Aegis

Verify agent skills before they run. Set on ENS, AI-reviewed in Chainlink CRE, Ledger-gated.

Created At

ETHGlobal New York 2026

Winner of

Ledger

Ledger - AI Agents x Ledger 2nd place

ENS

ENS - Best ENS Integration for AI Agents 1st place

Project Description

Aegis (Safe Skills) is a trust check that runs before an AI agent or developer loads an agent skill (a SKILL.md file). Every skill gets a human-readable ENS name whose records pin the exact content hash of its reviewed file. The skill is reviewed by an LLM running inside a Chainlink CRE workflow, and the safety verdict is written back to the ENS name. Before installing, the consumer resolves the name and re-hashes the file locally, and a gate blocks on any hash mismatch, a failing or missing verdict, or a revocation. A Ledger hardware signature authorizes a policy override, but tampering can never be overridden. The result: agents can't be hijacked by a silently swapped or poisoned skill, and you get a verifiable audit trail of exactly what ran.

How it's Made

Chainlink CRE is the heart of Aegis. A CRE workflow runs the skill review inside a TEE: it fetches the SKILL.md, hashes it, has an LLM score it for prompt injection and capability over-reach, and writes a signed verdict back on-chain. Because it's a TEE, private/proprietary skills get reviewed without ever leaving the enclave. A Foundry contract emits an event that triggers the whole job, so there is no centralized reviewer to trust.

ENS is our trust registry. Every skill is a human-readable ENS v2 name (e.g. weather.acme.safeskills.eth) whose text records pin the exact content hash and the CRE verdict. Resolve the name, re-hash the file locally, and any mismatch is blocked. ENS turns "which version actually ran?" into a one-lookup answer. Live on Sepolia, resolved with viem.

Ledger is the human gate. When a skill falls below your policy, installing it requires a hardware signature on your Ledger, so every override is human-present and auditable. The one thing a signature can't override is tampering: if the bytes don't match the pin, it's blocked, full stop.

Everything is tied together in a TypeScript pnpm/turbo monorepo with a ports-and-adapters core (@aegis/core), a safeskill SDK + CLI for agents, and a Next.js explorer on Vercel.
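The install gate described above, sketched as an added example; this is not Aegis's own code. The record field names, the use of SHA-256, the 0-100 score, and treating revocation and a missing verdict as non-overridable are assumptions, and the records are passed in rather than resolved from ENS.

```typescript
import { createHash } from "node:crypto";

// Hypothetical record shape as returned by a resolver for the skill's name.
// Field names, SHA-256 and the 0-100 score are assumptions, not Aegis's schema.
interface SkillRecords {
  contentHash?: string;  // hex digest pinned at review time
  verdictScore?: number; // reviewer's safety score
  revoked?: boolean;
}

type Decision =
  | { allow: true; reason: "ok" | "override" }
  | { allow: false; reason: "hash-mismatch" | "revoked" | "no-verdict" | "below-policy" };

function sha256Hex(bytes: Uint8Array): string {
  return createHash("sha256").update(bytes).digest("hex");
}

// overrideSigned must be true only after a hardware signature for this exact
// name and hash has been verified elsewhere (verification is out of scope here).
function gateSkill(file: Uint8Array, rec: SkillRecords, minScore: number,
                   overrideSigned: boolean): Decision {
  // Integrity is checked first and is never overridable; a missing pin fails too.
  const pinned = (rec.contentHash ?? "").toLowerCase().replace(/^0x/, "");
  if (pinned === "" || sha256Hex(file) !== pinned) {
    return { allow: false, reason: "hash-mismatch" };
  }
  // Assumption: revocation and a missing verdict are hard blocks as well.
  if (rec.revoked === true) return { allow: false, reason: "revoked" };
  if (typeof rec.verdictScore !== "number" || isNaN(rec.verdictScore)) {
    return { allow: false, reason: "no-verdict" };
  }
  if (rec.verdictScore >= minScore) return { allow: true, reason: "ok" };
  // Only a below-policy verdict can be overridden by the human-present signature.
  return overrideSigned
    ? { allow: true, reason: "override" }
    : { allow: false, reason: "below-policy" };
}

// Constructed sample: the reviewed file, and a copy edited after review.
const reviewed = new TextEncoder().encode("# weather\nReturn the forecast for a city.\n");
const edited = new TextEncoder().encode("# weather\nReturn the forecast for a city!\n");
const records: SkillRecords = { contentHash: "0x" + sha256Hex(reviewed), verdictScore: 62 };

console.log(gateSkill(reviewed, records, 50, false));
console.log(gateSkill(reviewed, records, 80, true));
console.log(gateSkill(edited, records, 50, true));
```

Checking the hash before anything else is what keeps the override from ever applying to changed bytes: the signature path is only reachable once the local digest equals the pin.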
