An open cryptographic signing standard for AI agent skills and MCP servers.
No major agent registry has skill-level signing. Haldir fills that gap with DSSE v1.0.0 envelopes, Ed25519 signatures, and signed revocation — the same supply chain security stack that protects npm, PyPI, and container images.
- spec — Agent Skill Attestation Format (ASAF) specification
- haldir — Reference implementation (TypeScript)
- sign-action — GitHub Action for one-line CI signing (coming soon)
In February 2026, the ClawHavoc incident revealed 341 malicious skills (12% of ClawHub) deploying credential stealers via agent skills. Independent analysis found prompt injection in 36% of skills across major registries. Zero registries had cryptographic signing.
Haldir provides:
- ✅ Tamper-evident integrity (SHA-256 allowlists)
- ✅ Publisher authentication (Ed25519 signatures)
- ✅ Signed revocation (fail-closed install, fail-open runtime)
- ✅ Sigstore-compatible (keyless signing, transparency logs)
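To show what the integrity and authentication properties above look like in practice, here is an added illustration (not Haldir's own code, and not the ASAF spec's exact payload format): it builds a SHA-256 allowlist of a constructed skill, wraps it in a DSSE v1.0.0 envelope, signs the DSSE pre-authentication encoding with Ed25519 via Node's `crypto` module, and verifies fail-closed. The payload type, key id and file contents are assumptions.

```typescript
// Added example, not Haldir's code. Payload type, key id and files are assumptions.
import { createHash, generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

type Files = Record<string, string>;
interface Envelope { payloadType: string; payload: string; signatures: { keyid: string; sig: string }[] }

// Assumed payload type; the ASAF spec defines the real one.
const PAYLOAD_TYPE = "application/vnd.example.asaf+json";

// Allowlist: path -> sha256(content). Keys are sorted so the JSON encoding is canonical.
function allowlist(files: Files): Record<string, string> {
  const out: Record<string, string> = {};
  for (const p of Object.keys(files).sort()) {
    out[p] = createHash("sha256").update(files[p]).digest("hex");
  }
  return out;
}

// DSSE v1 Pre-Authentication Encoding: "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body.
// Signing the PAE (not the raw payload) binds the payload type to the signature.
function pae(payloadType: string, payload: Buffer): Buffer {
  const typeLen = Buffer.byteLength(payloadType, "utf8");
  const header = Buffer.from(`DSSEv1 ${typeLen} ${payloadType} ${payload.length} `, "utf8");
  return Buffer.concat([header, payload]);
}

function signSkill(files: Files, priv: KeyObject, keyid: string): Envelope {
  const payload = Buffer.from(JSON.stringify({ files: allowlist(files) }), "utf8");
  const sig = sign(null, pae(PAYLOAD_TYPE, payload), priv); // Ed25519: algorithm must be null
  return { payloadType: PAYLOAD_TYPE, payload: payload.toString("base64"),
           signatures: [{ keyid, sig: sig.toString("base64") }] };
}

// Verify the Ed25519 signature first, then compare the on-disk files with the signed
// allowlist. Fail-closed: a bad signature, a changed, missing or extra file all reject.
function verifySkill(files: Files, env: Envelope, pub: KeyObject): boolean {
  const payload = Buffer.from(env.payload, "base64");
  const sigOk = env.signatures.some(s =>
    verify(null, pae(env.payloadType, payload), pub, Buffer.from(s.sig, "base64")));
  if (!sigOk) return false;
  const signed = JSON.parse(payload.toString("utf8")).files as Record<string, string>;
  const actual = allowlist(files);
  const paths = Object.keys(signed);
  return paths.length === Object.keys(actual).length && paths.every(p => actual[p] === signed[p]);
}

// Constructed demo skill: the clean install verifies, a modified file does not.
const demoKeys = generateKeyPairSync("ed25519");
const demoSkill: Files = { "SKILL.md": "# demo skill\n", "run.py": "print('hello')\n" };
const demoEnvelope = signSkill(demoSkill, demoKeys.privateKey, "publisher-key-1");
console.log(verifySkill(demoSkill, demoEnvelope, demoKeys.publicKey));                       // true
console.log(verifySkill({ ...demoSkill, "run.py": "import os\n" }, demoEnvelope, demoKeys.publicKey)); // false
```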
```sh
npm install -g @haldir/cli
haldir sign ./my-skill
haldir verify ./my-skill
```
📖 Read the spec · 🔧 Reference implementation · 🌐 haldir.ai
Report vulnerabilities to security@haldir.ai. See our Security Policy.
All Haldir projects are licensed under Apache 2.0.