skillx.md · marketplace · publish · part of the User Agency Web
The trust layer for the agentic web.
Agent skills are executable instructions for your AI. Installing an unsigned one is curl | sudo bash for your agent. skillx signs skills with a key anchored in the publisher's own domain — so you can verify who published it and that it hasn't been modified before your agent runs a word of it.
Verify a skill Publish yours — freeThis is already a supply chain. It's just unsigned.
- Snyk's ToxicSkills study found prompt-injection payloads in 36% of scanned agent skills — 1,467 malicious payloads in the wild.
- OWASP now publishes an Agentic Skills Top 10. Skill-based credential theft has moved from proof-of-concept to incident report.
- There are 8+ skill marketplaces. None of them ship cryptographic provenance. A skill file tells you nothing about who wrote it — or who changed it after they did.
A signature doesn't make a skill safe — it makes it attributable and tamper-evident. That's the missing floor. (Verification pairs every signature check with a content scan for exactly this reason.)
Verify before you install
# one file, no account, no server:
curl -fsSLO https://skillx.md/skillx.py
# verify the first signed skill on the open web:
python3 skillx.py verify --scan https://username.md/SKILL.md
VERIFIED
skill: user-agency-web-identity
publisher: did:web:username.md#skillx-2026
sha256: 2dfef1e15468e04d…
# or verify + scan + install into ~/.claude/skills/ in one step
# (refuses unsigned skills by default):
python3 skillx.py install https://username.md/SKILL.md
Outcomes are exact: VERIFIED, UNSIGNED, or INVALID. A tampered byte fails. An agent should never present INVALID as merely unsigned — and this tooling doesn't.
How publishing works
Sign
One command produces a detached JWS (ES256) over the sha256 of your SKILL.md's raw bytes. The artifact itself never changes.
Anchor
Your public key lives in /.well-known/did.json on your domain (did:web). Your domain is the trust root — not us.
Log
Every signature is recorded in a public, append-only transparency log. Anyone can audit what you published and when.
The spec is open (spec.md), the primitives are boring on purpose — standard JWS, standard JWK, W3C did:web, Sigstore-compatible envelope. Registry index at /skills.json; log at /log/transparency.jsonl.
Pricing
Sign & verify
$0 forever
The security floor is not a paywall. CLI, spec, verification, unsigned listing — free, always.
Verified Publisher
$9 / year
Identity-checked badge on every skill you publish, verified listing in the registry, your handle linked across the User Agency Web. Founding price, locked in.
Verified Org
$149 / year
Organization-level verification via about-us.md for teams shipping skills to customers. The trust badge your distribution channel asks for.
Dogfood, in public
The first signed skill in the log is our own: the User Agency Web skill (signature · key · log seq 1). We sign what we ship. So should everyone who ships instructions into someone else's agent.