Typed contract, not freeform prose
Every skill declares its intent, triggers, inputs and outputs, ordered steps, required permissions, and verification checks โ so the same package means the same thing to every agent and host.
Package a skill once as a sealed .skill, content-addressed, cryptographically signed, and independently verifiable before anyone runs it. Create, inspect, sign, and run portable .skill packages for AI agents, the integrity and provenance layer on top of your SKILL.md.
The Agent Skills ecosystem has three layers, and skillerr owns the third, complementary to the other two, not competing with either:
| Layer | Job | Who |
|---|---|---|
| Authoring | Defines the SKILL.md format itself | Agent Skills spec |
| Distribution | Installs a skill onto your machine | vercel-labs/skills, skills.sh |
| Trust / integrity | Seals, signs, records provenance, lets you inspect before you run | skillerr |
npx skills add owner/repo installs unverified instructions and executable scripts from any repo, with no integrity or provenance check. Distribution tools install a skill; skillerr lets you verify one, its integrity, issuer, and provenance, before you run it.
No telemetry, no tracking. skillerr makes no network calls unless you explicitly opt in (--transparency, --keyless, --online).
npm i -g skillerrNode โฅ 20. skillerr is the reference CLI (bin: skill).
Humans install once, then direct your agent:
npm i -g skillerr # reference CLI, bin: skillAgents start by reading their own instructions:
skill agent-guide # the exact create / inspect / handoff protocolSimplest โ just ask
npm i -g skillerr
Then tell your AI:
"Use skillerr to turn this conversation into a .skill I can reuse."Inspect before run
Inspect ./file.skill TrustView without executing. Validate, then dry-run.
Summarize trust warnings. Do not execute for real unless I ask.More starters: Getting started ยท Convert a SKILL.md ยท Evaluate & score ยท Agents ยท Workflows ยท Full CLI reference
A skill is only as trustworthy as your ability to verify it. .skill gives every skill a verifiable identity, provable authorship, and independently checkable provenance, the same guarantees the software supply chain now expects, applied to AI skills.
| Pillar | What it gives you |
|---|---|
| Identity | Content-addressed skill_id and SHA-256 package_digest/manifest_digest. Change one byte after sealing and the identity changes. |
| Authorship | A configured Ed25519 issuer key (verified_issuer), or an OIDC identity bound with Sigstore Fulcio keyless signing, both using the standard DSSE attestation envelope. |
| Provenance | The sealed digest anchored to the public Sigstore Rekor transparency log, verified offline against the log's signed tree head by default, with a search.sigstore.dev link so anyone can check independently. |
| Assurance | --claims splits every field into verified (crypto-checked) and self_reported (asserted), two separate arrays, never blurred together. |
No telemetry, no tracking. skillerr makes no network calls unless you explicitly opt in (--transparency, --keyless, --online).
Trust is explicit and layered, you choose how much you need, and verifiers can always tell which rung a package sits on:
skill keygen + --signer-key); verifiers who pin your key get cryptographic proof of authorship and integrity.--transparency, and/or Fulcio keyless OIDC via --keyless), independently verifiable by anyone without trusting the tool.Anchoring is orthogonal to trust state and always additive, an anchored package can still be development or self-reported trust. Inclusion is not endorsement: logging a package proves auditability, not goodness. A seal proves who issued a package and that it hasn't changed, never that the skill is correct or safe. See Trust & security.
The primitives that make a .skill verifiable are, by design, a foundation a future ownership layer could build on: on-chain provenance, programmable royalties for skill authors, decentralized skill marketplaces. This is deliberate architecture, not a promise of features.
ledger anchor kind alongside the shipped ones; no ledger-anchoring implementation exists yet, it's a tracked roadmap item, addable without breaking existing packages.What this is not, today: skillerr does not mint tokens, issue NFTs, or move value. "Minting" a .skill creates a cryptographic attestation, not a financial instrument. On-chain ownership is a roadmap extension point, not a shipped feature, and it will always be optional, never required to author, verify, or run a skill. Nothing here is investment advice or a claim of future value.
.skill โexample.skill
โโโ skill.json # manifest, digests, profile, completeness
โโโ workflow.json # runnable steps
โโโ knowledge/ # pinned decisions / rules
โโโ provenance/ # redacted journey + generation_usage
โโโ signatures/ # mint attestation (release)SKILL.md vs. sealed .skill โBare SKILL.md | Sealed .skill | |
|---|---|---|
| Structure | Freeform prose | Typed contract: intent, triggers, I/O, steps, permissions, verification |
| Integrity | None | Content-addressed id + SHA-256 digests; tamper-evident |
| Trust before run | None | Inspect seal, issuer, and verified-vs-self-reported claims without executing |
| Authorship | None | Development โ verified-issuer โ publicly anchored, your choice |
| Handoff | Copy the chat | Continuity package: typed, redacted, resumable |
| Surface | Role |
|---|---|
skillerr | Reference CLI |
@skillerr/protocol | SkillContract, schemas, types |
@skillerr/core | Compile, pack, validate, mint |
@skillerr/runtime | Inspect / dry-run / execute |
@skillerr/workspace | Local .skill/ working tree |
@skillerr/registry | Optional local transparency log |
Agent Skills specification (authoring format) ยท vercel-labs/skills (npx skills add, distribution) ยท skills.sh (directory) ยท Claude Code skills docs