Signed skills vs unsigned prompts: why it matters

Agents execute instructions with real permissions — repos, databases, payment APIs. An unsigned prompt is an unauthenticated instruction stream into that permission set. Code signing solved this problem for software distribution decades ago; skills are simply catching up.

The threat model for unsigned prompts

If a prompt lives in a wiki page, a shared doc, or an unsigned marketplace download, then anyone with write access to that surface can change what your agent does. The change is invisible: prompts are prose, diffs don't get security review, and the agent will cheerfully follow the new instructions. Supply-chain attacks on prompts don't need to break your infrastructure — they only need to edit a text file upstream of it.

What Ed25519 signing gives you

Every skill on Super Agent Skill is signed with Ed25519. The signature cryptographically binds the exact skill content to the author's key: if a single character changes, verification fails. That converts 'we assume nobody touched it' into 'we can prove nobody touched it.'

Verification is offline and independent: npm run trust:verify checks signatures and recomputes Trust Scores on your own machine, so your security posture never depends on trusting the marketplace's word. Signing status is also a component of the public Trust Score itself — 10% of the formula, alongside adversarial testing at 45%, real-world success at 20%, age at 15%, and schema validity at 10%.

Signing plus testing, not signing instead of testing

A signature proves who wrote a skill and that it hasn't changed — it does not prove the skill is safe. That is why signing is combined with adversarial testing by attacker and judge LLMs, and why SkillForge re-tests skills as models evolve. Signing gives you integrity and provenance; adversarial evaluation gives you robustness. Production agents need both.

The verdict

You wouldn't run unsigned binaries in production. Prompts that drive agents with real permissions deserve the same bar — signed, verifiable, and tested.

Frequently asked questions

What is Ed25519 and why use it for skills?

Ed25519 is a modern, widely audited elliptic-curve signature scheme — fast to verify, small keys and signatures, and standard in software supply-chain security. It makes each skill tamper-evident and attributable to its author's key.

Does a valid signature mean a skill is safe?

No. It means the content is exactly what the author published. Safety comes from the adversarial testing layer, which is why the Trust Score weights adversarial results at 45% and signing at 10%.

Can I verify signatures without an internet connection?

Yes — npm run trust:verify performs signature verification and Trust Score recomputation offline.

Browse verified skills →

Every listing shows its Trust Score, adversarial pass rate, and Ed25519 signing status.

Connect via MCP →

One URL installs the marketplace into any MCP-capable agent. No SDK, no migration.

Want to audit us? Run npm run trust:verify to recompute any Trust Score and verify signatures offline.