skillx.md · marketplace · publish

Publish a signed skill

Your skill stays on your domain — your domain is the trust root. skillx verifies the signature, scans the content, and lists it. Listing is free. Three steps:

1. Sign it

# get the CLI and make a keypair (once):
curl -fsSLO https://skillx.md/skillx.py
python3 skillx.py keygen --out signing.pem --pub-jwk signing.jwk

# sign your SKILL.md — kid points at YOUR domain:
python3 skillx.py sign --key signing.pem \
  --kid "did:web:example.com#skills-2026" \
  --url "https://example.com/SKILL.md" SKILL.md

Keep signing.pem secret (a password manager or vault). Everything else is public.

2. Host three files on your domain

https://example.com/SKILL.md                  # the skill (unchanged by signing)
https://example.com/SKILL.md.sig              # the signature sidecar
https://example.com/.well-known/did.json      # your public key document

Minimal did.json — paste your JWK from step 1 into publicKeyJwk:

{
  "@context": ["https://www.w3.org/ns/did/v1",
               "https://w3id.org/security/suites/jws-2020/v1"],
  "id": "did:web:example.com",
  "verificationMethod": [{
    "id": "did:web:example.com#skills-2026",
    "type": "JsonWebKey2020",
    "controller": "did:web:example.com",
    "publicKeyJwk": { "kty": "EC", "crv": "P-256", "x": "…", "y": "…" }
  }],
  "assertionMethod": ["did:web:example.com#skills-2026"]
}

Check your work — this must print VERIFIED:

python3 skillx.py verify --scan https://example.com/SKILL.md

3. Submit it

  1. Email hello@holdingco.com with your skill URL (a pull-request flow against the public registry is landing shortly — the registry and its append-only transparency log are git-native by design).
  2. We re-verify the signature, run a content scan, and add your entry to the registry and the transparency log.
  3. Optional: become a Verified Publisher ($9/yr founding) — identity-checked badge on every listing, linked across the User Agency Web.

Ground rules: a signature proves who published, never that content is safe — we scan, and listings that fail re-verification are pulled and annotated in the log, not silently deleted. Spec: spec.md.