I tried to trick my own AI-skill signing tool. Here's what happened. A developer built Skillerr, an open-source protocol and CLI that adds trust and verification to AI skills before execution. The tool uses cryptographic hashing and signing to detect tampering, and the developer successfully tested it by attempting to break it. Skillerr is designed to address supply-chain security issues as AI agents increasingly rely on reusable skill packages. Over the last few months I’ve noticed a pattern emerging across AI tools. Whether it’s Claude Skills, Cursor, Codex, or custom agent frameworks, we’re increasingly giving AI agents “skills”—packages containing instructions, documentation, and sometimes scripts. The problem is… A skill is usually just a Markdown file plus some assets . Nothing tells you: As AI agents become capable of executing increasingly powerful workflows, that becomes a real supply-chain problem. So I built Skillerr. ⸻ What is Skillerr? Skillerr is an open-source protocol and CLI that adds trust and verification to AI skills before they’re executed. Instead of treating a skill as “just another folder,” Skillerr treats it as a verifiable package. It focuses on three things. Every packaged skill receives a unique content-derived identifier along with cryptographic SHA-256 hashes. If any file changes after packaging—even a single character—Skillerr detects it immediately. No silent modifications. ⸻ Instead of relying on long paragraphs that an AI has to interpret, a Skill contains a structured contract describing: This makes skills easier for both humans and AI agents to reason about. ⸻ Authors can cryptographically sign their skills. Optionally, the package digest can also be anchored into Sigstore’s transparency log, making it independently verifiable without trusting Skillerr itself. Importantly: Only cryptographic identifiers are published. No prompts. No documentation. No knowledge base. No proprietary content. ⸻ I tried to break my own tool Before releasing it, I intentionally attacked it. First I packaged and signed a simple CSV processing skill. Then I: Skillerr immediately rejected it because the package hashes no longer matched. Next I tried executing an unsigned package. It refused by default. Running untrusted skills requires an explicit opt-in rather than being the default behavior. That felt like the right security model. ⸻ Why I built this I don’t think AI agents should execute arbitrary instructions simply because they happen to live inside a Markdown file. If we’re going to build ecosystems around reusable AI skills, we also need ways to answer questions like: That’s the problem Skillerr is trying to solve. ⸻ It’s open source I’d genuinely love people to try breaking it. If you’re already building AI skills—for Claude, Cursor, Codex, or your own framework—I’d love to know: Issues and pull requests are very welcome. GitHub: https://github.com/dot-skill/skillerr https://github.com/dot-skill/skillerr Protocol Package: @skillerr/protocol Documentation: https://skillerr.com/docs https://skillerr.com/docs If you find a bug, please open an issue. If you can’t break it, I’d like to hear that too.