Skilllibrary provenance-audit
Audit a skill or artifact's origin chain: where it came from, who authored it, what license applies, what modifications were made, and what trust level to assign. Use when evaluating external skills for adoption, auditing existing skills for license compliance, or establishing trust levels before execution. Do not use when creating new skills from scratch (provenance is 'authored here') or for trusted internal sources.
install
source · Clone the upstream repo
git clone https://github.com/merceralex397-collab/skilllibrary
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/merceralex397-collab/skilllibrary "$T" && mkdir -p ~/.claude/skills && cp -r "$T/01-package-scaffolding/provenance-audit" ~/.claude/skills/merceralex397-collab-skilllibrary-provenance-audit && rm -rf "$T"
manifest:
01-package-scaffolding/provenance-audit/SKILL.md
Provenance Audit
Audits a skill's origin chain and assigns a trust level.
Procedure
1. Identify origin type
| Origin Type | Default Trust |
|---|---|
| Created in this repo | High |
| Copied from external, modified | Medium |
| Copied from external, unmodified | Medium |
| AI-generated from requirements | Low |
| Origin unclear | Untrusted |
2. Extract provenance metadata
From SKILL.md frontmatter:
name, source, license.
From git history:
```bash
# First commit of the skill (author, date, message)
git log --follow --format="%H %an %ad %s" -- SKILL.md | tail -1
# All modifications
git log --follow --oneline -- SKILL.md
```
3. Verify source claims
If `source` claims external origin, fetch the original and compare. Pin `<original-raw-url>` to a specific commit rather than a branch head so the comparison is reproducible, and use `curl -f` so an HTTP error (for example a 404 page) fails the fetch instead of being saved and diffed as if it were the original:
```bash
# Fetch the original; -f turns an HTTP error into a failed command
curl -fsS "<original-raw-url>" -o /tmp/original.md
diff SKILL.md /tmp/original.md
# Identical → imported; different → forked (not imported); fetch failed → source unverified
```
4. Check license compatibility
| License | Category | Action |
|---|---|---|
| Apache-2.0, MIT, BSD-* | Permissive | OK for any use |
| GPL-3.0, AGPL-3.0 | Copyleft | Check derivative work implications |
| (none) | Unknown | Do not adopt — flag for manual review |
5. Assign trust level
| Origin | License OK | Source Verified | Mods Reviewed | Trust |
|---|---|---|---|---|
| authored | N/A | N/A | N/A | HIGH |
| forked | YES | YES | YES | HIGH |
| forked | YES | YES | NO | MEDIUM |
| imported | YES | YES | N/A | MEDIUM |
| generated | N/A | N/A | YES | MEDIUM |
| unknown | * | * | * | UNTRUSTED |
6. Document provenance in skill
Add provenance section to SKILL.md:
```markdown
# Provenance
- Origin: [type] from [URL or "this repo"]
- License: [SPDX]
- Modifications: [list or "none"]
- Last audit: [ISO date]
- Trust level: [HIGH|MEDIUM|LOW|UNTRUSTED]
```
Output contract
```markdown
# Provenance Audit: [skill-name]
## Origin
- Type: [authored|forked|imported|generated|unknown]
- Source: [URL or "this repo"]
- License: [SPDX]
## Trust Assessment
- License: [PASS|WARN|FAIL]
- Source verified: [YES|NO|UNABLE]
- Modifications reviewed: [YES|NO|N/A]
- Overall trust: [HIGH|MEDIUM|LOW|UNTRUSTED]
## Recommendation
[Action to take]
```
Failure handling
- Cannot reach source URL: Mark "source unverified", lower trust level
- License unclear: Flag for manual review, do not auto-adopt
- Conflicting provenance claims: Report conflict, require manual resolution
- Skill has no frontmatter: Treat as unknown origin, untrusted
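The offline part of the procedure above (frontmatter extraction from step 2, the license table from step 4, the trust matrix from step 5, the failure-handling rules, and the output contract) as one runnable script. This is an added example, not code from the skilllibrary repo. The git and network steps (step 2 history, step 3 fetch and diff) are replaced by caller-supplied results (`differs`, `mods_reviewed`) so it runs without a checkout or network access; the `source: generated` convention for AI-generated skills and the handling of matrix rows the table does not list are assumptions and are marked as such in the comments. Sample SKILL.md bodies are constructed.

```python
import re

PERMISSIVE = {"Apache-2.0", "MIT"}      # any BSD-* id is handled by prefix below
COPYLEFT = {"GPL-3.0", "AGPL-3.0"}      # SPDX -only / -or-later suffixes are stripped first
SCALE = ["UNTRUSTED", "LOW", "MEDIUM", "HIGH"]


def parse_frontmatter(text):
    """Step 2: return the key: value pairs of a leading YAML block, or None if absent."""
    m = re.match(r"\A---\r?\n(.*?)\r?\n---(?:\r?\n|\Z)", text, re.S)
    if not m:
        return None
    fm = {}
    for line in m.group(1).splitlines():
        if ":" in line and not line.lstrip().startswith("#"):
            key, val = line.split(":", 1)
            fm[key.strip()] = val.strip().strip("\"'")
    return fm


def classify_license(spdx):
    """Step 4: map an SPDX id to (category, PASS|WARN|FAIL)."""
    if not spdx:
        return "Unknown", "FAIL"
    base = re.sub(r"-(only|or-later)$", "", spdx)
    if base in PERMISSIVE or base.startswith("BSD-"):
        return "Permissive", "PASS"
    if base in COPYLEFT:
        return "Copyleft", "WARN"
    return "Unknown", "FAIL"           # unlisted id: manual review, do not adopt


def classify_origin(fm, differs):
    """Steps 1 and 3: derive the origin type from the source claim and the diff result.
    `differs` is True/False from diffing against the fetched original, or None when
    the original could not be fetched."""
    if not fm or not fm.get("source"):
        return "unknown"               # no frontmatter, or no source claim
    src = fm["source"]
    if src == "this repo":
        return "authored"
    if src == "generated":             # assumed convention for AI-generated skills
        return "generated"
    if src.startswith("http://") or src.startswith("https://"):
        if differs is None:
            return "forked"            # claim stands, but source_verified becomes UNABLE
        return "forked" if differs else "imported"
    return "unknown"                   # unrecognised claim: unclear provenance


def trust_level(origin, verdict, source_verified, mods_reviewed):
    """Step 5 matrix. Combinations the table does not list fall back to the step 1
    defaults and the failure-handling rules (assumed interpretation)."""
    if origin == "authored":
        return "HIGH"
    if origin == "unknown":
        return "UNTRUSTED"
    if origin == "generated":
        return "MEDIUM" if mods_reviewed else "LOW"   # step 1 default for generated is Low
    if verdict == "FAIL":
        return "UNTRUSTED"             # "do not auto-adopt"
    level = "HIGH" if origin == "forked" and mods_reviewed else "MEDIUM"
    if not source_verified:            # "mark source unverified, lower trust level"
        level = SCALE[SCALE.index(level) - 1]
    return level


def audit(skill_md, differs=None, mods_reviewed=False):
    """Produce the output-contract fields for one SKILL.md body."""
    fm = parse_frontmatter(skill_md)
    origin = classify_origin(fm, differs)
    fm = fm or {}
    category, verdict = classify_license(fm.get("license"))
    external = origin in ("forked", "imported")
    if external:
        verified = "YES" if differs is not None else "UNABLE"
    else:
        verified = "NO" if origin == "unknown" else "N/A"
    reviewed = "N/A" if origin in ("authored", "imported") else ("YES" if mods_reviewed else "NO")
    trust = trust_level(origin, verdict, verified == "YES", mods_reviewed)
    action = {"HIGH": "Adopt", "UNTRUSTED": "Do not adopt; resolve provenance manually"}.get(
        trust, "Adopt only after manual review")
    if verdict == "FAIL":
        action = "Flag for manual review (license unclear); do not auto-adopt"
    return {"name": fm.get("name", "(unnamed)"), "origin": origin,
            "source": fm.get("source", "unknown"), "license": fm.get("license") or "NONE",
            "license_category": category, "license_verdict": verdict,
            "source_verified": verified, "mods_reviewed": reviewed,
            "trust": trust, "recommendation": action}


def render(r):
    """Format the audit dict as the markdown output contract."""
    return (f"# Provenance Audit: {r['name']}\n## Origin\n- Type: {r['origin']}\n"
            f"- Source: {r['source']}\n- License: {r['license']}\n## Trust Assessment\n"
            f"- License: {r['license_verdict']}\n- Source verified: {r['source_verified']}\n"
            f"- Modifications reviewed: {r['mods_reviewed']}\n- Overall trust: {r['trust']}\n"
            f"## Recommendation\n{r['recommendation']}\n")


# Constructed sample inputs (not real skills).
FORKED = ("---\nname: web-recon\nsource: https://example.com/skills/web-recon/SKILL.md\n"
          "license: Apache-2.0\n---\n# Web recon\n")
NO_FRONTMATTER = "# Mystery skill\nDoes things.\n"

if __name__ == "__main__":
    print(render(audit(FORKED, differs=True, mods_reviewed=True)))
    print(render(audit(NO_FRONTMATTER)))
```

`audit()` returns the fields so they can be asserted on or written into the skill's Provenance section; `render()` emits the contract block verbatim. When the fetch in step 3 fails, pass `differs=None`: the origin claim is kept but `Source verified` becomes `UNABLE` and the trust level drops one step, which is the failure-handling rule above.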
References
- SPDX license identifiers: https://spdx.org/licenses/