An economic trust signal for AI agent skills.
Developers stake real capital and declare permissions on-chain. Agents query stake, scope, and history to make autonomous trust decisions. Registry is permissionless; slashing is progressively decentralized (committee → arbitration), because fully decentralized slashing on day one is gameable.
No trust layer exists. Every current approach is centralized or free to fake. Neither works for autonomous agents making millisecond decisions.
| Approach | Central Authority? | Cost to Fake | Real-time? | Scales? |
|---|---|---|---|---|
| App Stores | Yes | Low | No (review queue) | No |
| Audits | Yes | Medium (one-time) | No (point-in-time) | No |
| Reputation | No | Zero | Sort of | Gaming scales too |
| SkillBond | No | Real capital at risk | Yes (cached) | Permissionless |
Static trust is wrong. A skill safe for weather is not safe for wallets. SkillBond composes three signals into contextual, queryable trust.
How much capital will the developer lose? The bond stays at risk for the skill's entire lifetime — continuous accountability, not point-in-time. During withdrawal (7-day cooldown), skill status changes to WITHDRAWING — agents see this and can stop loading. V2 roadmap: yield-bearing bonds via vetted lending protocols; DeFi composability risk acknowledged as a tradeoff. Roadmap
A structured on-chain declaration: data reads, API calls, filesystem writes, cost. The manifest is immutable and auditable. Violations that meet the defined evidence standard become slashable events. Economic enforcement, not runtime enforcement — the manifest records what was declared, with real capital behind it.
Scopes + economic penaltyTime without incident. Agent-load count. Prior slashing events. History compounds into reputation anchored to capital. History reduces unknown risk but does not eliminate targeted, high-value attacks — agents should raise thresholds by task criticality. Recommended pattern: weight recent history more heavily than lifetime, and re-evaluate trust when a skill's declared permissions change.
Track recordStake alone is gameable by well-funded attackers. Permissions alone are cheap talk. History alone is a cold-start problem. The composition creates a robust trust signal. An agent might require ≥$5K stake AND ≤2 permissions AND ≥6 months history for finance — but accept $100 with any clean history for a weather query. Context shapes the threshold. The agent decides.
The full lifecycle. Skill registration with manifest, agent discovery with cached lookups, policy-based rejection, and a slash triggered by a verifiable manifest violation.
The evidence standard is the protocol's most important design surface. Slashing is only triggered when evidence meets an explicit, published verification standard. This standard evolves.
Manifest breach: skill declared writes: none but verifier demonstrates egress to unauthorized endpoint. Evidence: signed monitor report or deterministic reproduction steps submitted on-chain.
Hard-coded exfil/backdoor: signature-based detection of known malicious patterns. Evidence: code hash + pattern match.
NOT slashable: stochastic errors, hallucinations, bad output quality, performance issues, or any behavior requiring subjective judgment. These are reputation signals only.
Reviewed by transparent committee with published criteria. Decisions and evidence posted on-chain. Unfair slash? Explicit appeals mechanism: developer posts appeals bond; if appeal succeeds, capital restored from insurance fund, original decision overturned on-chain.
Sandbox traces: attested execution traces from TEE / deterministic runner proving manifest violation.
On-chain attestations: approved monitoring infrastructure submitting signed attestations of observed behavior.
zk-proof: zero-knowledge proof of manifest violation (longer-term research).
Arbitration: transition from committee to decentralized arbitration (Kleros-compatible).
No central authority. More stake × more time × cleaner history = higher tier. Tiers are defaults — agents enforce policy-based thresholds and may require stake to scale with permission risk (e.g., network-unrestricted requires 10×). Sponsorship bonds let backers boost promising skills. Live
| Tier | Min Stake | Min Age | Signal |
|---|---|---|---|
| × Revoked | — | — | Unregistered or slashed. Do not load. |
| • Basic | $25 USDC | 0 days | Entry-level bond. New devs start here. Low-risk tasks. |
| ♦ Standard | $500 USDC | 30 days | Serious commitment. Most agents should require this. |
| ★ Premium | $10,000 USDC | 90 days | Maximum trust. Financial ops, critical infrastructure. |
Every queryTrust call costs 0.05 USDC. Fees split automatically on-chain — skill owners earn for building trusted skills, while the protocol funds its own insurance layer.
| Action | Cost | To Skill Owner | To Insurance |
|---|---|---|---|
| queryTrust(skillId) | 0.05 USDC | 70% (0.035) | 30% (0.015) |
Agents pay per trust query. High-traffic skills generate meaningful revenue for their developers. 1,000 queries/day = $35/day to the skill owner. The protocol self-funds its insurance pool from the 30% cut — no external subsidy needed.
Accumulated query fees are claimable anytime via claimFees(skillId). No lockup, no vesting. Build a trusted skill, maintain it, earn from every agent that queries it. Staking becomes an investment, not a cost.
We asked: if you are an autonomous agent with 5,000 USDC in your wallet, why would you downvote SkillBond? Here are the honest objections and our mitigations.
10 skills = 5,000 USDC locked and idle. That is capital not used for arbitrage, trading, or compute. Every day bonded is yield left on the table. Agents optimize for capital efficiency.
Yield-bearing bonds. Roadmap Integrates Aave/Compound so bonded USDC earns interest while staked (vetted, battle-tested lending protocols only — DeFi composability risk acknowledged). Until integration ships, bonds are withdrawable with a 7-day cooldown. During cooldown, skill status changes to WITHDRAWING, visible to all agents — any sane policy stops loading a skill whose developer is pulling capital. No silent rug-pulls.
A competitor spins up a disposable wallet, posts a small whistleblower bond, and flags me before a market event. They lose a small bond but I get a risk signal attached during a critical window.
Whistleblower bond = 50% of target's stake. Live Flagging a $1,000-staked skill costs $500 upfront. If the flag is rejected, the whistleblower gets slashed. Griefing is EV-negative. Flag adds a risk signal — agents weight it per own policy. Verifier quorum requires distinct bonded identities (not anonymous wallets); verifiers maintain their own stake slashed for false flags. Collusion risk is addressed by committee review against the published evidence standard.
My skill hallucinates at temperature 0.7. Someone flags it as "data exfiltration." The admin agrees. I get slashed for a stochastic error that every LLM produces. Subjectivity in slashing is a protocol-killer.
Defined evidence standard. Live SkillBond slashes only for rule-based violations under an explicit evidence standard: (1) manifest violations with reproducible evidence — signed monitor report or deterministic reproduction, (2) hard-coded exfil/backdoor matching signature-based rules. Stochastic errors and hallucinations are explicitly excluded. Subjective concerns become reputation signals, not slashing events. V2 roadmap: attested sandbox traces and on-chain attestations. Roadmap
Base RPC latency is 200-500ms. Chaining 10 skills adds 2-5 seconds. In arbitrage, that means losing the race. An agent will route around any trust layer that makes it slower.
Local cache with event subscription. Live SDK syncs the trust registry via event subscription (new registrations, slashing, revocations) plus periodic full sync (configurable, default 1h). Cache hit is memory-speed (sub-ms to low-ms depending on runtime and skill count). Cache miss falls back to RPC with ~200-500ms latency. Agents choose their staleness tolerance.
Only established agents can afford $10K Premium bonds. Innovative lean agents get stuck at Basic and are ignored. The protocol becomes a moat for incumbents, not a meritocracy.
Sponsorship bonds. Live Third parties can co-stake USDC on any skill via sponsorSkill(skillId, amount). Sponsored capital counts toward tier thresholds — a $25 self-stake + $475 sponsor = Standard tier. Sponsors share slashing risk: if the skill is slashed, sponsor capital is slashed too. Withdrawable after 7-day cooldown via withdrawSponsorship(). Solves the capital barrier: DAOs, accelerators, or backers can boost promising skills without the developer needing $10K upfront.
Credibility comes from precision, not overclaiming. Here is exactly what SkillBond provides today and what remains outside its scope.
claimFees().Forks can copy code and mirror public data, but cannot instantly replicate integrations, defaults, and the social/economic Schelling point of where agents check trust.
$25K staked across 15 skills with 18 months clean history. A fork can mirror state, but rebuilding that history takes 18 months. Coordination cost of migration increases monthly.
10,000 agents querying SkillBond = devs must be on SkillBond. Classic two-sided network: devs go where agents are, agents go where devs are. First to critical mass wins disproportionately.
Slashing events, permission violations, cross-skill patterns, agent loading decisions. Dataset grows superlinearly. Fork starts at zero. Data enables increasingly sophisticated trust scoring over time.
Once SkillBond is the default trust check in LangChain, CrewAI, AutoGPT — removing it requires active effort. Defaults are extraordinarily sticky in developer tooling. The goal: ship in the box.
Every protocol claims security, decentralization, and trustlessness. Most are overclaiming on at least one. Here are our actual failure modes and plans for each.
An attacker with $100K can stake, build history, then exploit. If the exploit is worth $10M, the slash is a business cost.
A skill declaring "read-only" that secretly writes data is not caught by the protocol itself — only by verifiers and monitoring tools.
50 skills and 200 agents is not useful. 50,000 skills and 2M agents is a standard. The gap is the existential risk.
Centralized slashing is capturable. Unfair slashes destroy developer trust and capital with no recourse.
"Observed egress" depends on who observed and how. Without attested execution, evidence is a claim, not a proof.
Every design choice trades something. Here is what we chose, what we gave up, and why.
Native tokens create circular incentives and invite speculation that distorts trust signals. USDC means $10K staked is $10K at risk. No ambiguity. Governance token may come later — the trust layer stays stable-denominated.
Anyone can register. Low-quality skills will exist. Quality filtering happens agent-side — the registry is a neutral data layer. Credible neutrality avoids governance capture from curation.
Stake, permissions, history. More sophisticated models are possible — we ship simple and auditable first. Premature sophistication in trust models creates systems nobody trusts.
Low fees, Coinbase ecosystem, growing agent activity. Cross-chain trust aggregation introduces bridge risk. Solve it when there is actual demand, not for theoretical interoperability.
Three phases. Phase 1 metric is bonded skills, not revenue. Phase 3 emerges from sufficient adoption, not marketing campaigns.
The cold-start is the existential risk. The specific wedge: (1) Start with MCP tool registries — concentrated community of skill devs with no existing trust layer, small surface area, high signal. (2) Drop-in SDK with pre-built policy templates for common tasks (weather, calendar, finance) — one function call to integrate. (3) Incentivize early verifiers with bounty pool for first 100 verified skills; verifier staking creates a self-sustaining audit market once bootstrapped.
Target the long tail of skill devs who have no way to signal trust. Open-source SDK, $25 min stake, frictionless CLI. Focus on 1-2 ecosystems first.
Lightweight trust-check for LangChain, CrewAI, AutoGPT. One function call, no vendor lock-in. Become default-on in 2+ frameworks.
Agents without SkillBond look negligent. Investors ask "do you use it?" Insurance layers reference bonded status. This phase emerges from adoption, not mandates.
Makes trust expensive to fake and cheap to verify. Three signals. Defined evidence standard. Progressive decentralization. Every objection addressed.