350,000 Skills, Zero Cryptographic Trust — Introducing MT Skill Verification

The Skill Explosion

AI agent skills — small, composable units of capability that agents load at runtime — have become the building blocks of the agent economy. Skill marketplaces host a rapidly growing catalog of agent capabilities. The growth rate is significant, but no standardized integrity verification exists for any of them.

Agents don't install skills like traditional software. They fetch them at runtime from URLs — a SKILL.md file describing what the skill does, what tools it uses, and how to invoke it. There is no compilation step. No build pipeline. No review board. A skill published at 2:00 PM can be running inside a thousand agents by 2:01 PM.

The problem: none of this is verified. No hashing. No signatures. No integrity checks. It's the equivalent of installing npm packages without a lockfile — except the packages are executable prompts running inside agents with tool access.

Static analysis checks across security dimensions — prompt injection strings, data exfiltration patterns, scope violations, capability mismatches, external ingestion, format validity, and metadata completeness.

What Can Go Wrong

When skills have no cryptographic identity, every agent that loads one is making a trust assumption that cannot be verified. Here are the four categories of risk we identified:

Prompt Injection (-40 pts)

Regex scan for known injection strings — "ignore previous instructions", "DAN mode", system prompt markers. Catches obvious patterns, not obfuscated variants.

Data Exfiltration (-30 pts)

Scans for known data exfiltration patterns — suspicious TLDs, webhook URLs, "send to" directives. Pattern-based, not behavioral analysis.

Scope Violations (-20 pts)

Flags known system access patterns (os.system, subprocess, eval, sudo, rm -rf) when declared capabilities are narrow. Keyword matching, not execution tracing.

Supply Chain Tampering

Author pushes a clean version, gets listed and trusted, then silently injects malicious code in a later update. No diff. No alert. No hash change tracked.

Traditional software has package managers with checksums, code signing, and vulnerability databases. The AI skill ecosystem has none of this. MT Skill Verification fills that gap.

How MT Skill Verification Works

The verification pipeline is designed to be simple, deterministic, and cryptographically anchored at every step.

Submit URL

Fetch SKILL.md

→

7-Check Analysis

Score 0–100

→

VC Issued

sha256 + Ed25519

Submit a skill URL. MoltGuard fetches the SKILL.md, runs automated static analysis across 7 security dimensions, scores it 0–100, and — if it passes — issues a VerifiedSkillCredential binding the author, the content hash, and the audit results into a W3C Verifiable Credential.

The Canonical Hash

Verification starts with identity, and for a skill, identity is its content. But content can vary in invisible ways — BOM markers, line endings, trailing whitespace, Unicode normalization forms. Two files that look identical can produce different hashes.

MT Skill Verification solves this with the SKILL_HASH_SPEC — a deterministic normalization pipeline:

Strip BOM — remove UTF-8 byte order mark if present
Normalize line endings — convert \r\n and \r to \n
Trim whitespace — strip trailing whitespace from every line
Collapse blanks — reduce consecutive blank lines to a single blank line
NFC normalize — apply Unicode NFC normalization
SHA-256 — hash the normalized content

# Canonical hash output format
sha256:ea33b11c4f8a7b2d9e1c6f5a3d8b0e7c2f4a6d9b1e3c5f7a9d2b4e6c8f0a3d5

# Same content → same hash. Always.
# Any change → different hash → verification fails.

This is the foundation everything else builds on. The hash is the skill's fingerprint. It goes into the Verifiable Credential, into the audit record, and into the verification endpoint. Same content produces the same hash. Always. Any change — even a single added space — produces a different hash, and verification fails.

The 7-Check Static Analysis

Every skill submitted for verification goes through an automated audit that checks eight dimensions of safety and quality. Each check has a severity level and a point deduction if it fails.

Check	Severity	Deduction
Prompt injection patterns	Critical	-40
Data exfiltration indicators	Critical	-30
Tool scope violations	High	-20
Capability-content mismatch	High	-15
External data ingestion risk	Medium	-10
Format validity	Low	-5
Metadata completeness	Low	-5/field

Every skill starts at 100 points. Deductions are applied for each failed check. The passing threshold is 70/100 — skills below this score do not receive a VerifiedSkillCredential. The full breakdown is returned in the audit response so authors can fix issues and resubmit.

The audit is deterministic: the same content always produces the same score. No LLM randomness. No subjective judgment. Pattern matching and static analysis only.

Note: Static analysis catches known patterns. It does not replace dynamic testing or manual review.

VerifiedSkillCredential

Skills that pass the audit receive a VerifiedSkillCredential — a W3C Verifiable Credential that cryptographically binds the skill's identity to its audit results.

The credential encodes:

Author DID — the skill author's decentralized identifier
Skill hash — the canonical SHA-256 hash of the SKILL.md content
Audit score — the 0–100 score from the static analysis
Audit details — which checks passed and which failed
Timestamp — when the audit was performed
Validity period — 90 days from issuance

Every credential is signed with Ed25519 using JWS compact serialization. It can be verified by hash (does this exact content have a valid credential?) or by DID (has this author's skill been verified?).

Agents and marketplaces can verify any skill's integrity in one API call. No trust assumptions. No platform lock-in. Fetch the SKILL.md, compute the canonical hash, call the verify endpoint. If the hash matches a valid VerifiedSkillCredential, the skill is safe to load.

API Endpoints

MT Skill Verification exposes three core endpoints. All are free during Early Access.

Audit a Skill

# Submit a skill for audit
curl -X POST https://api.moltrust.ch/guard/skill/audit \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://example.com/skills/my-skill/SKILL.md"
  }'

# Returns: score, hash, audit details, pass/fail

Verify a Skill

# Verify by canonical hash
curl -X POST https://api.moltrust.ch/guard/skill/verify \
  -H "Content-Type: application/json" \
  -d '{
    "hash": "sha256:ea33b11c4f8a7b2d..."
  }'

# Returns: credential status, score, expiry, author DID

Issue a VerifiedSkillCredential

# Issue VC for a passing skill
curl -X POST https://api.moltrust.ch/guard/skill/issue \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://example.com/skills/my-skill/SKILL.md",
    "authorDID": "did:key:z6Mkf5rG..."
  }'

# Returns: signed VerifiedSkillCredential (W3C VC, JWS proof)

Full API documentation is available at /skill/info.

What's Next

MT Skill Verification is live today, but this is the beginning. Here's the roadmap:

Marketplace integration (planned) — skill marketplaces could embed verification badges and reject unverified skills at the registry level. No integrations are live yet.
Automated re-audit on content changes — webhook-triggered re-verification when a skill's SKILL.md is updated, with automatic credential revocation if the new version fails.
Reputation scoring for skill authors — aggregate VC history into an author trust score. Authors who consistently publish clean, verified skills build reputation. Authors with revocations lose it.

The agent economy cannot scale on blind trust. Every skill loaded at runtime is an attack surface. MT Skill Verification makes that surface auditable, hashable, and cryptographically verifiable.

Start Verifying Skills Today

All audit endpoints are free during Early Access. No signup, no API key.

Explore the API →

MT Skill Verification is built by MolTrust (CryptoKRI GmbH, Zurich) — trust infrastructure for the agent economy. Follow @MolTrust on X for updates.