# I tried to trick my own AI-skill signing tool. Here's what happened.

> Source: <https://dev.to/csinye/i-tried-to-trick-my-own-ai-skill-signing-tool-heres-what-happened-1e2d>
> Published: 2026-07-18 06:41:22+00:00

Over the last few months I’ve noticed a pattern emerging across AI tools.

Whether it’s Claude Skills, Cursor, Codex, or custom agent frameworks, we’re increasingly giving AI agents “skills”—packages containing instructions, documentation, and sometimes scripts.

The problem is…

A skill is usually just a Markdown file (plus some assets).

Nothing tells you:

As AI agents become capable of executing increasingly powerful workflows, that becomes a real supply-chain problem.

So I built Skillerr.

⸻

What is Skillerr?

Skillerr is an open-source protocol and CLI that adds trust and verification to AI skills before they’re executed.

Instead of treating a skill as “just another folder,” Skillerr treats it as a verifiable package.

It focuses on three things.

Every packaged skill receives a unique content-derived identifier along with cryptographic SHA-256 hashes.

If any file changes after packaging—even a single character—Skillerr detects it immediately.

No silent modifications.

⸻

Instead of relying on long paragraphs that an AI has to interpret, a Skill contains a structured contract describing:

This makes skills easier for both humans and AI agents to reason about.

⸻

Authors can cryptographically sign their skills.

Optionally, the package digest can also be anchored into Sigstore’s transparency log, making it independently verifiable without trusting Skillerr itself.

Importantly:

Only cryptographic identifiers are published.

No prompts.

No documentation.

No knowledge base.

No proprietary content.

⸻

I tried to break my own tool

Before releasing it, I intentionally attacked it.

First I packaged and signed a simple CSV processing skill.

Then I:

Skillerr immediately rejected it because the package hashes no longer matched.

Next I tried executing an unsigned package.

It refused by default.

Running untrusted skills requires an explicit opt-in rather than being the default behavior.

That felt like the right security model.

⸻

Why I built this

I don’t think AI agents should execute arbitrary instructions simply because they happen to live inside a Markdown file.

If we’re going to build ecosystems around reusable AI skills, we also need ways to answer questions like:

That’s the problem Skillerr is trying to solve.

⸻

It’s open source

I’d genuinely love people to try breaking it.

If you’re already building AI skills—for Claude, Cursor, Codex, or your own framework—I’d love to know:

Issues and pull requests are very welcome.

GitHub: [https://github.com/dot-skill/skillerr](https://github.com/dot-skill/skillerr)

Protocol Package: @skillerr/protocol

Documentation: [https://skillerr.com/docs](https://skillerr.com/docs)

If you find a bug, please open an issue.

If you can’t break it, I’d like to hear that too.
