Decentralized Agent Skill Marketplace Architecture

by Nick Clark | Published April 25, 2026

Anthropic Skills, the OpenAI GPT Store, the Hugging Face Hub, Google Vertex AI Extensions, and Microsoft Copilot Studio are each constructing the same architectural object under different commercial names: a marketplace in which third-party authors publish runtime adaptation artifacts that modify base-model behavior, and consumers admit those artifacts into agent inference. The EU AI Act (Article 53 GPAI provider obligations and Article 25 distributor duties), the NIST AI 100-2 adversarial taxonomy of supply-chain attacks against ML systems, and Executive Order 14110 reporting thresholds for dual-use foundation models all converge on the same architectural requirement — cryptographic skill-to-authority binding with revocation and audit-grade lineage. The platforms are reconstructing this primitive ad hoc, per platform, with structural gaps. The AQ llm-skill-gating primitive provides it as a single decentralized substrate.


Regulatory Framework

Skill marketplaces sit at the intersection of three converging regulatory regimes. The EU AI Act, which entered phased application across 2025–2027, treats general-purpose AI model providers as gatekeepers under Article 53: they must publish technical documentation, summaries of training content, copyright-compliance policies, and — critically for marketplaces — evaluations of systemic risk where applicable models are placed on the EU market. Article 25 imposes distributor obligations: any party making an AI system available on the EU market must verify that the upstream provider has met its obligations and that conformity markings, instructions, and authorized-representative chains are intact. A skill marketplace that lets third-party authors publish artifacts modifying agent behavior is, under Article 25's plain reading, a distributor of AI system components — and the platform inherits verification duties for every artifact transiting its surface.

NIST AI 100-2 (the second edition of the adversarial machine-learning taxonomy, finalized 2025) catalogs supply-chain attack classes that map directly onto skill marketplaces: poisoned skill artifacts, dependency-confusion attacks against skill manifests, authority impersonation, and post-publication artifact substitution. The taxonomy is the controlling reference for federal procurement reviews under FedRAMP and DoD CMMC alignment, and it explicitly frames the supply-chain integrity question as one of cryptographic provenance and revocation rather than reputation gating. Executive Order 14110 (still in force in modified form through the 2026 reauthorization) requires reporting on dual-use foundation model development above defined compute thresholds; skills that meaningfully extend the capability surface of a dual-use model fall within the reporting perimeter once the model-plus-skill composition crosses a threshold that the underlying model alone does not.

Underneath these is the long-running principle of model-card transparency — formalized in the original Mitchell et al. (2019) work, embedded in Hugging Face Hub conventions, and now load-bearing under EU AI Act technical-documentation requirements. A skill is, architecturally, a behavioral delta against a base model; the model-card discipline therefore extends naturally to skill-cards, but only if the marketplace can bind a skill-card to the artifact it describes with cryptographic guarantees that survive distribution, mirroring, and offline deployment. None of the major commercial marketplaces currently provides that binding as an architectural property.

Architectural Requirement

A regulator-defensible skill marketplace must provide six architectural elements. First, an authoring-authority credential system: each skill publisher must hold a credential that is cryptographically distinct, revocable, and chained to a recognized governance root (a sovereign regulator, a sectoral certification body, an enterprise CA, or a federation operator). Second, artifact-to-authority binding: every published skill must carry a signature that binds its content hash, its declared capability surface, its declared dependencies, and its skill-card to the publishing authority's credential. Third, consumer-side admissibility: the consuming agent must evaluate, per inference, whether the authority behind a skill is admitted under the consumer's policy — not whether the platform admits it.

Fourth, dependency lineage and cascade revocation: skills compose, depend on shared library artifacts, and inherit trust from upstream models. When any link in that chain is revoked, every downstream artifact that depended on it must be deactivated structurally, not by manual incident response. Fifth, activation lineage: every activation of a skill against an inference must produce a credentialed observation that records which authority gated the activation, which policy was in force, what the consumer's admissibility decision was, and what the post-activation verification produced. Sixth, cross-authority composition: a single agent transaction frequently spans multiple skill authorities (a medical-credentialed reasoning skill composed with an enterprise workflow skill composed with a base-model vendor's safety skill); admissibility must compose across authorities without requiring a single root that all parties trust.

Why Procedural Compliance Fails

The dominant compliance posture across commercial skill marketplaces today is procedural: a publisher signs Terms of Service, the platform performs human review of submissions, the platform displays a verification badge, and the platform reserves the right to delist. This posture fails the regulatory framework above on every axis. Procedural review does not produce cryptographic provenance — when an EU AI Act audit asks who signed a specific deployed artifact, the answer is "the platform attests it came from publisher X," which is reputation, not evidence. Procedural review does not survive mirroring or offline distribution; the moment a skill leaves the platform's serving surface (enterprise on-prem, air-gapped deployment, sovereign cloud), the verification badge disappears and the artifact arrives unauthenticated.

Procedural revocation produces the supply-chain attack class that NIST AI 100-2 catalogs. A platform delists a malicious skill at T+0; consumers who fetched it before T+0 continue executing it because the platform's revocation is a UI change, not an enforced cryptographic property at the consumer. Dependency cascades fail similarly: when a foundational library skill is revoked, the platform has no structural mechanism to identify and deactivate the dozens of downstream skills that incorporated it — incident response becomes a forensic exercise across publisher logs. Cross-platform portability is impossible by construction; a skill admitted under Anthropic Skills carries no transferable evidence of that admission to OpenAI's GPT Store, so independent authors must re-litigate trust on every platform, and consumers cannot move workloads without losing the trust posture they relied on. Sovereign and regulated deployments — defense, healthcare, financial, expeditionary — are excluded entirely, because the procedural mechanism depends on the platform's continuous network presence as the verification authority. Each platform is, in effect, asking regulators to accept its operational reputation as a substitute for the cryptographic supply-chain controls that NIST, the EU, and federal procurement increasingly require.

What the AQ Primitive Provides

The AQ llm-skill-gating primitive provides cryptographic skill-to-authority binding as a structural property of the artifact rather than a property of any platform's serving surface. An authoring authority issues a credential anchored in a recognized governance root. The authority signs each published skill artifact such that the signature binds the artifact content, the declared capability surface, the dependency manifest, and the skill-card to the authority's credential. The signature travels with the artifact through any distribution channel — direct download, mirror, federated cache, sneakernet, sovereign on-prem — and the consumer verifies it independently of the original distribution path.

The consumer side runs admissibility-as-router. Rather than a platform deciding which skills are activatable, the consuming agent evaluates a credentialed governance policy against the artifact's authority chain at inference time. The consumer admits authorities (a medical regulator, an enterprise CA, a sectoral certification body) into its policy; activation proceeds only when an artifact's authority chain composes admissibly under that policy. Revocation is enforced cryptographically through short-lived credential epochs and revocation observations that propagate through the mesh; consumers gate activation on the freshness of the authority's credential, so a revoked authority's artifacts deactivate structurally at the next epoch boundary regardless of whether any platform mediates the consumer's connection. Dependency cascades operate by the same mechanism: each artifact's signature includes its dependency manifest, and admissibility evaluates the full transitive closure, so revocation of a foundational artifact deactivates every dependent without manual response. Every activation emits an audit-grade credentialed observation that captures the authority chain, the policy in force, the admissibility decision, and any post-activation verification — producing the lineage that EU AI Act technical documentation, NIST AI 100-2 supply-chain integrity, and federal post-incident reconstruction all separately require.
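As an added illustration (not AQ's own code or wire format) of the authority-side binding and the consumer-side admissibility-as-router described here, and of the six elements listed under Architectural Requirement: a Go sketch in which an Ed25519 signature binds a skill's name, authority, skill-card, content hash, capability surface and dependency manifest, and the consumer verifies the full transitive closure against its own policy with epoch-based revocation. The Skill and Policy types, their field names, the JSON binding layout and the epoch model are assumptions made for the sketch.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Skill is the hypothetical signed unit; Sig covers every other field (see bound).
type Skill struct {
	Name, Authority, Card string   // Card stands in for the skill-card text
	Content               []byte   // artifact bytes; only their SHA-256 is signed
	Caps, Deps            []string // declared capability surface and dependency manifest
	Sig                   []byte
}
// bound serialises exactly what the signature binds: name, authority, skill-card, content hash, caps, deps.
func bound(s Skill) []byte {
	h := sha256.Sum256(s.Content)
	b, _ := json.Marshal([]any{s.Name, s.Authority, s.Card, h[:], s.Caps, s.Deps})
	return b
}
// Sign is the authority-side step: bind the manifest to the publisher's key.
func Sign(priv ed25519.PrivateKey, s Skill) Skill { s.Sig = ed25519.Sign(priv, bound(s)); return s }
// Policy is the consumer's admission policy; a revoked authority never renews for the current epoch, so its artifacts go stale.
type Policy struct {
	Keys    map[string]ed25519.PublicKey // admitted authorities
	Renewed map[string]int               // latest epoch each authority renewed its credential for
	Now     int                          // consumer's current epoch
}
// Admissible checks a skill and its transitive dependency closure; an unknown authority, stale credential, bad signature or missing dependency refuses activation.
func (p Policy) Admissible(name string, reg map[string]Skill, seen map[string]bool) bool {
	if seen[name] { return true } // already on the verification path (dependency-cycle guard)
	seen[name] = true
	s, ok := reg[name]
	pub, admitted := p.Keys[s.Authority]
	if !ok || !admitted || p.Renewed[s.Authority] < p.Now || !ed25519.Verify(pub, bound(s), s.Sig) {
		return false
	}
	for _, d := range s.Deps {
		if !p.Admissible(d, reg, seen) { return false }
	}
	return true
}
func main() { // constructed demo: admitted at epoch 1, refused once lib-ca has not renewed for epoch 2
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	reg := map[string]Skill{"lib": Sign(priv, Skill{Name: "lib", Authority: "lib-ca", Content: []byte("demo")})}
	p := Policy{Keys: map[string]ed25519.PublicKey{"lib-ca": pub}, Renewed: map[string]int{"lib-ca": 1}, Now: 1}
	fmt.Println(p.Admissible("lib", reg, map[string]bool{}), Policy{p.Keys, p.Renewed, 2}.Admissible("lib", reg, map[string]bool{}))
}
```

Because Caps and Deps are inside the signed bytes, widening a skill's capability surface or editing its dependency manifest after publication fails verification just as substituting the content does; the epoch check is what turns an authority's non-renewal into structural deactivation of everything downstream.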

Compliance Mapping

The mapping to the converging regulatory regimes is direct. EU AI Act Article 53 GPAI obligations on technical documentation and risk evaluation are satisfied at the artifact layer by the signed skill-card bound to the authoring authority's credential; Article 25 distributor verification reduces to verifying the upstream signature chain rather than re-attesting reputation. NIST AI 100-2 supply-chain attack classes — poisoning, dependency confusion, authority impersonation, post-publication substitution — are each blocked by structural properties of the binding: poisoning requires a forged signature, dependency confusion requires forging a manifest entry, impersonation requires compromising the authority's credential root, substitution requires breaking the content hash. Each is reduced to the underlying cryptographic problem rather than left to procedural detection.

Executive Order 14110 dual-use reporting on capability-extending skills is supported by the audit-grade activation lineage: the credentialed observations record exactly which model-plus-skill compositions executed at which compute scales, producing the structural evidence reporting requires. Model-card transparency under EU AI Act technical-documentation rules is supported by the signed skill-card binding. FedRAMP and CMMC supply-chain integrity controls reduce to verifying the consumer's admission policy and the freshness of the revocation epoch. Sovereign and air-gapped deployments — historically excluded from the skill economy because procedural mechanisms require platform connectivity — gain participation, because the binding and admission are properties of the artifact and the policy, not of any platform's network presence.

Adoption Pathway

Adoption follows the regulatory pressure gradient. Independent skill authors integrate the primitive first because it removes the per-platform integration tax: a single signed artifact reaches consumers across Anthropic, OpenAI, Google, Microsoft, Hugging Face, and sovereign deployments without re-litigating trust on each. Sectoral authorities (medical certification bodies, financial regulators, defense accreditation authorities) adopt next because the credential structure lets them gate sector-specific skill admission with their own root rather than delegating to commercial platforms. Enterprise consumers adopt because the admission policy lets them centralize skill governance across the heterogeneous agent platforms their lines of business deploy.

Commercial platforms adopt last and selectively, integrating the primitive as a verification-and-distribution layer beneath their existing serving surface — preserving their distribution role while shedding the structural compliance burden that EU AI Act distributor duties and NIST AI 100-2 supply-chain controls place on operator-mediated marketplaces. The end state is a skill economy in which authority and admission are cryptographic, distribution is plural, and platform operators are optional intermediaries rather than required gates. The AQ primitive provides the architectural substrate that the regulatory framework is independently converging on, ahead of the consolidation pressure that the framework will produce.

Invented by Nick Clark. Founding investors: Anonymous, Devin Wilkie.