trust-decay-monitor

# That "Verified" Badge Is From 2024. Is the Skill Still Safe?

> Helps track the freshness of skill verification results, flagging certifications that have decayed past their useful trust window.

## Problem

A skill passes a security audit in March 2025. It gets a "verified" badge. Developers see the badge and trust it. Eighteen months later, the badge is still there — but:

- The skill's 4 dependencies have had 47 combined updates since the audit
- Two new CVEs affect the runtime version the skill targets
- The skill's API endpoint now points to a domain that changed ownership
- The marketplace added 3 new permission types that didn't exist during the original audit

The verification was real. The trust it implies is not. Security certifications have a half-life, and most agent marketplaces display them as if they're permanent.

This is trust decay: the gradual erosion of verification validity as the surrounding context changes. It's not that the audit was wrong — it's that the audit's conclusions no longer apply to the current reality.

## What This Tracks

This monitor computes a trust freshness score for verified skills:

1. **Time since verification** — Simple age of the last audit. Older = less trustworthy, with configurable decay curves
2. **Dependency churn** — How many of the skill's dependencies have updated since the audit? Each update is a potential invalidation of audit assumptions
3. **Ecosystem context changes** — New CVEs, new permission types, new attack patterns discovered since the audit date. The threat landscape the audit evaluated against may have shifted
4. **Domain and endpoint stability** — Have any external URLs, API endpoints, or resource references in the skill changed destination since verification?
5. **Re-verification gap** — How long since anyone (not just the original auditor) ran any form of security check on this skill?

## How to Use

**Input**: Provide one of:
- A skill slug or identifier with its...