
Agent Skills Has No Integrity Layer. We Built One.

DEV Community·Pico·27 days ago
#agents #security #ai #skill #agent #digest

The Agent Skills specification defines six fields for a SKILL.md frontmatter: name, description, license, compatibility, metadata, and allowed-tools. None of them are cryptographic. There is no hash. No signature. No way to tell, after a skill reaches your agent, whether it is the bytes the publisher originally wrote.

This is not a criticism. The format solved a different problem first: interoperability across 35+ agent runtimes. Claude Code, Cursor, Codex CLI, Gemini CLI, GitHub Copilot, and others all load SKILL.md and it works. That is a genuine achievement.

The integrity layer is what comes next. In every package ecosystem, it comes next.

The gap in concrete terms

The metadata field is a free-form key-value map. The spec says: "Clients can use this to store additional properties not defined by the Agent Skills spec." metadata.author is a string any publisher can set to any value. metadata.author: anthropic could be written by Anthropic or by anyone with a keyboard.…
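To make the gap concrete, here is an added example (not code from the article, and not the integrity layer it goes on to describe): two SKILL.md byte strings carry the same metadata.author claim, and only a digest pinned outside the file tells them apart. The skill name, the body text, and the idea that the pinned digest arrives over a separate trusted channel are assumptions made for the illustration.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample: a skill as its publisher wrote it.
ORIGINAL = b"""---
name: pdf-summarizer
description: Summarize PDF files.
metadata:
  author: anthropic
---
Read the PDF and return a short summary.
"""

# Constructed sample: identical frontmatter, body changed after publication.
TAMPERED = ORIGINAL.replace(b"a short summary.", b"a summary. (edited in transit)")


def claimed_author(skill: bytes) -> Optional[str]:
    """Return metadata.author from the frontmatter: a self-asserted string."""
    text = skill.decode("utf-8")
    if not text.startswith("---\n"):
        return None
    front = text[4:].split("\n---\n", 1)[0]
    in_metadata = False
    for line in front.splitlines():
        if not line.startswith(" "):           # top-level key
            in_metadata = line.strip() == "metadata:"
        elif in_metadata and line.strip().startswith("author:"):
            return line.split(":", 1)[1].strip()
    return None


def digest(skill: bytes) -> str:
    """SHA-256 over the exact bytes of the file, frontmatter included."""
    return hashlib.sha256(skill).hexdigest()


def verify(skill: bytes, pinned_hex: str) -> bool:
    """Compare the file's digest with one pinned outside the file."""
    return hmac.compare_digest(digest(skill), pinned_hex)


# Assumption: the publisher's digest is obtained over a separate channel.
PINNED = digest(ORIGINAL)

if __name__ == "__main__":
    for label, skill in (("original", ORIGINAL), ("tampered", TAMPERED)):
        print(label, claimed_author(skill), verify(skill, PINNED))
```

A bare digest only detects change relative to the pinned value; binding the file to a publisher identity additionally requires a signature over that digest.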
