Ed25519 signing for AI agent skills — a primer

Why provenance matters for AI agent skills, and how Toolmark uses Ed25519 signatures to make skills verifiable.

When you install an npm package, you trust a registry. When you pip install something, you trust PyPI. Both have had supply-chain attacks.

AI agent skills are the next surface. A skill is a chunk of instructions and tools that runs inside your AI agent’s context window. If someone ships a malicious skill — one that exfiltrates your codebase, calls out to external URLs, or escalates permissions — the damage happens at inference time, not install time.

Toolmark signs every published skill with Ed25519. Here’s why and how.

Why Ed25519 over RSA

Three reasons:

  1. Key size — an Ed25519 public key is 32 bytes and a signature is 64 bytes. An RSA-2048 public key is a 256-byte modulus (plus exponent) and its signature is another 256 bytes. For provenance metadata that gets embedded in context windows alongside the skill, that size matters.
  2. Speed — Ed25519 signing is on the order of 50–100x faster than RSA-2048 signing. Irrelevant for one-off publish ops, but relevant if you’re signing test runs too. Note that this is a signing-side argument only: RSA-2048 verification with a small public exponent is actually faster than Ed25519 verification, so the install path gains nothing here.
  3. Modern — Ed25519 is Curve25519-based and designed so that the safe implementation is the natural one: there is no padding scheme to choose, the per-signature nonce is derived deterministically from the key and the message (so the nonce-reuse failures that break ECDSA cannot happen), and the complete addition formula makes constant-time code straightforward. RSA’s security depends on getting padding (PKCS#1 v1.5 vs PSS), key generation and blinding right in ways that Ed25519 doesn’t. That is a property of the design, not a guarantee: a careless Ed25519 implementation can still leak the key through timing.

The signing flow in Toolmark

When you run toolmark publish:

  1. Toolmark reads your skill.json manifest and all skill files
  2. Computes SHA-256 of the canonical JSON-serialised bundle (canonical meaning a fixed key order and whitespace, so the same skill always hashes to the same digest)
  3. Signs that 32-byte digest with your Ed25519 private key (stored in ~/.toolmark/identity.key, which is the file to protect: anyone holding it can publish as you)
  4. Embeds the signature and your public key in the provenance block of the published manifest, which then looks like this:

{
  "name": "my-skill",
  "version": "1.0.0",
  "provenance": {
    "signer": "ddevilz",
    "public_key": "ed25519:AAAA....",
    "signature": "base64url:...",
    "signed_at": "2026-02-05T10:30:00Z"
  }
}

When an agent runtime installs the skill, it verifies the signature against the public key before loading the skill into context. The key carried in the manifest is self-asserted, so the runtime must also check that it is the key registered to that signer in the Toolmark registry; otherwise an attacker who modified the skill could simply replace both the key and the signature, and the manifest would still verify.
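The publish and install steps above, as an added worked example in Python. This is not Toolmark’s code; the project’s own implementation is not shown on this page. The Ed25519 arithmetic is written out against RFC 8032 so that the block runs with nothing but the standard library and so the signing equations are visible (r derived from the key prefix and the message, R = rB, S = r + H(R, A, M)·a mod l); it is reference-style and not constant-time, so a real tool would call `cryptography` or PyNaCl instead. The manifest field names are the ones shown above; the bundle layout (manifest plus a path-to-content map), the base64url encoding of key and signature, the registry lookup, and the sample skill, fixed seed and signer name are all assumptions made for the example.

```python
import base64, hashlib, json
# Ed25519 per RFC 8032 in reference-style affine arithmetic. Illustrative only:
# NOT constant time. Use `cryptography` or PyNaCl for real keys.
_q = 2**255 - 19                                      # field prime p
_l = 2**252 + 27742317777372353535851937790883648493  # order of the base point B
_d = (-121665 * pow(121666, _q - 2, _q)) % _q         # curve constant d
_I = pow(2, (_q - 1) // 4, _q)                        # sqrt(-1) mod p

def _xrecover(y):                          # the even x for a given y (RFC 8032 5.1.3)
    xx = (y * y - 1) * pow(_d * y * y + 1, _q - 2, _q)
    x = pow(xx, (_q + 3) // 8, _q)
    if (x * x - xx) % _q:
        x = x * _I % _q
    return _q - x if x & 1 else x
_By = 4 * pow(5, _q - 2, _q) % _q
_B = (_xrecover(_By), _By)                 # base point B

def _add(P, Q):                            # twisted Edwards point addition
    (x1, y1), (x2, y2) = P, Q
    t = _d * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * pow(1 + t, _q - 2, _q) % _q,
            (y1 * y2 + x1 * x2) * pow(1 - t, _q - 2, _q) % _q)
def _mul(P, e):                            # double-and-add scalar multiplication
    Q = (0, 1)
    while e:
        if e & 1:
            Q = _add(Q, P)
        P, e = _add(P, P), e >> 1
    return Q
_enc = lambda P: (P[1] | (P[0] & 1) << 255).to_bytes(32, "little")  # y, sign of x in bit 255
def _dec(s):                               # inverse of _enc; rejects invalid encodings
    y = int.from_bytes(s, "little") & ((1 << 255) - 1)
    x = _xrecover(y)
    x = _q - x if (x & 1) != (s[31] >> 7) else x
    if y >= _q or (-x * x + y * y - 1 - _d * x * x * y * y) % _q:
        raise ValueError("invalid point encoding")
    return (x, y)
def _clamp(h):                             # RFC 8032 5.1.5: clear the low 3 bits, set bit 254
    return (int.from_bytes(h[:32], "little") & ((1 << 254) - 8)) | (1 << 254)
def public_key(seed):
    return _enc(_mul(_B, _clamp(hashlib.sha512(seed).digest())))
def sign(msg, seed):
    h = hashlib.sha512(seed).digest()
    a, pk = _clamp(h), public_key(seed)
    r = int.from_bytes(hashlib.sha512(h[32:] + msg).digest(), "little") % _l  # deterministic nonce
    R = _enc(_mul(_B, r))
    k = int.from_bytes(hashlib.sha512(R + pk + msg).digest(), "little")
    return R + ((r + k * a) % _l).to_bytes(32, "little")
def verify(msg, sig, pk):
    if len(sig) != 64 or len(pk) != 32:
        return False
    try:
        R, A = _dec(sig[:32]), _dec(pk)
    except ValueError:
        return False
    S = int.from_bytes(sig[32:], "little")
    if S >= _l:                            # non-canonical S: reject malleable signatures
        return False
    k = int.from_bytes(hashlib.sha512(sig[:32] + pk + msg).digest(), "little") % _l
    return _mul(_B, S) == _add(R, _mul(A, k))

# The publish/install flow described above. Field names follow the manifest shown on the
# page; the bundle layout, the base64url encoding and the registry lookup are assumptions.
_b64u = lambda b: base64.urlsafe_b64encode(b).decode().rstrip("=")
_unb64u = lambda s: base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def canonical_digest(manifest, files):     # SHA-256 of the canonical JSON bundle
    raw = json.dumps({"manifest": manifest, "files": files}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(raw.encode()).digest()

def publish(manifest, files, seed, signer, signed_at):
    sig = sign(canonical_digest(manifest, files), seed)   # sign the digest, not the bundle
    signed = dict(manifest)
    signed["provenance"] = {"signer": signer, "signed_at": signed_at,
                            "public_key": "ed25519:" + _b64u(public_key(seed)),
                            "signature": "base64url:" + _b64u(sig)}
    return signed

def install_check(signed_manifest, files, registry):   # runtime-side check before loading
    prov = signed_manifest.get("provenance")
    if not prov:
        return False, "unsigned"
    # The key in the manifest is self-asserted: bind it to the signer via the registry,
    # otherwise an attacker can swap both key and signature and the manifest still verifies.
    if registry.get(prov.get("signer")) != prov.get("public_key"):
        return False, "public key not registered for signer"
    manifest = {k: v for k, v in signed_manifest.items() if k != "provenance"}
    pk, sig = (_unb64u(prov.get(f, "").partition(":")[2]) for f in ("public_key", "signature"))
    if not verify(canonical_digest(manifest, files), sig, pk):
        return False, "bad signature"
    return True, "ok"

# Constructed sample: a toy skill, a fixed seed and a one-entry registry (not real data).
SEED = bytes(range(32))
MANIFEST = {"name": "my-skill", "version": "1.0.0"}
FILES = {"SKILL.md": "# my-skill\nOnly read files under ./src; never call external URLs.\n"}
REGISTRY = {"ddevilz": "ed25519:" + _b64u(public_key(SEED))}
SIGNED = publish(MANIFEST, FILES, SEED, "ddevilz", "2026-02-05T10:30:00Z")
```

Two details worth keeping when you build this for real. The signature covers the manifest without its provenance block plus the files, so the signer name and signed_at are not protected by it; that is why install_check binds the key to the signer through the registry instead of trusting the manifest’s own claim (put the timestamp inside the bundle before hashing if you want it covered). And verify rejects S ≥ l, so nobody can mint a second valid encoding of the same signature, which matters as soon as you use the signature bytes as a cache or dedup key.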

What signing doesn’t solve

Signing proves authorship, not safety: it shows that whoever holds the private key signed exactly these bytes, and says nothing about what the bytes do. A signed skill from a compromised account, or from a leaked ~/.toolmark/identity.key, is still dangerous.

This is why Toolmark also runs LLM-as-judge evaluation on skills before publishing — checking for suspicious patterns like unconditional tool calls, missing scope declarations, or instructions that override system prompts.

Provenance is one layer. Behavioural analysis is another. Neither is sufficient alone.

Getting started

pip install toolmark
toolmark init          # generates your Ed25519 identity
toolmark publish .     # signs and publishes your skill

The public key gets registered in the Toolmark registry. Anyone who installs your skill can verify it was signed by the key registered to you.

Toolmark is on GitHub. Feedback welcome.