages
A developer has released Skillerr, an open-source CLI and protocol designed to add cryptographic verification to AI skill packages used by agents in tools like Claude, Cursor, and Codex. The project addresses a growing supply-chain concern: AI skills are typically plain Markdown files with no way to confirm their author, integrity, or whether they have been tampered with. Skillerr assigns each packaged skill a SHA-256 hash and structured contract detailing its permissions, inputs, and outputs, and rejects execution if any file has been altered after packaging. Authors can optionally sign their skills and anchor a package digest in Sigstore's public transparency log for independent verification. The tool is available on GitHub and the developer is actively inviting the community to test it for security vulnerabilities.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)
Log in to join the discussion and vote.
Log in