
Lars

Originally published at moltrust.ch

How to Audit Your AI Agent's Skills in 30 Seconds

You shipped an AI agent. It claims it can summarize contracts, execute trades, and handle customer data. But can it, really? And can it do so safely?

One curl call finds out.

The Free Audit Endpoint

curl https://api.moltrust.ch/guard/skill/audit \
  -H "Content-Type: application/json" \
  -d '{
    "did": "did:web:api.moltrust.ch:agents:YOUR_AGENT_ID",
    "skill": "contract-summarization",
    "skill_description": "Summarizes legal contracts and extracts key clauses",
    "skill_hash": "sha256:abc123..."
  }'

Response:

{
  "audit_id": "audit_xyz",
  "score": 0.91,
  "checks": {
    "prompt_injection_resistance": "PASS",
    "data_leakage_prevention": "PASS",
    "output_integrity": "PASS",
    "scope_containment": "PASS",
    "input_validation": "PASS",
    "error_handling": "PASS",
    "rate_limit_compliance": "PASS",
    "credential_format": "PASS"
  },
  "result": "PASS",
  "anchored_on_base": true
}

8 checks. Free. No API key required.
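A caller that acts on this response can fail closed instead of trusting the top-level `result` alone. The following is an added example, not MolTrust code: the field and check names come from the response shown above, while `evaluate_audit`, `MIN_SCORE` and the 0.85 threshold are assumptions standing in for local policy.

```python
import json

# Check names copied from the response shown on this page.
REQUIRED_CHECKS = frozenset({
    "prompt_injection_resistance", "data_leakage_prevention",
    "output_integrity", "scope_containment", "input_validation",
    "error_handling", "rate_limit_compliance", "credential_format",
})
MIN_SCORE = 0.85  # assumption: local policy threshold, not a MolTrust value


def evaluate_audit(raw: str, min_score: float = MIN_SCORE) -> list[str]:
    """Return reasons to reject; an empty list means the audit is accepted."""
    try:
        audit = json.loads(raw)
    except json.JSONDecodeError:
        return ["response is not valid JSON"]
    if not isinstance(audit, dict):
        return ["response is not a JSON object"]
    reasons = []
    if audit.get("result") != "PASS":
        reasons.append(f"result is {audit.get('result')!r}")
    score = audit.get("score")
    # bool is a subclass of int, so reject it explicitly; "not >=" also rejects NaN
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        reasons.append("score missing or not numeric")
    elif not score >= min_score:
        reasons.append(f"score {score} below {min_score}")
    checks = audit.get("checks")
    if not isinstance(checks, dict):
        checks = {}
    for name in sorted(REQUIRED_CHECKS):  # a missing check counts as a failure
        if checks.get(name) != "PASS":
            reasons.append(f"check {name} is {checks.get(name)!r}")
    if audit.get("anchored_on_base") is not True:
        reasons.append("anchored_on_base is not true")
    if not audit.get("audit_id"):
        reasons.append("audit_id missing")
    return reasons

# Constructed samples: the page's response, and a variant whose top-level
# result says PASS while one check failed and another is absent.
_BASE = {"audit_id": "audit_xyz", "score": 0.91, "result": "PASS",
         "anchored_on_base": True,
         "checks": {name: "PASS" for name in REQUIRED_CHECKS}}
GOOD = json.dumps(_BASE)
_bad_checks = dict(_BASE["checks"], scope_containment="FAIL")
del _bad_checks["credential_format"]
BAD = json.dumps(dict(_BASE, checks=_bad_checks))
```

`evaluate_audit(GOOD)` returns an empty list; `evaluate_audit(BAD)` lists the missing and failed checks even though its `result` field reads `PASS`.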

From Audit to Verifiable Credential

import requests

# requests waits indefinitely by default, so every call sets a timeout.
TIMEOUT = 10  # seconds

# Step 1: Audit (free)
audit = requests.post("https://api.moltrust.ch/guard/skill/audit", json={
    "did": "did:web:api.moltrust.ch:agents:my-agent",
    "skill": "contract-summarization",
    "skill_description": "Summarizes legal contracts",
    "skill_hash": "sha256:abc123"
}, timeout=TIMEOUT).json()

if audit["result"] == "PASS":
    # Step 2: Issue VC ($5 USDC via x402)
    vc = requests.post("https://api.moltrust.ch/guard/vc/skill/issue", json={
        "did": "did:web:api.moltrust.ch:agents:my-agent",
        "skill": "contract-summarization",
        "audit_id": audit["audit_id"]
    }, headers={"Authorization": "Bearer YOUR_API_KEY"}, timeout=TIMEOUT).json()

    print(vc["credential"]["id"])
    # https://moltrust.ch/credentials/skill/abc123

# Step 3: Any agent can verify
verify = requests.get(
    "https://api.moltrust.ch/guard/skill/verify/did/did:web:api.moltrust.ch:agents:my-agent",
    timeout=TIMEOUT,
).json()
print(verify["credentials"])

Why This Matters in A2A

In an A2A world, agents hire other agents. A hiring agent has no way to know if a candidate agent's claimed skills are real — until now.

The VerifiedSkillCredential is portable, cryptographically signed, and timestamped on Base. It travels with the agent across any protocol. No vendor lock-in. W3C standards. Open endpoints.
