🗝
Analysis & Verification
fingerprint
Discover SKILL.md files, compute SHA-256 content hashes, extract or inject watermarks, and produce a FingerprintRegistry for integrity verification, runtime detection, and deduplication.
Why it matters
When agents load skills into context, you need to know exactly which skills are present and whether they've been tampered with. Fingerprint gives every skill a unique identity — a content hash that changes when the skill changes — enabling runtime detection, integrity verification, and deduplication across environments.
What it does
- Discovers all SKILL.md files in the target directory
- Computes SHA-256 hashes for frontmatter, content body, and a combined prefix
- Extracts existing watermarks or injects new ones into skill files
- Produces a FingerprintRegistry mapping each skill to its content hashes
- Outputs results in terminal, JSON, or machine-readable formats
Usage
npx skills-check fingerprint [dir] [options]Options
| Flag | Description |
|---|---|
--output <path> | Write fingerprint registry to a file |
--inject-watermarks | Inject watermarks into skill files |
--json | Output results as JSON |
--ci | CI mode with strict exit codes |
--verbose | Show detailed processing information |
--quiet | Suppress non-essential output |
Examples
Fingerprint all skills
npx skills-check fingerprintInject watermarks
npx skills-check fingerprint --inject-watermarksJSON output to file
npx skills-check fingerprint --json --output fingerprints.jsonWhen to use this
- Before deploying skills to verify integrity
- In CI to track skill identity across builds
- For runtime telemetry integration and deduplication
Related commands
CI tip
Generate fingerprints in CI and compare against a known-good registry to detect unauthorized skill modifications. Use --inject-watermarks during build to enable runtime telemetry.