Skip to content

Open .skill ProtocolThe cryptographic trust standard for AI skills.

Package a skill once as a sealed .skill, content-addressed, cryptographically signed, and independently verifiable before anyone runs it. Create, inspect, sign, and run portable .skill packages for AI agents, the integrity and provenance layer on top of your SKILL.md.

Where skillerr fits โ€‹

The Agent Skills ecosystem has three layers, and skillerr owns the third, complementary to the other two, not competing with either:

LayerJobWho
AuthoringDefines the SKILL.md format itselfAgent Skills spec
DistributionInstalls a skill onto your machinevercel-labs/skills, skills.sh
Trust / integritySeals, signs, records provenance, lets you inspect before you runskillerr

npx skills add owner/repo installs unverified instructions and executable scripts from any repo, with no integrity or provenance check. Distribution tools install a skill; skillerr lets you verify one, its integrity, issuer, and provenance, before you run it.

No telemetry, no tracking. skillerr makes no network calls unless you explicitly opt in (--transparency, --keyless, --online).

Install once โ€‹

bash
npm i -g skillerr

Node โ‰ฅ 20. skillerr is the reference CLI (bin: skill).

Getting started โ€‹

Humans install once, then direct your agent:

bash
npm i -g skillerr        # reference CLI, bin: skill

Agents start by reading their own instructions:

bash
skill agent-guide        # the exact create / inspect / handoff protocol

Simplest โ€” just ask

text
npm i -g skillerr

Then tell your AI:
"Use skillerr to turn this conversation into a .skill I can reuse."

Inspect before run

text
Inspect ./file.skill TrustView without executing. Validate, then dry-run.
Summarize trust warnings. Do not execute for real unless I ask.

More starters: Getting started ยท Convert a SKILL.md ยท Evaluate & score ยท Agents ยท Workflows ยท Full CLI reference

Cryptographic foundation โ€‹

A skill is only as trustworthy as your ability to verify it. .skill gives every skill a verifiable identity, provable authorship, and independently checkable provenance, the same guarantees the software supply chain now expects, applied to AI skills.

PillarWhat it gives you
IdentityContent-addressed skill_id and SHA-256 package_digest/manifest_digest. Change one byte after sealing and the identity changes.
AuthorshipA configured Ed25519 issuer key (verified_issuer), or an OIDC identity bound with Sigstore Fulcio keyless signing, both using the standard DSSE attestation envelope.
ProvenanceThe sealed digest anchored to the public Sigstore Rekor transparency log, verified offline against the log's signed tree head by default, with a search.sigstore.dev link so anyone can check independently.
Assurance--claims splits every field into verified (crypto-checked) and self_reported (asserted), two separate arrays, never blurred together.

No telemetry, no tracking. skillerr makes no network calls unless you explicitly opt in (--transparency, --keyless, --online).

The trust ladder โ€‹

Trust is explicit and layered, you choose how much you need, and verifiers can always tell which rung a package sits on:

  1. Development. Sealed for local iteration with the public dev HMAC key. Clearly labeled, never mistaken for production trust.
  2. Verified issuer. Signed with your configured Ed25519 key (skill keygen + --signer-key); verifiers who pin your key get cryptographic proof of authorship and integrity.
  3. Publicly anchored. The sealed digest is logged to a public transparency log (sigstore's Rekor via --transparency, and/or Fulcio keyless OIDC via --keyless), independently verifiable by anyone without trusting the tool.

Anchoring is orthogonal to trust state and always additive, an anchored package can still be development or self-reported trust. Inclusion is not endorsement: logging a package proves auditability, not goodness. A seal proves who issued a package and that it hasn't changed, never that the skill is correct or safe. See Trust & security.

Built to be verified today, and owned tomorrow โ€‹

The primitives that make a .skill verifiable are, by design, a foundation a future ownership layer could build on: on-chain provenance, programmable royalties for skill authors, decentralized skill marketplaces. This is deliberate architecture, not a promise of features.

  • Content-addressed identity already gives every skill a unique, tamper-evident id, the same reference primitive on-chain assets use to point at off-chain content.
  • Cryptographic authorship is already key-based (Ed25519, optionally Fulcio-bound OIDC identity), the same shape as wallet-based identity.
  • Pluggable anchors: the permanence-anchor slot is an open extension point. The wire format already reserves a ledger anchor kind alongside the shipped ones; no ledger-anchoring implementation exists yet, it's a tracked roadmap item, addable without breaking existing packages.
  • A neutral core: the spec has no marketplace, no token, and no commerce code, so any ownership layer could build on the verifiable foundation without the standard picking winners.

What this is not, today: skillerr does not mint tokens, issue NFTs, or move value. "Minting" a .skill creates a cryptographic attestation, not a financial instrument. On-chain ownership is a roadmap extension point, not a shipped feature, and it will always be optional, never required to author, verify, or run a skill. Nothing here is investment advice or a claim of future value.

What's in a .skill โ€‹

text
example.skill
โ”œโ”€โ”€ skill.json           # manifest, digests, profile, completeness
โ”œโ”€โ”€ workflow.json        # runnable steps
โ”œโ”€โ”€ knowledge/           # pinned decisions / rules
โ”œโ”€โ”€ provenance/          # redacted journey + generation_usage
โ””โ”€โ”€ signatures/          # mint attestation (release)

Bare SKILL.md vs. sealed .skill โ€‹

Bare SKILL.mdSealed .skill
StructureFreeform proseTyped contract: intent, triggers, I/O, steps, permissions, verification
IntegrityNoneContent-addressed id + SHA-256 digests; tamper-evident
Trust before runNoneInspect seal, issuer, and verified-vs-self-reported claims without executing
AuthorshipNoneDevelopment โ†’ verified-issuer โ†’ publicly anchored, your choice
HandoffCopy the chatContinuity package: typed, redacted, resumable

Reference packages โ€‹

SurfaceRole
skillerrReference CLI
@skillerr/protocolSkillContract, schemas, types
@skillerr/coreCompile, pack, validate, mint
@skillerr/runtimeInspect / dry-run / execute
@skillerr/workspaceLocal .skill/ working tree
@skillerr/registryOptional local transparency log

Agent Skills ecosystem โ€‹

Agent Skills specification (authoring format) ยท vercel-labs/skills (npx skills add, distribution) ยท skills.sh (directory) ยท Claude Code skills docs

Open .skill Protocol โ€” 1.0.0 (Stable) ยท skillerr CLI v1.2.0 ยท MIT