agent-supply-chainlisted

Verify supply chain integrity for AI agent plugins, tools, and dependencies. Use this skill when: - Generating SHA-256 integrity manifests for agent plugins or tool packages - Verifying that installed plugins match their published manifests - Detecting tampered, modified, or untracked files in agent tool directories - Auditing dependency pinning and version policies for agent components - Building provenance chains for agent plugin promotion (dev → staging → production) - Any request like "verify plugin integrity", "generate manifest", "check supply chain", or "sign this plugin"
mouadja02/skills · ★ 3 · AI & Automation · score 66

Install: claude install-skill mouadja02/skills

# Agent Supply Chain Integrity Generate and verify integrity manifests for AI agent plugins and tools. Detect tampering, enforce version pinning, and establish supply chain provenance. ## Overview Agent plugins and MCP servers have the same supply chain risks as npm packages or container images — except the ecosystem has no equivalent of npm provenance, Sigstore, or SLSA. This skill fills that gap. ``` Plugin Directory → Hash All Files (SHA-256) → Generate INTEGRITY.json ↓ Later: Plugin Directory → Re-Hash Files → Compare Against INTEGRITY.json ↓ Match? VERIFIED : TAMPERED ``` ## When to Use - Before promoting a plugin from development to production - During code review of plugin PRs - As a CI step to verify no files were modified after review - When auditing third-party agent tools or MCP servers - Building a plugin marketplace with integrity requirements --- ## Pattern 1: Generate Integrity Manifest Create a deterministic `INTEGRITY.json` with SHA-256 hashes of all plugin files. ```python import hashlib import json from datetime import datetime, timezone from pathlib import Path EXCLUDE_DIRS = {".git", "__pycache__", "node_modules", ".venv", ".pytest_cache"} EXCLUDE_FILES = {".DS_Store", "Thumbs.db", "INTEGRITY.json"} def hash_file(path: Path) -> str: """Compute SHA-256 hex digest of a file.""" h = hashlib.sha2