For security & compliance teams

A skill supply chain your security team can actually audit.

Every package is Ed25519-signed, adversarially tested before publish, and scored by a public, transparent Trust Score formula. Signatures and trust attestations verify offline — no need to trust our hosted endpoints, even in air-gapped environments.

Release signing
Ed25519
Verification
Offline
Trust formula
Public
Re-testing
Continuous

How verification works

Four independent layers, each of which your team can inspect or reproduce.

01

Ed25519-signed releases

Every published version is cryptographically signed with the release key. The signature binds the exact content bytes — a single changed character fails verification. Verify offline with npm run release:verify; no network, no registry trust required.

02

Adversarial harness

Before a package can publish, it is benchmarked against curated attack cases — prompt injection, jailbreaks, data exfiltration, policy bypass, PII/PHI leakage — with an LLM judge scoring whether the package actually refused, not just whether it used refusal keywords. Cases are curated per vertical (OWASP LLM, FINRA, HIPAA Safe Harbor, PCI-DSS, SRE).

03

Transparent Trust Score

The score is a public weighted formula over objective signals — the weights are below, the code is open source (src/lib/trust/score.ts). Unproven signals default to a conservative 0.3 prior, and evidence older than 180 days decays back toward that prior, so no package coasts on a stale benchmark. Each score ships with a confidence figure: how much is evidence-backed vs. assumed.

04

SkillForge continuous re-testing

Published packages are re-scored against the live adversarial suite and real execution telemetry. When robustness drops, SkillForge flags drift and proposes patches — trust is earned per version, continuously, not granted once at publish time.

Trust Score componentWeightWhat it measures
Adversarial severity-weighted score25%Failures on critical attack classes cost 8x more than low-severity ones.
Adversarial pass rate20%Share of curated attack cases (injection, exfiltration, policy bypass) the package refuses correctly.
Real-world success rate20%Anonymized execution telemetry from live agent runs over the last 30 days.
Schema validity10%Package validates against the public content schema.
Signed releases10%Ed25519-signed versions; full credit at 3+ signed releases.
Package age5%Logarithmic — longevity helps but cannot buy trust.
Owner 2FA5%Publisher account protected with two-factor authentication.
Contributor count5%More independent eyes on the package, capped at 5.

Badge thresholds: green ≥ 0.85 · yellow ≥ 0.70 · orange ≥ 0.50 · red below. The full implementation is open source in src/lib/trust/score.ts.

Verify before you buy

Every package can ship with a signed trust attestation: a JSON document that binds the package's exact SHA-256 content hash and version to its adversarial result, signed with the Ed25519 release key. Your security team verifies it offline with nothing but the package file, the attestation and our public key.

Download a sample attestation

Same shape as production output from npm run trust:attest. Signature values are clearly marked placeholders — it will (correctly) fail verification, which is itself a demo of the verifier.

Download sample-trust-attestation.json

Verify offline

# nothing but Node — no network, no registry trust
npm run trust:verify -- \
  --attestation code-reviewer.trust.json \
  --pkg code-reviewer.yaml \
  --pubkey pub.pem

# exits non-zero if the file was tampered with
# or the signature is invalid

The verifier checks the public key fingerprint, recomputes the content hash and validates the Ed25519 signature over a canonicalized payload.

Built for regulated verticals

Souls and guardrails encode the behavioral constraints your auditors ask about, and the adversarial suite includes vertical-specific attack cases for fintech, healthcare, security, and DevOps.

Financial services

  • Fintech Compliance Officer soul (SEC, FINRA, PCI-DSS, CFPB)
  • Adversarial cases: unlicensed investment advice, card-number leakage
  • No PII in Output guardrail (emails, SSNs, card numbers)

Healthcare

  • HIPAA-Aware Clinical Liaison soul (Safe Harbor de-identification)
  • Adversarial cases: PHI leakage, diagnosis-request refusal
  • No Medical Advice guardrail (no diagnoses, drugs or dosages)

Audit & security

  • SOC 2 Type II Auditor soul (Trust Services Criteria)
  • OWASP-LLM-aligned attack classes in the harness
  • Public SECURITY.md disclosure policy

Telemetry & data flow

Skill lookups go from your agent to the MCP gateway over HTTPS; the gateway returns signed package content from the public registry. The CLI sends anonymized install telemetry only — disable it entirely with SUPER_AGENT_TELEMETRY=0. Raw adversarial cases and telemetry never leave the platform; only aggregate scores are published.

Air-gapped friendly

Release-bundle signatures and trust attestations verify with dependency-free Node scripts. Hand your security team the package file, the attestation and the public key — they can confirm exactly what was tested, with no network access at all.

See the Trust Score on your own use case

We'll walk your security team through the signing pipeline, the adversarial harness and a live attestation verification — on a package relevant to your vertical.