Skip to content

Open .skill ProtocolThe trust layer for Agent Skills.

Seal, verify, and prove provenance for the skills your agents run. .skill doesn't replace your SKILL.md, it wraps it in a typed contract, an integrity seal, and provenance, so the same skill keeps working everywhere Agent Skills are supported, and gains inspect-before-run trust on top.

Where skillerr fits โ€‹

The Agent Skills ecosystem has three layers, and skillerr owns the third, complementary to the other two, not competing with either:

LayerJobWho
AuthoringDefines the SKILL.md format itselfAgent Skills spec
DistributionInstalls a skill onto your machinevercel-labs/skills, skills.sh
Trust / integritySeals, signs, records provenance, lets you inspect before you runskillerr

npx skills add owner/repo installs unverified instructions and executable scripts from any repo, with no integrity or provenance check. Distribution tools install a skill; skillerr lets you verify one, its integrity, issuer, and provenance, before you run it.

No telemetry, no tracking. skillerr makes no network calls unless you explicitly opt in (--transparency, --keyless, --online).

Install once โ€‹

bash
npm i -g skillerr

Node โ‰ฅ 20. skillerr is the reference CLI (bin: skill).

Getting started โ€‹

Humans install once, then direct your agent:

bash
npm i -g skillerr        # reference CLI, bin: skill

Agents start by reading their own instructions:

bash
skill agent-guide        # the exact create / inspect / handoff protocol

Simplest โ€” just ask

text
npm i -g skillerr

Then tell your AI:
"Use skillerr to turn this conversation into a .skill I can reuse."

Inspect before run

text
Inspect ./file.skill TrustView without executing. Validate, then dry-run.
Summarize trust warnings. Do not execute for real unless I ask.

More starters: Getting started ยท Convert a SKILL.md ยท Evaluate & score ยท Agents ยท Workflows ยท Full CLI reference

The trust ladder โ€‹

Trust is explicit and layered โ€” you choose how much you need, and verifiers can always tell which rung a package sits on:

  1. Development โ€” sealed for local iteration. Clearly labeled, never mistaken for production trust.
  2. Verified issuer โ€” signed with your Ed25519 key; verifiers who pin your key get cryptographic proof of authorship and integrity.
  3. Publicly anchored โ€” the sealed digest is logged to a public transparency log (sigstore's Rekor/Fulcio), independently verifiable by anyone without trusting the tool.

A seal proves who issued a package and that it hasn't changed โ€” never that the skill is correct or safe. See What is verifiable.

What's in a .skill โ€‹

text
example.skill
โ”œโ”€โ”€ skill.json           # manifest, digests, profile, completeness
โ”œโ”€โ”€ workflow.json        # runnable steps
โ”œโ”€โ”€ knowledge/           # pinned decisions / rules
โ”œโ”€โ”€ provenance/          # redacted journey + generation_usage
โ””โ”€โ”€ signatures/          # mint attestation (release)

Bare SKILL.md vs. sealed .skill โ€‹

Bare SKILL.mdSealed .skill
StructureFreeform proseTyped contract: intent, triggers, I/O, steps, permissions, verification
IntegrityNoneContent-addressed id + SHA-256 digests; tamper-evident
Trust before runNoneInspect seal, issuer, and verified-vs-self-reported claims without executing
AuthorshipNoneDevelopment โ†’ verified-issuer โ†’ publicly anchored, your choice
HandoffCopy the chatContinuity package: typed, redacted, resumable

Reference packages โ€‹

SurfaceRole
skillerrReference CLI
@skillerr/protocolSkillContract, schemas, types
@skillerr/coreCompile, pack, validate, mint
@skillerr/runtimeInspect / dry-run / execute
@skillerr/workspaceLocal .skill/ working tree
@skillerr/registryOptional local transparency log

Agent Skills ecosystem โ€‹

Agent Skills specification (authoring format) ยท vercel-labs/skills (npx skills add, distribution) ยท skills.sh (directory) ยท Claude Code skills docs

Open .skill Protocol โ€” 1.0.0 (Stable) ยท skillerr CLI v1.0.3 ยท MIT