350,000 Skills, Zero Cryptographic Trust — Introducing MT Skill Verification

The Skill Explosion

AI agent skills — small, composable units of capability that agents load at runtime — have become the building blocks of the agent economy. SkillsMP alone hosts over 350,000 skills, with SkillHub contributing another 7,000+. The growth rate is staggering: 10x year-over-year, with no sign of slowing down.

Agents don't install skills like traditional software. They fetch them at runtime from URLs — a SKILL.md file describing what the skill does, what tools it uses, and how to invoke it. There is no compilation step. No build pipeline. No review board. A skill published at 2:00 PM can be running inside a thousand agents by 2:01 PM.

The problem: none of this is verified. No hashing. No signatures. No integrity checks. It's the equivalent of installing npm packages without a lockfile — except the packages are executable prompts running inside agents with tool access.

5.2%

Percentage of skills found to contain malicious patterns in a 42,000-skill study — prompt injection, data exfiltration, scope violations, and supply chain tampering.

What Can Go Wrong

When skills have no cryptographic identity, every agent that loads one is making a trust assumption that cannot be verified. Here are the four categories of risk we identified:

Prompt Injection (-40 pts)

Skill embeds "ignore previous instructions" or similar directives to hijack the agent's behavior, overriding safety guardrails and redirecting actions.

Data Exfiltration (-30 pts)

Skill sends conversation history, user data, or API keys to external URLs. Often disguised as "analytics" or "logging" endpoints.

Scope Violations (-20 pts)

Skill claims to be "text formatting" but uses child_process, sudo, or filesystem access — capabilities far beyond its stated purpose.

Supply Chain Tampering

Author pushes a clean version, gets listed and trusted, then silently injects malicious code in a later update. No diff. No alert. No hash change tracked.

Traditional software has package managers with checksums, code signing, and vulnerability databases. The AI skill ecosystem has none of this. MT Skill Verification fills that gap.

How MT Skill Verification Works

The verification pipeline is designed to be simple, deterministic, and cryptographically anchored at every step.

Submit URL

Fetch SKILL.md

→

8-Point Audit

Score 0–100

→

VC Issued

sha256 + Ed25519

Submit a skill URL. MoltGuard fetches the SKILL.md, runs an automated 8-point security audit, scores it 0–100, and — if it passes — issues a VerifiedSkillCredential binding the author, the content hash, and the audit results into a W3C Verifiable Credential.

The Canonical Hash

Verification starts with identity, and for a skill, identity is its content. But content can vary in invisible ways — BOM markers, line endings, trailing whitespace, Unicode normalization forms. Two files that look identical can produce different hashes.

MT Skill Verification solves this with the SKILL_HASH_SPEC — a deterministic normalization pipeline:

Strip BOM — remove UTF-8 byte order mark if present
Normalize line endings — convert \r\n and \r to \n
Trim whitespace — strip trailing whitespace from every line
Collapse blanks — reduce consecutive blank lines to a single blank line
NFC normalize — apply Unicode NFC normalization
SHA-256 — hash the normalized content

# Canonical hash output format
sha256:ea33b11c4f8a7b2d9e1c6f5a3d8b0e7c2f4a6d9b1e3c5f7a9d2b4e6c8f0a3d5

# Same content → same hash. Always.
# Any change → different hash → verification fails.

This is the foundation everything else builds on. The hash is the skill's fingerprint. It goes into the Verifiable Credential, into the audit record, and into the verification endpoint. Same content produces the same hash. Always. Any change — even a single added space — produces a different hash, and verification fails.

The 8-Point Security Audit

Every skill submitted for verification goes through an automated audit that checks eight dimensions of safety and quality. Each check has a severity level and a point deduction if it fails.

Check	Severity	Deduction
Prompt injection patterns	Critical	-40
Data exfiltration indicators	Critical	-30
Tool scope violations	High	-20
Capability-content mismatch	High	-15
External data ingestion risk	Medium	-10
Format validity	Low	-5
Metadata completeness	Low	-5/field

Every skill starts at 100 points. Deductions are applied for each failed check. The passing threshold is 70/100 — skills below this score do not receive a VerifiedSkillCredential. The full breakdown is returned in the audit response so authors can fix issues and resubmit.

The audit is deterministic: the same content always produces the same score. No LLM randomness. No subjective judgment. Pattern matching and static analysis only.

VerifiedSkillCredential

Skills that pass the audit receive a VerifiedSkillCredential — a W3C Verifiable Credential that cryptographically binds the skill's identity to its audit results.

The credential encodes:

Author DID — the skill author's decentralized identifier
Skill hash — the canonical SHA-256 hash of the SKILL.md content
Audit score — the 0–100 score from the 8-point audit
Audit details — which checks passed and which failed
Timestamp — when the audit was performed
Validity period — 90 days from issuance

Every credential is signed with Ed25519 using JWS compact serialization. It can be verified by hash (does this exact content have a valid credential?) or by DID (has this author's skill been verified?).

Agents and marketplaces can verify any skill's integrity in one API call. No trust assumptions. No platform lock-in. Fetch the SKILL.md, compute the canonical hash, call the verify endpoint. If the hash matches a valid VerifiedSkillCredential, the skill is safe to load.

API Endpoints

MT Skill Verification exposes three core endpoints. All are free during Early Access.

Audit a Skill

# Submit a skill for audit
curl -X POST https://api.moltrust.ch/guard/skill/audit \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://example.com/skills/my-skill/SKILL.md"
  }'

# Returns: score, hash, audit details, pass/fail

Verify a Skill

# Verify by canonical hash
curl -X POST https://api.moltrust.ch/guard/skill/verify \
  -H "Content-Type: application/json" \
  -d '{
    "hash": "sha256:ea33b11c4f8a7b2d..."
  }'

# Returns: credential status, score, expiry, author DID

Issue a VerifiedSkillCredential

# Issue VC for a passing skill
curl -X POST https://api.moltrust.ch/guard/skill/issue \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://example.com/skills/my-skill/SKILL.md",
    "authorDID": "did:key:z6Mkf5rG..."
  }'

# Returns: signed VerifiedSkillCredential (W3C VC, JWS proof)

Full API documentation is available at /skill/info.

What's Next

MT Skill Verification is live today, but this is the beginning. Here's the roadmap:

Integration with major skill marketplaces — SkillsMP, SkillHub, and other platforms can embed verification badges and reject unverified skills at the registry level.
Automated re-audit on content changes — webhook-triggered re-verification when a skill's SKILL.md is updated, with automatic credential revocation if the new version fails.
Reputation scoring for skill authors — aggregate VC history into an author trust score. Authors who consistently publish clean, verified skills build reputation. Authors with revocations lose it.

The agent economy cannot scale on blind trust. Every skill loaded at runtime is an attack surface. MT Skill Verification makes that surface auditable, hashable, and cryptographically verifiable.

Start Verifying Skills Today

All audit endpoints are free during Early Access. No signup, no API key.

Explore the API →

MT Skill Verification is built by MolTrust (CryptoKRI GmbH, Zurich) — trust infrastructure for the agent economy. Follow @MolTrust on X for updates.