<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Bharat Dudeja</title>
    <description>The latest articles on DEV Community by Bharat Dudeja (@csinye).</description>
    <link>https://dev.to/csinye</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4034802%2F2c5f46a0-753e-4087-a76c-e8a7d83a0df0.png</url>
      <title>DEV Community: Bharat Dudeja</title>
      <link>https://dev.to/csinye</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/csinye"/>
    <language>en</language>
    <item>
      <title>I tried to trick my own AI-skill signing tool. Here's what happened.</title>
      <dc:creator>Bharat Dudeja</dc:creator>
      <pubDate>Sat, 18 Jul 2026 06:41:22 +0000</pubDate>
      <link>https://dev.to/csinye/i-tried-to-trick-my-own-ai-skill-signing-tool-heres-what-happened-1e2d</link>
      <guid>https://dev.to/csinye/i-tried-to-trick-my-own-ai-skill-signing-tool-heres-what-happened-1e2d</guid>
      <description>&lt;p&gt;Over the last few months I’ve noticed a pattern emerging across AI tools.&lt;/p&gt;

&lt;p&gt;Whether it’s Claude Skills, Cursor, Codex, or custom agent frameworks, we’re increasingly giving AI agents “skills”—packages containing instructions, documentation, and sometimes scripts.&lt;/p&gt;

&lt;p&gt;The problem is…&lt;/p&gt;

&lt;p&gt;A skill is usually just a Markdown file (plus some assets).&lt;/p&gt;

&lt;p&gt;Nothing tells you:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Who created it.&lt;/li&gt;
&lt;li&gt;Whether it has been modified.&lt;/li&gt;
&lt;li&gt;Whether the version your AI is executing is the same one you reviewed yesterday.&lt;/li&gt;
&lt;li&gt;Whether someone quietly injected new instructions into it.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;As AI agents become capable of executing increasingly powerful workflows, that becomes a real supply-chain problem.&lt;/p&gt;

&lt;p&gt;So I built Skillerr.&lt;/p&gt;

&lt;p&gt;⸻&lt;/p&gt;

&lt;p&gt;What is Skillerr?&lt;/p&gt;

&lt;p&gt;Skillerr is an open-source protocol and CLI that adds trust and verification to AI skills before they’re executed.&lt;/p&gt;

&lt;p&gt;Instead of treating a skill as “just another folder,” Skillerr treats it as a verifiable package.&lt;/p&gt;

&lt;p&gt;It focuses on three things.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Package Integrity&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Every packaged skill receives a unique content-derived identifier along with cryptographic SHA-256 hashes.&lt;/p&gt;

&lt;p&gt;If any file changes after packaging—even a single character—Skillerr detects it immediately.&lt;/p&gt;

&lt;p&gt;No silent modifications.&lt;/p&gt;

&lt;p&gt;⸻&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Structured Contracts&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Instead of relying on long paragraphs that an AI has to interpret, a Skill contains a structured contract describing:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;required inputs&lt;/li&gt;
&lt;li&gt;permissions&lt;/li&gt;
&lt;li&gt;forbidden actions&lt;/li&gt;
&lt;li&gt;expected outputs&lt;/li&gt;
&lt;li&gt;whether a human has actually reviewed it&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This makes skills easier for both humans and AI agents to reason about.&lt;/p&gt;

&lt;p&gt;⸻&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Optional Public Provenance&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Authors can cryptographically sign their skills.&lt;/p&gt;

&lt;p&gt;Optionally, the package digest can also be anchored into Sigstore’s transparency log, making it independently verifiable without trusting Skillerr itself.&lt;/p&gt;

&lt;p&gt;Importantly:&lt;/p&gt;

&lt;p&gt;Only cryptographic identifiers are published.&lt;/p&gt;

&lt;p&gt;No prompts.&lt;br&gt;
No documentation.&lt;br&gt;
No knowledge base.&lt;br&gt;
No proprietary content.&lt;/p&gt;

&lt;p&gt;⸻&lt;/p&gt;

&lt;p&gt;I tried to break my own tool&lt;/p&gt;

&lt;p&gt;Before releasing it, I intentionally attacked it.&lt;/p&gt;

&lt;p&gt;First I packaged and signed a simple CSV processing skill.&lt;/p&gt;

&lt;p&gt;Then I:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;unpacked the archive&lt;/li&gt;
&lt;li&gt;edited one of the packaged files&lt;/li&gt;
&lt;li&gt;inserted hidden instructions&lt;/li&gt;
&lt;li&gt;repackaged everything&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Skillerr immediately rejected it because the package hashes no longer matched.&lt;/p&gt;

&lt;p&gt;Next I tried executing an unsigned package.&lt;/p&gt;

&lt;p&gt;It refused by default.&lt;/p&gt;

&lt;p&gt;Running untrusted skills requires an explicit opt-in rather than being the default behavior.&lt;/p&gt;

&lt;p&gt;That felt like the right security model.&lt;/p&gt;

&lt;p&gt;⸻&lt;/p&gt;

&lt;p&gt;Why I built this&lt;/p&gt;

&lt;p&gt;I don’t think AI agents should execute arbitrary instructions simply because they happen to live inside a Markdown file.&lt;/p&gt;

&lt;p&gt;If we’re going to build ecosystems around reusable AI skills, we also need ways to answer questions like:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Can I trust this?&lt;/li&gt;
&lt;li&gt;Who created it?&lt;/li&gt;
&lt;li&gt;Has it changed?&lt;/li&gt;
&lt;li&gt;Was it actually reviewed?&lt;/li&gt;
&lt;li&gt;Can someone independently verify what I’m about to run?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;That’s the problem Skillerr is trying to solve.&lt;/p&gt;

&lt;p&gt;⸻&lt;/p&gt;

&lt;p&gt;It’s open source&lt;/p&gt;

&lt;p&gt;I’d genuinely love people to try breaking it.&lt;/p&gt;

&lt;p&gt;If you’re already building AI skills—for Claude, Cursor, Codex, or your own framework—I’d love to know:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;What does Skillerr miss?&lt;/li&gt;
&lt;li&gt;What assumptions are wrong?&lt;/li&gt;
&lt;li&gt;What security holes can you find?&lt;/li&gt;
&lt;li&gt;What would make you trust it more?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Issues and pull requests are very welcome.&lt;/p&gt;

&lt;p&gt;GitHub: &lt;a href="https://github.com/dot-skill/skillerr" rel="noopener noreferrer"&gt;https://github.com/dot-skill/skillerr&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Protocol Package: @skillerr/protocol&lt;/p&gt;

&lt;p&gt;Documentation: &lt;a href="https://skillerr.com/docs" rel="noopener noreferrer"&gt;https://skillerr.com/docs&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;If you find a bug, please open an issue. &lt;/p&gt;

&lt;p&gt;If you can’t break it, I’d like to hear that too.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>opensource</category>
      <category>security</category>
      <category>showdev</category>
    </item>
  </channel>
</rss>
