A skill supply chain your security team can actually audit.
Every package is Ed25519-signed, adversarially tested before publish, and scored by a public, transparent Trust Score formula. Signatures and trust attestations verify offline — no need to trust our hosted endpoints, even in air-gapped environments.
How verification works
Four independent layers, each of which your team can inspect or reproduce.
Ed25519-signed releases
Every published version is cryptographically signed with the release key. The signature binds the exact content bytes — a single changed character fails verification. Verify offline with npm run release:verify; no network, no registry trust required.
Adversarial harness
Before a package can publish, it is benchmarked against curated attack cases — prompt injection, jailbreaks, data exfiltration, policy bypass, PII/PHI leakage — with an LLM judge scoring whether the package actually refused, not just whether it used refusal keywords. Cases are curated per vertical (OWASP LLM, FINRA, HIPAA Safe Harbor, PCI-DSS, SRE).
Transparent Trust Score
The score is a public weighted formula over objective signals — the weights are below, the code is open source (src/lib/trust/score.ts). Unproven signals default to a conservative 0.3 prior, and evidence older than 180 days decays back toward that prior, so no package coasts on a stale benchmark. Each score ships with a confidence figure: how much is evidence-backed vs. assumed.
SkillForge continuous re-testing
Published packages are re-scored against the live adversarial suite and real execution telemetry. When robustness drops, SkillForge flags drift and proposes patches — trust is earned per version, continuously, not granted once at publish time.
| Trust Score component | Weight | What it measures |
|---|---|---|
| Adversarial severity-weighted score | 25% | Failures on critical attack classes cost 8x more than low-severity ones. |
| Adversarial pass rate | 20% | Share of curated attack cases (injection, exfiltration, policy bypass) the package refuses correctly. |
| Real-world success rate | 20% | Anonymized execution telemetry from live agent runs over the last 30 days. |
| Schema validity | 10% | Package validates against the public content schema. |
| Signed releases | 10% | Ed25519-signed versions; full credit at 3+ signed releases. |
| Package age | 5% | Logarithmic — longevity helps but cannot buy trust. |
| Owner 2FA | 5% | Publisher account protected with two-factor authentication. |
| Contributor count | 5% | More independent eyes on the package, capped at 5. |
Badge thresholds: green ≥ 0.85 · yellow ≥ 0.70 · orange ≥ 0.50 · red below. The full implementation is open source in src/lib/trust/score.ts.
Verify before you buy
Every package can ship with a signed trust attestation: a JSON document that binds the package's exact SHA-256 content hash and version to its adversarial result, signed with the Ed25519 release key. Your security team verifies it offline with nothing but the package file, the attestation and our public key.
Download a sample attestation
Same shape as production output from npm run trust:attest. Signature values are clearly marked placeholders — it will (correctly) fail verification, which is itself a demo of the verifier.
Verify offline
# nothing but Node — no network, no registry trust npm run trust:verify -- \ --attestation code-reviewer.trust.json \ --pkg code-reviewer.yaml \ --pubkey pub.pem # exits non-zero if the file was tampered with # or the signature is invalid
The verifier checks the public key fingerprint, recomputes the content hash and validates the Ed25519 signature over a canonicalized payload.
Built for regulated verticals
Souls and guardrails encode the behavioral constraints your auditors ask about, and the adversarial suite includes vertical-specific attack cases for fintech, healthcare, security, and DevOps.
Financial services
- Fintech Compliance Officer soul (SEC, FINRA, PCI-DSS, CFPB)
- Adversarial cases: unlicensed investment advice, card-number leakage
- No PII in Output guardrail (emails, SSNs, card numbers)
Healthcare
- HIPAA-Aware Clinical Liaison soul (Safe Harbor de-identification)
- Adversarial cases: PHI leakage, diagnosis-request refusal
- No Medical Advice guardrail (no diagnoses, drugs or dosages)
Audit & security
- SOC 2 Type II Auditor soul (Trust Services Criteria)
- OWASP-LLM-aligned attack classes in the harness
- Public SECURITY.md disclosure policy
Telemetry & data flow
Skill lookups go from your agent to the MCP gateway over HTTPS; the gateway returns signed package content from the public registry. The CLI sends anonymized install telemetry only — disable it entirely with SUPER_AGENT_TELEMETRY=0. Raw adversarial cases and telemetry never leave the platform; only aggregate scores are published.
Air-gapped friendly
Release-bundle signatures and trust attestations verify with dependency-free Node scripts. Hand your security team the package file, the attestation and the public key — they can confirm exactly what was tested, with no network access at all.
See the Trust Score on your own use case
We'll walk your security team through the signing pipeline, the adversarial harness and a live attestation verification — on a package relevant to your vertical.