AI Summary
Current large language model (LLM) skills lack reliable isolation from trusted instructions at runtime, and their executable components may inadvertently trigger privileged operations, rendering them vulnerable to injection, tampering, and "rug-pull"-style supply-chain attacks. To address this, this work proposes SIGIL, a framework that establishes the first end-to-end cryptographically bound security mechanism spanning skill publication to execution. SIGIL leverages a decentralized on-chain registry to host skills, enforces permission manifests and integrity checks via an embedded verifiable loader, and incorporates a DAO-based audit committee with a staking-based penalty model. Supporting four skill publication types and pluggable auditing methods, the system demonstrates robust defense against six attack classes across 1,023 real-world skills, achieving batch verification latency under 86 milliseconds while maintaining high security and practical performance.
Abstract
Large language model (LLM) ecosystems such as Claude Code and ChatGPT increasingly rely on skills: packages of natural-language instructions and executable tools. Once in the LLM's context, skill content cannot be reliably separated from trusted instructions, and a skill's executable side can invoke privileged actions, exposing the skill supply chain to injection, tampering, and rug-pull attacks. Existing defenses are stage-bound: centralized signing, audit reports unbound from the runtime artifact, or policy engines that cannot attest to what was approved. We present SIGIL, the first framework that seals the audit-runtime gap for LLM skills. SIGIL delivers verifiable hosting through a tamper-evident, decentralized on-chain registry from which LLMs fetch skills directly. The registry admits four publication types, Transparent, Licensed, Sealed, and Committed, spanning plaintext public distribution, monetized access, custodial use, and off-chain workflows; before admission, every skill is vetted by a Decentralized Autonomous Organization (DAO) audit committee that supports pluggable auditing methods under a stake-and-slash economic model. At load time, SIGIL delivers verified loading through a skill verification protocol executed by a Skill Verification Loader (SVL) embedded as the mandatory loading path: the SVL retrieves and decrypts the skill as its type requires, verifies its integrity against the on-chain record, and enforces its permission manifest before context injection. We evaluate SIGIL on a real-world deployment against 1,023 in-the-wild skills spanning six attack types. At load time, the SVL verifies each skill's integrity against its on-chain record and enforces its approved permission manifest, completing batched verification under 86 ms. Together, these results show that LLM skills can be cryptographically bound from publication through runtime at practical cost.
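As an added illustration, not SIGIL's own code (the paper's registry schema and protocol messages are not given here), the following Python sketches the load-time path the abstract describes: the fetched artifact is hashed against a constructed stand-in for the on-chain record, and tool calls are gated by the approved permission manifest, so a tampered (rug-pulled) artifact is refused before context injection and an out-of-manifest call never reaches the privileged tool. The skill id, tool names and registry shape are assumptions.

```python
import hashlib
import json

# Constructed stand-in for an on-chain registry record (illustrative; not
# SIGIL's real schema). It binds the artifact hash to the permission set the
# audit committee approved, so neither can drift after audit.
APPROVED_ARTIFACT = json.dumps({
    "instructions": "Summarize the CSV file the user names.",
    "permissions": ["fs.read"],
}, sort_keys=True).encode()
REGISTRY = {"csv-summarizer": {
    "sha256": hashlib.sha256(APPROVED_ARTIFACT).hexdigest(),
    "approved_permissions": {"fs.read"},
}}
# Constructed runtime tools; in a real host these are the privileged actions.
TOOLS = {"fs.read": lambda a: f"<contents of {a}>",
         "shell.exec": lambda a: f"<ran {a}>"}


class PermissionDenied(Exception):
    pass


def verify_skill(skill_id, artifact):
    """Check the fetched artifact against its registry record; ValueError on mismatch."""
    record = REGISTRY.get(skill_id)
    if record is None:
        raise ValueError("skill not in registry")
    if hashlib.sha256(artifact).hexdigest() != record["sha256"]:
        raise ValueError("artifact hash does not match on-chain record")
    return record["approved_permissions"]


def make_gated_dispatcher(approved):
    """Runtime enforcement: tool calls outside the approved manifest never reach the tool."""
    def call(tool, arg):
        if tool not in approved:
            raise PermissionDenied(f"{tool} not in approved manifest")
        return TOOLS[tool](arg)
    return call


def load_skill(skill_id, artifact):
    """Mandatory loading path: verify first, then inject instructions with a gated dispatcher."""
    approved = verify_skill(skill_id, artifact)
    return json.loads(artifact)["instructions"], make_gated_dispatcher(approved)
```

A skill whose artifact was swapped after audit fails the hash check, and a skill that tries to escalate to a tool outside its approved manifest is stopped at dispatch rather than at the privileged operation.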