What changed
HYPOTHESIS (asserted in convergence description, not supported by the attached signals): agent behavioral configuration has moved into fetchable third-party skill files distributed via ad-hoc GitHub repos and vendor blogs with no signing, versioning, or provenance β the npm-supply-chain preconditions, but the payload steers agents holding repo and database access. Neither provided signal (a Chrome speculation-rules experiment; a one-off robot wheelchair build) actually evidences this claim; the causal chain cites signal IDs 177/488/1917 that were not included in the input.
Why now
MCP standardization and rapid coding-agent adoption mean orgs are ingesting unsigned third-party behavior files today, before any incumbent has shipped provenance controls. But 'why now' cuts both ways: the ecosystem is so early that the natural owners (Anthropic, GitHub, npm, Socket) have simply not gotten to it yet β this is a window, not a moat.
Converging signals
Claimed: community skill repos (addyosmani/agent-skills), vendor-published skills (Supabase), MCP auto-loading of third-party capability definitions. Cluster c3 bridges ai/complaint/dev/platform with cohesion 0.898. Caveat: the two signals actually attached to this input are irrelevant to the thesis, so the convergence rests entirely on the description text β treat the whole premise as inference, not fact.
Customer pain
HYPOTHESIS: security teams fear prompt-injection/supply-chain compromise via skills their agents fetch. demand_evidence is EMPTY β zero complaints, zero job postings, zero mandates were retrieved. There is no provided evidence that anyone is currently in pain or paying for this.
Who pays
Claimed: security-conscious engineering orgs adopting coding agents at scale; secondarily skill publishers wanting trusted distribution. Unproven. Worse, the buyer is a security org β the single hardest buyer for an unknown solo vendor, because the product's entire value proposition is trust, which a no-name one-person registry does not have.
Solved today
Orgs either don't solve it (copy-paste skills from GitHub after eyeball review), pin git commits manually, or block third-party skills entirely. Adjacent spend exists in dependency supply-chain tools (Socket, Snyk, Chainguard, sigstore/npm provenance) β but that spend belongs to incumbents perfectly positioned to extend into skills.
Why current solutions are bad
Manual review doesn't scale and git pinning gives integrity without provenance or diff-on-update review. Real gap, but 'bad current solution' is only half the equation β the buyer must also be unable to wait, and nothing here shows urgency.
Proposed product
A minimal registry: publishers sign skills (sigstore-style), consumers pin semver, updates surface human-readable diffs for approval, and an allowlist proxy sits between enterprise agents and skill sources. Per-seat or per-org pricing.
MVP version
CLI + hosted index: `skillreg publish` (keyless signing via OIDC), `skillreg install pkg@1.2.0` with signature verification, a diff-review web UI, and an HTTP proxy that blocks unpinned/unsigned fetches. Solo-buildable in 4-8 weeks on existing sigstore tooling.
30-day build
Build signing/pinning CLI and index; mirror-and-sign the top ~200 public skills to seed the registry; publish a 'malicious skill' proof-of-concept writeup demonstrating an agent exfiltrating a repo via a poisoned skill file to create the fear the product answers.
60-day build
Ship the enterprise allowlist proxy; approach 20 platform/security engineers at companies known to run Claude Code/Cursor at scale; offer free org tier to 5 design partners in exchange for public logos.
90-day revenue plan
Convert design partners to $99-$499/mo org plans. Honest assessment: with no demand evidence and a trust-sale to security teams, first paid conversion inside 90 days is unlikely; 180+ days is the realistic floor, and the instruction to not invent demand applies.
Distribution path
Security-community content (the poisoned-skill PoC is the wedge), HN/lobste.rs, MCP/agent-dev Discords, conference CFPs. All plausible but slow, and content-driven security credibility is exactly the 'multi-year trust-building play' this founder avoids.
Pricing hypothesis
Free for publishers and individuals; $99-$499/mo per org for the proxy/allowlist tier; per-seat at $10-20 for larger orgs.
Technical difficulty
Moderate and solo-feasible: sigstore, semver resolution, diff UI, and a proxy are all well-trodden. The hard part is not the software β it's becoming a party that security teams trust more than GitHub.
Legal / regulatory risk
Low direct legal risk. Reputational/liability exposure if a signed skill turns out malicious (signing attests identity, not safety β buyers will conflate the two).
Platform dependency
Severe. Anthropic, GitHub, or npm can ship native skill signing/registry and erase the product overnight; MCP spec evolution could standardize provenance in-protocol. The registry model also has network effects (worthless until publishers publish), which this founder explicitly avoids.
Founder fit
Poor. No government mandate, no forced buyer, no per-filing transaction β this is dev-tool security infrastructure sold on credibility to engineering/security orgs, orthogonal to his FMCSA-portal edge, recycling/ops background, and demonstrated-value (not trust-sale) selling style. The high-confidence lesson that government-portal mandate shapes fit him best (0.80) applies in reverse here.
Breakout potential
If agent skills become the next npm, the trusted registry is a venture-scale asset β but that outcome is exactly why incumbents will take it, and why the winner will likely be whoever owns the agent runtime, not an independent registry.
Final recommendation
KILL for this founder β for the right reasons: no evidenced buyer, a trust-sale channel he is structurally weakest in, network-effect registry dynamics he avoids, and first-order incumbent crush risk. The underlying trend is real and worth tracking; revisit only if demand evidence appears (job postings for 'agent security', enterprise complaints, or a compliance framework naming agent-skill provenance) or if a standard emerges he can build a compliance/audit tool against.
Next action
Add monitoring only: track 'MCP security', 'skill signing', 'agent supply chain' in ingestion, and watch for NIST/SOC2/EU-AI-Act language compelling agent-input provenance β a regulatory mandate here would flip this from kill to high-fit overnight.