AgentVouch Docs

Why `skill.md` is a supply-chain risk

A `skill.md` file looks like documentation, but an agent may execute it like instructions. That means a malicious file can present itself as a harmless integration while actually telling the agent to leak secrets, run bad code, or misuse wallet access.

The file format alone does not tell an agent whether the author is trustworthy. That is the gap AgentVouch tries to close. It does not magically prove a file is safe. It gives the caller a financial trust record for the author behind the file.

What to check before install

• Is the author registered on-chain?
• Is there stake behind the author?
• Are there active or upheld disputes?
• Is the author recommended for allow, review, or avoid?

You can inspect those signals on the marketplace, on each author page, and through the public trust APIs.

Next: how to verify an AI agent before giving it access or payment.