Convergence Radar Convergence Engine

← Feed

F

Signed Skills Registry β€” supply-chain trust layer for AI agent instruction files

18/100

A signed, version-pinned registry and allowlist proxy for agent skill files, sold per-seat to engineering orgs letting coding agents auto-load third-party instructions.

Kill. Β· created 2026-07-10 04:06 UTC

aisaasapilong-termrevisit later

Scorecard

newness 7/10
convergence 4/10
demand evidence 1/10
existing spend 1/10
solo feasibility 6/10
speed to mvp 7/10
speed to revenue 2/10
distribution 3/10
competitive gap 3/10
expansion 6/10
founder fit 2/10

Penalty flags
enterprise sales long trust cycle no clear buyer no urgent pain platform policy risk (βˆ’22 from raw 40)

Opportunity brief

What changed
HYPOTHESIS (asserted in convergence description, not supported by the attached signals): agent behavioral configuration has moved into fetchable third-party skill files distributed via ad-hoc GitHub repos and vendor blogs with no signing, versioning, or provenance β€” the npm-supply-chain preconditions, but the payload steers agents holding repo and database access. Neither provided signal (a Chrome speculation-rules experiment; a one-off robot wheelchair build) actually evidences this claim; the causal chain cites signal IDs 177/488/1917 that were not included in the input.
Why now
MCP standardization and rapid coding-agent adoption mean orgs are ingesting unsigned third-party behavior files today, before any incumbent has shipped provenance controls. But 'why now' cuts both ways: the ecosystem is so early that the natural owners (Anthropic, GitHub, npm, Socket) have simply not gotten to it yet β€” this is a window, not a moat.
Converging signals
Claimed: community skill repos (addyosmani/agent-skills), vendor-published skills (Supabase), MCP auto-loading of third-party capability definitions. Cluster c3 bridges ai/complaint/dev/platform with cohesion 0.898. Caveat: the two signals actually attached to this input are irrelevant to the thesis, so the convergence rests entirely on the description text β€” treat the whole premise as inference, not fact.
Customer pain
HYPOTHESIS: security teams fear prompt-injection/supply-chain compromise via skills their agents fetch. demand_evidence is EMPTY β€” zero complaints, zero job postings, zero mandates were retrieved. There is no provided evidence that anyone is currently in pain or paying for this.
Who pays
Claimed: security-conscious engineering orgs adopting coding agents at scale; secondarily skill publishers wanting trusted distribution. Unproven. Worse, the buyer is a security org β€” the single hardest buyer for an unknown solo vendor, because the product's entire value proposition is trust, which a no-name one-person registry does not have.
Solved today
Orgs either don't solve it (copy-paste skills from GitHub after eyeball review), pin git commits manually, or block third-party skills entirely. Adjacent spend exists in dependency supply-chain tools (Socket, Snyk, Chainguard, sigstore/npm provenance) β€” but that spend belongs to incumbents perfectly positioned to extend into skills.
Why current solutions are bad
Manual review doesn't scale and git pinning gives integrity without provenance or diff-on-update review. Real gap, but 'bad current solution' is only half the equation β€” the buyer must also be unable to wait, and nothing here shows urgency.
Proposed product
A minimal registry: publishers sign skills (sigstore-style), consumers pin semver, updates surface human-readable diffs for approval, and an allowlist proxy sits between enterprise agents and skill sources. Per-seat or per-org pricing.
MVP version
CLI + hosted index: `skillreg publish` (keyless signing via OIDC), `skillreg install pkg@1.2.0` with signature verification, a diff-review web UI, and an HTTP proxy that blocks unpinned/unsigned fetches. Solo-buildable in 4-8 weeks on existing sigstore tooling.
30-day build
Build signing/pinning CLI and index; mirror-and-sign the top ~200 public skills to seed the registry; publish a 'malicious skill' proof-of-concept writeup demonstrating an agent exfiltrating a repo via a poisoned skill file to create the fear the product answers.
60-day build
Ship the enterprise allowlist proxy; approach 20 platform/security engineers at companies known to run Claude Code/Cursor at scale; offer free org tier to 5 design partners in exchange for public logos.
90-day revenue plan
Convert design partners to $99-$499/mo org plans. Honest assessment: with no demand evidence and a trust-sale to security teams, first paid conversion inside 90 days is unlikely; 180+ days is the realistic floor, and the instruction to not invent demand applies.
Distribution path
Security-community content (the poisoned-skill PoC is the wedge), HN/lobste.rs, MCP/agent-dev Discords, conference CFPs. All plausible but slow, and content-driven security credibility is exactly the 'multi-year trust-building play' this founder avoids.
Pricing hypothesis
Free for publishers and individuals; $99-$499/mo per org for the proxy/allowlist tier; per-seat at $10-20 for larger orgs.
Technical difficulty
Moderate and solo-feasible: sigstore, semver resolution, diff UI, and a proxy are all well-trodden. The hard part is not the software β€” it's becoming a party that security teams trust more than GitHub.
Legal / regulatory risk
Low direct legal risk. Reputational/liability exposure if a signed skill turns out malicious (signing attests identity, not safety β€” buyers will conflate the two).
Platform dependency
Severe. Anthropic, GitHub, or npm can ship native skill signing/registry and erase the product overnight; MCP spec evolution could standardize provenance in-protocol. The registry model also has network effects (worthless until publishers publish), which this founder explicitly avoids.
Founder fit
Poor. No government mandate, no forced buyer, no per-filing transaction β€” this is dev-tool security infrastructure sold on credibility to engineering/security orgs, orthogonal to his FMCSA-portal edge, recycling/ops background, and demonstrated-value (not trust-sale) selling style. The high-confidence lesson that government-portal mandate shapes fit him best (0.80) applies in reverse here.
Breakout potential
If agent skills become the next npm, the trusted registry is a venture-scale asset β€” but that outcome is exactly why incumbents will take it, and why the winner will likely be whoever owns the agent runtime, not an independent registry.
Final recommendation
KILL for this founder β€” for the right reasons: no evidenced buyer, a trust-sale channel he is structurally weakest in, network-effect registry dynamics he avoids, and first-order incumbent crush risk. The underlying trend is real and worth tracking; revisit only if demand evidence appears (job postings for 'agent security', enterprise complaints, or a compliance framework naming agent-skill provenance) or if a standard emerges he can build a compliance/audit tool against.
Next action
Add monitoring only: track 'MCP security', 'skill signing', 'agent supply chain' in ingestion, and watch for NIST/SOC2/EU-AI-Act language compelling agent-input provenance β€” a regulatory mandate here would flip this from kill to high-fit overnight.

Kill arguments (adversarial)

Competitors

β€’ Socket (link) β€” Supply-chain security for open-source packages; obvious adjacent expansion into agent skills/MCP servers.
β€’ sigstore (OpenSSF) (link) β€” Free signing infrastructure any incumbent can adopt to solve this natively; also the substrate a solo build would sit on.
β€’ GitHub / npm provenance (link) β€” Owns distribution of skill repos today; native attestation for skills would be a feature announcement, not a product.
β€’ Anthropic / MCP ecosystem (link) β€” Runtime owner; an official signed-skill or MCP-registry mechanism eliminates the independent registry's reason to exist.

Source citations (facts)

β€’ [WEB API] Speculation Rules - moderate viewport heuristics controls β€” Provided as a converging signal but is unrelated to agent skill files; noted to flag that the attached signals do not substantiate the convergence thesis.
β€’ Son Modifies Industrial Robot to Take His Father Places Wheelchairs Can't β€” Provided as a converging signal but is unrelated to agent skill supply-chain risk; the core convergence claims therefore rest on the description text alone and are labeled hypothesis.

Actions