Aegis
Integrity for agent skills

Verify every skill before it runs.

Cryptographic integrity for agent skills — each named on ENS, evaluated by a trustless AI attestor on Chainlink CRE, and gated by policies you approve on your Ledger.

$ npm i -g @aegis/safeskill
$ safeskill onboard --ledger --min-security 70
$ safeskill check weather.acme.safeskills.eth
$ safeskill onboard --ledger --min-security 70
✓ policy · auto-approve ≥ 70% · below → Ledger override
$ safeskill use weather.acme.safeskills.eth
✓ hash matches ENS pin · verdict pass · security 97%
AUTO-APPROVE — installed
$ safeskill use sync.evilcorp.safeskills.eth
⚠ verdict fail · security 4% — below policy
NEEDS OVERRIDE — Ledger signature required
$ safeskill use tampered.acme.safeskills.eth
✗ content hash ≠ pinned hash
BLOCKED — a signature can't override this

A poisoned skill is a hijacked agent.

Skills are instructions your agent follows blindly. Tamper with one and you own the agent.

Skill swap

A skill's Markdown is silently edited at its URL — new content, no alert.

Frontmatter poisoning

A skill's allowed-tools is rewritten to grant capabilities it was never trusted with.

No audit trail

No way to prove which version of a skill actually ran, or who approved it.

How it works

Four steps from a Markdown skill to verifiable execution.

01
Name on ENS

Each skill gets a human-readable ENS name that pins the exact content hash of its Markdown.

02
Attest via Chainlink CRE

A trustless AI attestor runs inside Chainlink CRE and posts a signed safety verdict on-chain.

03
Gate on Ledger

You set what skills may do. Approvals and emergency bypasses are signed on your hardware device.

04
Verify before it runs

The verifier re-hashes the live skill and checks it against the chain. Any mismatch is blocked.

The architecture

One pipeline, public and private skills.

A Chainlink CRE workflow reviews each skill inside a TEE and writes a verifiable verdict on-chain — private code never leaves the enclave.

AEGIS · TRUSTLESS REVIEW

One review pipeline, verifiable end-to-end. A Chainlink CRE workflow runs an LLM review inside a TEE and writes a verifiable verdict on-chain — no reviewer you have to trust.

Public skill / package: GitHub · npm · ClawHub

Chainlink CRE · Confidential AI: a TEE enclave that runs on a DON. The LLM reviews the code for:
· injection hidden in SKILL.md
· credential / exfil patterns
· obfuscation, malicious install scripts
Remote attestation proves the pinned model + prompt ran on this exact input → risk verdict + flags + proof.

On-chain registry (ENS-named · append-only): pinned hash · risk verdict + proof · revocations. Neutral — anyone reads it.

Load gate (runs in the agent / installer): fetches the verdict and checks hash == pinned? · verdict meets policy? · not revoked? → ✓ run in sandbox, or ✕ block → Ledger: human approves?

CRE watcher (always on): re-hashes pins to catch drift · relays OSV + advisories → writes revocations.

Why it's trustless: a verifiable, reusable verdict — trust the pinned model + TEE, not the reviewer's word.

Honest limit: the TEE proves the model ran honestly — not that its judgment is right. The verdict is one signal; the sandbox and the gate do the actual preventing.

Built on tools you trust

Chainlink CRE · ENS · Ledger · Agent Skills · AI Attestor · CLI

Ship agents that can't be hijacked.

Get the SDK →