GitHook Litepaper: a decentralized publish-and-earn layer for AI skills.

GitHook is a decentralized marketplace for AI skills. The protocol enables developers to publish AI agent capabilities in a format compatible with the Anthropic Skills standard, and to receive direct compensation from users via wallet-to-wallet $ETHtransfers on Base L2. The protocol is open source under MIT license, requires no platform account or API key for use, and structurally guarantees that 100% of tip value reaches the creator with no protocol fee.

The reference implementation consists of four primary components: (i) an open-source command-line interface, githook, written in TypeScript on the Bun runtime; (ii) a content-addressed skill registry; (iii) a security gateway with automated review and trust scoring; and (iv) an on-chain settlement layer on Base. Premium model access (Claude Opus 4.7) is provided at no cost to users, with infrastructure expenses covered server-side by the protocol treasury.

This document presents the protocol architecture, the economic model, the security model, the architectural guarantees, the current implementation status, known risks, and the strategic outlook.

1.1 The skill economy

In 2025, the SKILL.md format emerged as a working standard for AI agent capabilities. A skill, in this context, is a structured instruction file that augments a language model with domain-specific knowledge, conventions, or executable operations. Skills compose: an agent loading multiple skills inherits the combined capability set.

The economic significance of well-authored skills became measurable. A skill that encodes team conventions, framework expertise, or specialized review logic produces material productivity gains for the user, and aggregate value across all users that install it.

1.2 The absence of a payment layer

Despite the emergent value of skills, no payment infrastructure exists for their creators. Existing distribution platforms fall into four categories, each with structural limitations.

The deeper structural issue: when a user invokes a skill, no on-chain or off-chain link exists between the invocation event and the author identity. Settlement at the protocol layer is therefore impossible under existing infrastructure.

1.3 The opportunity

The primitives required to construct a settlement layer for skills are mature. Base L2 provides sub-cent transaction costs and second-level finality. Ed25519 keypairs provide portable cryptographic identity at zero cost. Sign-In With Ethereum (EIP-4361) enables wallet binding without password infrastructure. Combined, these primitives enable the settlement layer that GitHook implements.

The protocol operates on a single architectural principle:

The implication: a tip is a direct $ETHtransfer from the tipper's wallet to the creator's wallet, with no smart contract intermediary holding funds. The protocol cannot retain a fee because the protocol is not in the transaction path.

The protocol consists of four monetary or content components:

• The CLI (githook), open source under MIT.
• The skill format (SKILL.md), compatible with the Anthropic Skills standard.
• The skill registry, content-addressed and signed.
• The settlement layer, direct $ETH transfers on Base.

The protocol also operates two non-monetary infrastructure functions:

• A security gateway that scores skills at publish time.
• A proxy layer that routes user requests to appropriate models and bills the protocol rather than the user.

3.1 The CLI

githookis a terminal-based AI coding agent supporting macOS and Linux. It is licensed MIT and distributed via the project's public installer. The functional surface includes file editing, code execution, git integration, MCP server support, slash commands, hooks, persistent memory, and plan mode.

All API requests originate from githook and target a single endpoint at api.githook.ai/v1/chat. The proxy server routes each request to the appropriate underlying model based on task classification, with premium reasoning routed to Claude Opus 4.7 and lighter tasks routed to smaller models. Requests are signed end-to-end with the user's Ed25519 private key.

Configuration, conversation history, identity material, hooks, and memory are persisted locally under ~/.githook/. No personally identifying information is retained server-side beyond what is required for signed-request verification and per-wallet rate limiting.

3.2 The skill format

A skill is defined as a markdown file containing a YAML frontmatter manifest and an optional executable code segment. The manifest extends the Anthropic Skills standard with a single additional field: wallet, which specifies the creator's tip destination address.

The complete manifest schema includes: name, title, description, category, tags, version, license, author, wallet, tip_enabled, entrypoint, runtime, permissions, credentials, depends_on, and min_cli_version.

Skills are content-addressed and signed with the author's Ed25519 private key at publish time. The signature is verified by the registry at publish and by the CLI at install.

3.3 The registry

The registry maintains the canonical version history of all published skills. Each version is immutable once accepted. A duplicate-version guard at the publish gate prevents silent overwrites.

The registry exposes two primary interfaces: a CLI surface (githook skills, githook skills install) and a web surface. Skills are surfaced by category, by trust score, and by install count.

3.4 The settlement layer

A tip is initiated by the user with the /tipcommand. The CLI reads the creator's wallet address from the verified manifest, prepares an $ETHtransfer transaction on Base, and submits it to the user's wallet for signature.

Settlement properties:

• Single-block confirmation
• 100% of value transferred to creator address
• No intermediate contract custody
• No batching, escrow, or holding period
• Destination address fixed by signed manifest, not selectable by the protocol

4.1 Tip flow

Tip transactions are wallet-to-wallet $ETH transfers on Base. Creators receive 100% of tipped value. The protocol receives 0%. This property is structural, not policy-based, and is enforced at the transaction level.

4.2 Free tier

The githook CLI is provided to users at no cost, without payment, account creation, or API key procurement. Premium model access (Claude Opus 4.7) is included at no marginal cost to the user. A per-wallet daily quota, indexed to wallet age and reputation, prevents abuse while accommodating standard development workloads.

Infrastructure costs are funded from three sources:

• The protocol treasury, which holds funds from ecosystem partnerships and strategic capital.
• Future on-chain revenue mechanisms layered above the free CLI in post-audit phases.
• Server-side model routing that lowers average per-request cost via task-aware classification.

4.3 Structural separation

Tips and infrastructure funding are kept structurally separate. The free tier is not funded by a skim on tips. This separation preserves the 100% creator guarantee and ensures no implicit fee is applied to creator earnings.

GitHook implements a layered security model addressing two primary threat surfaces: financial risk from tip flows, and execution risk from third-party skill code installed locally.

5.1 Skill moderation

Each skill submission is processed by an automated review gateway prior to acceptance. The gateway evaluates over 30 patterns, including shell command injection, credential exfiltration, anomalous network access, and prompt injection signatures. Submissions are assigned a trust score, which is surfaced to users at install time. Failed submissions are quarantined for human review or revoked at the gate.

Skills accepted into the registry may be retroactively revoked if a vulnerability is later identified. The CLI surfaces revoked installs at next startup.

5.2 Sandbox isolation

Executable skill code is executed within a platform-native sandbox environment: sandbox-exec on macOS and bwrap on Linux. Permissions are explicit and narrow. The schema disallows net:* and env:* access by default. Filesystem access is scoped to declared directories. Enforcement operates at the kernel layer, not the application layer.

5.3 Path and command containment

The CLI implements path-containment and dangerous-command blocklists independent of model output. Path containment prevents writes outside trusted directories. The sensitive-file blocklist covers .env, .git internals, and SSH key locations. The dangerous-command blocklist covers rm -rf /, mkfs, dd, force pushes to protected branches, and DROP TABLE patterns. These blocks operate regardless of trust state for the working directory.

5.4 Identity and request signing

Every skill push is signed with the author's Ed25519 private key. Every API request from the CLI is signed end-to-end. Wallet binding via Sign-In With Ethereum proves wallet ownership without exposing private key material. Identity is portable: the keypair is generated and stored locally and may be transported between installations.

The following properties are not subject to change under any phase, governance decision, or operational discretion. They are enforced architecturally, not by policy.

• 100% creator share on tips. The protocol cannot retain a portion of tipped value because the protocol is not in the transaction path.
• MIT-licensed CLI. The reference implementation is open source. The license cannot be revoked. The runtime cannot be moved behind a closed source repository.
• No platform account requirement. Identity is a locally-generated keypair. No email, password, or third-party authentication provider is required to use the CLI or to publish skills.
• No silent permission expansion. Skill permissions are declared in the manifest and enforced by the sandbox. No convenience override exists to broaden default permissions.
• Free tier provided as published. The free CLI is provided without payment requirement and without a forced upgrade path.

These guarantees are listed not as commitments but as architectural facts. A change to any of them would constitute a fork to a separate protocol.

The protocol roadmap is gated by verifiable milestones rather than by calendar commitments.

Phase	Status	Scope
0	live	Free CLI; signed skill push; security gateway; sandboxed skill install; wallet linking via SIWE; skill browse and install; $ETH tips wallet-to-wallet on Base; admin review queue.
1	in progress	Monthly snapshot worker for contribution-weighted distribution; Disperse-compatible CSV pipeline; TipSplitter contract (17 of 17 Foundry tests passing, deploy pending); Tipped-events indexer (code complete, awaiting contract).
2	next gate	External audit. Two independent professional audit rounds plus a public bug bounty cycle. Mainnet deployment is gated on clean audit reports and at least one completed bounty cycle.
3	post-audit	Mainnet revenue layer. On-chain monthly distribution to creators, node operators, and treasury. Tip flow remains unchanged from Phase 0.
4	post-launch	Node staking with slashing; heartbeat enforcement; on-chain distribution engine.

Throughout all phases, the architectural guarantees in Section 06 remain in force.

The following risks are identified and addressed by protocol design and operational practice.

• Smart contract risk. The Phase 2 contract suite passes 72 internal Foundry tests, including reentrancy guards and split-invariant fuzz testing. Internal testing is necessary but not sufficient. Mainnet deployment is gated on completion of two external audit rounds and at least one bug bounty cycle.
• Sybil and tip-farming risk. Contribution scoring incorporates tip diversity, engagement metrics, and wallet age. No defense in this class is asymptotically bypass-proof. Monthly admin review, minimum tip thresholds, and layered reputation scoring provide additional mitigation. Residual risk is acknowledged.
• Operational key compromise. The Phase 1 manual payout flow depends on a Safe 2-of-3 multisig with hardware wallets. Simultaneous compromise of multiple signers would result in material loss. This risk is structurally closed in the post-audit phase via on-chain payout execution.
• Market cold start. Marketplace volume may be insufficient in the first six months. Mitigation includes featured rotations, seed grants from the treasury, and direct outreach to candidate creators.
• Model provider dependency. Premium model access currently routes to Claude Opus 4.7. The proxy architecture supports multiple providers, with additional models wired for routing. Upstream policy changes from a primary provider may produce degraded service quality until alternatives are re-routed.
• Regulatory risk. Crypto-asset and decentralized protocol regulation continues to develop in major jurisdictions. The protocol maintains a clear architectural separation between (i) the open-source CLI as a software tool, (ii) wallet-to-wallet tipping as a peer-to-peer protocol with no intermediary, and (iii) future on-chain revenue mechanisms as audit-gated, jurisdictionally aware components. Future product surfaces may be restricted in certain jurisdictions.

Within five years, AI skill creation is expected to constitute a measurable asset class with dedicated infrastructure, identifiable creators, and a discrete creator economy. The market participant that captures the largest share of this asset class is positioned to be the one that retains 0% of creator earnings.

The protocol's strategic position rests on the expectation that incumbent platforms will continue to extract a percentage of creator revenue, and that skill creators will progressively migrate to settlement infrastructure that does not.

The protocol does not require this strategic outlook to be correct to deliver value to existing users: the CLI remains free, the codebase remains open source under MIT, and tip flows remain 100% to creators independent of the protocol's market position.