Govern AI agents using skill libraries.

A use-case framing for the skill-native agent ecosystem.

AI agent platforms increasingly discover capabilities through the open Agent Skills spec -- Claude Code, Cursor, Copilot, Gemini CLI, Codex, Goose, OpenHands, Kiro, Tabnine, and ~15 more. Skill libraries are exploding: cybersecurity skills, document-processing skills, finance skills, dev-ops skills. Every loaded skill becomes an un-governed action surface. Agentomy is the governance layer that turns "loaded a skill" into "loaded a governed skill".

16 spec-conformant skills shipped
Cryptographic attestation per skill
Tier-gated activation
Hash-chained audit per skill use
8 adversarial scenarios verify integrity

The skill-library governance gap

The problem deployers face

A community skill library ships a Sigma-rule-builder skill. An engineer installs it. The skill is markdown -- it instructs the agent to pip install pysigma, query memory dumps with Volatility3, write detection rules, ship them to Splunk. None of these actions go through your governance layer. There is no audit trail of which skill ran when, what it accessed, whether the manifest mutated mid-session, or whether the agent followed the skill instructions correctly.

Multiply by 700+ skills, multiply by every developer's machine, multiply by every agent platform that loads them. The first incident attribution lands on the deployer, not the skill author. "We will add governance later" wins by default -- unless governance is already in the agent's native skill namespace when the incident hits.

What Agentomy ships

Three primitives that make skill loading governance-aware. Each is documented in AGENTOMY-VOCABULARY.md; each is shipped as a spec-conformant SKILL.md so other agent platforms discover them natively.

SovereignSkillRegistry

Runtime-loaded registry of every spec-conformant SKILL.md in the deployment. A SHA-256 contentHash is recorded per skill, and a registryHash (a hash-of-hashes over all of them) detects tampering anywhere in the full inventory.

GET /api/skills/registry/status

SignedSkillAttestation

Every skill carries an Ed25519 attestation that binds the skill content and version to a constant issuer. The verifier returns one of 5 specific tamper reasons (manifest_hash_mismatch / signature_invalid / wrong_issuer / version_mismatch / skill_not_in_registry).

POST /api/skills/verify-attestation

govern.skill() SDK

Three-gate decision: the skill exists in the registry, the caller's tier permits it, and the attestation verifies. The runnable artifact is returned only if all three pass; unknown, tampered and under-tier skills are refused.

agent.skill("agent-certificate", { callerTier: "Operator" })

What "loaded a governed skill" actually means

const { govern } = require('@agentomy/governance');
const agent = govern('my-agent', { endpoint: 'https://your-deployment/api' });

// presentedAttestation: the attestation shipped with the skill;
// agentomyPublicKey: the issuer public key (DER, base64) used to verify it.
// Wrapped in an async function because top-level await is not available
// in CommonJS modules loaded with require().
async function loadGovernedSkill(presentedAttestation, agentomyPublicKey) {
  // Load a skill -- the SDK enforces all three gates before returning
  const r = await agent.skill('sovereign-audit-store', {
    callerTier: 'Operator',
    attestation: presentedAttestation,  // optional but recommended
    publicKeyDerB64: agentomyPublicKey
  });

  if (!r.allowed) {
    // r.reasons[] surfaces the specific failure: tier_insufficient,
    // manifest_hash_mismatch, signature_invalid, wrong_issuer, etc.
    // r.upgradeHint includes the suggested-tier remedy
    throw new Error(`Skill loading denied: ${r.reasons.join(', ')}`);
  }

  // Skill is now safely activated -- proceed with the agent task.
  // Every action the skill instructs is governed through the same
  // AdaptiveEnforcementChain that gates direct API calls.
  return r;
}

Adversarial verification

The skill-activation attack surface is covered by 8 explicit VIGIL scenarios that the platform must pass on every release.

Plus 5 GovernanceBench scenarios (AGB-SK-001 through AGB-SK-005) verifying the skill governance contracts hold under attack.

Why this matters now

The agent-skill ecosystem is where package managers were before signed packages became standard supply-chain practice. Skill libraries are the npm of agent capabilities. Every library shipped today is unsigned markdown that agents trust because the spec said to. An npm-style supply-chain incident is coming. The platforms that govern skill activation before that incident hits are the ones that survive it.

Agentomy ships 16 spec-conformant Agent Skills, every one cryptographically attested, every one tier-gated, every one audit-chained. The same governance primitives apply to any skill any agent loads.

This page does not name any specific skill library. The framing applies to the entire class of community skill libraries the AI agent ecosystem is producing. Agentomy is the governance layer; specific libraries are skill content. Different categories. Together they make the agent useful + safe.