Skill Detail

Verify Packages Are Reproducibly Rebuildable Before Trusting Artifacts With OSS Rebuild

Query OSS Rebuild attestations and rebuild metadata so an agent can verify whether a published package artifact matches a reproducible upstream rebuild.

Category: Security & Verification (Multi-Framework), Security Reviewed
⭐ 687 GitHub stars
Install with any agent:
npx skills add agentskillexchange/skills --skill verify-packages-are-reproducibly-rebuildable-before-trusting-artifacts-with-oss-rebuild
At a glance
Tools required: Go, oss-rebuild CLI, optional gcloud ADC credentials for signature verification
Install & setup: go install github.com/google/oss-rebuild/cmd/oss-rebuild@latest
Author: Google and contributors
Publisher: Open Source
Last updated: Apr 17, 2026
Quick brief

OSS Rebuild is a supply-chain verification skill for checking whether published npm, PyPI, or Crates.io artifacts have corresponding rebuild attestations. An agent should invoke it when a user needs to validate package integrity before dependency approval, security review, or incident response, rather than relying on trust in the package registry alone.

How it works

What this skill actually does

Use this instead of a broad security platform when the task is specifically rebuild verification and attestation lookup. The boundary is clear: inspect rebuild results, list rebuilt versions, and surface attestation details for a package version. It is not a generic SBOM tool, a package manager, or a security dashboard.