Pith Number

pith:FZ7AO632

pith:2026:FZ7AO632HBV3FATAUUZ6Y44Y3P
not attested · not anchored · not stored · refs resolved

Skills as Verifiable Artifacts: A Trust Schema and a Biconditional Correctness Criterion for Human-in-the-Loop Agent Runtimes

Alfredo Metere

A skill is untrusted code until verified, so the runtime enforces verification before granting trust instead of relying on signatures or origins.

arxiv:2605.00424 v2 · 2026-05-01 · cs.CR · cs.AI · cs.MA · cs.SE

Add to your LaTeX paper
\usepackage{pith}
\pithnumber{FZ7AO632HBV3FATAUUZ6Y44Y3P}

Prints a linked badge after your title and injects PDF metadata. Compiles on arXiv.

Record completeness

1 Bitcoin timestamp
2 Internet Archive
3 Author claim open
4 Citations open
5 Replications open
Portable graph bundle live · download bundle · merged state
The bundle contains the canonical record plus signed events. A mirror can host it anywhere and recompute the same current state with the deterministic merge algorithm.

Claims

C1 · strongest claim

A skill is untrusted code until it is verified, and the runtime that loads it must enforce that default rather than infer trust from a signature, a clearance, or a registry of origin. Without skill verification, a human-in-the-loop (HITL) gate must fire on every irreversible call - which is operationally untenable and degrades into rubber-stamping at any non-trivial scale.

C2 · weakest assumption

That a verification procedure exists which can satisfy the biconditional correctness criterion when evaluated on an adversarial-ensemble exercise, thereby allowing the capability gate to restrict HITL interventions to only unverified skills.

C3 · one-line summary

Proposes a trust schema including verification levels and a biconditional correctness criterion to verify skills in human-in-the-loop agent runtimes, reducing the need for constant oversight.

References

32 extracted · 32 resolved · 6 Pith anchors

Receipt and verification
First computed 2026-05-20T00:00:40.131788Z
Builder pith-number-builder-2026-05-17-v1
Signature Pith Ed25519 (pith-v1-2026-05) · public key
Schema pith-number/v1.0

Canonical hash

2e7e077b7a386bb28260a533ec7398dbce48b5a8e7c0746c15fed57f2acf1489

Aliases

arxiv: 2605.00424 · arxiv_version: 2605.00424v2 · doi: 10.48550/arxiv.2605.00424 · pith_short_12: FZ7AO632HBV3 · pith_short_16: FZ7AO632HBV3FATA · pith_short_8: FZ7AO632
Agent API
Verify this Pith Number yourself
curl -sH 'Accept: application/ld+json' https://pith.science/pith/FZ7AO632HBV3FATAUUZ6Y44Y3P \
  | jq -c '.canonical_record' \
  | python3 -c "import sys,json,hashlib; b=json.dumps(json.loads(sys.stdin.read()), sort_keys=True, separators=(',',':'), ensure_ascii=False).encode(); print(hashlib.sha256(b).hexdigest())"
# expect: 2e7e077b7a386bb28260a533ec7398dbce48b5a8e7c0746c15fed57f2acf1489
Canonical record JSON
{
  "metadata": {
    "abstract_canon_sha256": "d2f972b2c94b933c62e4053c2b0259c857f7eb4f853dfcdb7e80ba1d1249f83f",
    "cross_cats_sorted": [
      "cs.AI",
      "cs.MA",
      "cs.SE"
    ],
    "license": "http://arxiv.org/licenses/nonexclusive-distrib/1.0/",
    "primary_cat": "cs.CR",
    "submitted_at": "2026-05-01T05:53:05Z",
    "title_canon_sha256": "596942a82eb1cbce8a681c3fb2b5e080134da0f45bfb7ea8c1707cba543e0e00"
  },
  "schema_version": "1.0",
  "source": {
    "id": "2605.00424",
    "kind": "arxiv",
    "version": 2
  }
}