Every registry rates skills. Most use star ratings or download counts. We use a 100-point trust score with five independently audited dimensions, aligned to the NIST AI Risk Management Framework and mappable to W3C Verifiable Credential schemas. This post explains why that distinction matters, and how the methodology works.
Why "Star Ratings" Don't Work for Agent Infrastructure
Star ratings answer: did a human like this?
What an autonomous agent needs to know is different:
- Is this skill reliably available when my pipeline runs at 3am?
- Is the endpoint actually the publisher's infrastructure, or a proxied redirect to an unaudited third party?
- Has anyone tried to inject malicious payloads into the response?
- Does this skill have a verifiable track record, or was it published last week with fake metrics?
A five-star rating answers none of these questions. A 100-point trust score with an A/B/C/D tier system can answer all of them — if the methodology is sound.
The Five Dimensions of BluePages Trust Scoring
Our trust score is computed across five independently weighted dimensions. Each dimension has a maximum contribution to the total score, and each is computed from verifiable signals rather than subjective ratings.
1. Uptime (25 points)
What it measures: Reliability of the skill endpoint over a rolling 30-day window.
How it's computed: PingChain probes each registered endpoint on a 5-minute interval from three geographic vantage points (US-East, EU-West, AP-Southeast). Uptime is the percentage of successful probes over the 30-day window, weighted toward recency (last 7 days count 2x).
Score mapping:
- 99.9%+ uptime → 25 points
- 99.0–99.9% → 20 points
- 95.0–99.0% → 15 points
- 90.0–95.0% → 8 points
- Below 90% → 0 points
NIST AI RMF alignment: Maps to GOVERN 1.2 (risk tolerance) and MANAGE 2.2 (incident response capability). A skill with persistent downtime is a pipeline risk that operators must account for in their own risk posture.
2. Latency (20 points)
What it measures: Response time consistency under normal load.
How it's computed: p50/p95/p99 latency tracked from PingChain probes. Score weights the p95 latency most heavily — a skill that's fast on average but spikes unpredictably is worse than one with consistent moderate latency. Normalized against the category median (a real-time finance skill is held to a stricter latency standard than a batch document processor).
Score mapping:
- p95 < 200ms → 20 points
- p95 200–500ms → 16 points
- p95 500ms–1s → 10 points
- p95 1–3s → 5 points
- p95 > 3s → 0 points
NIST AI RMF alignment: Maps to MANAGE 1.3 (performance monitoring). High p95 latency creates tail-risk in chained pipelines — the slowest skill sets the floor for the entire composition.
3. Security (25 points)
What it measures: Disclosure, audit status, and active security posture.
How it's computed: Security score is a composite of four signals:
- Security disclosure on file (+8): Publisher has submitted a security contact, responsible disclosure policy, and data handling summary.
- Red team audit passed (+10): BluePages has run a red team evaluation (or the publisher has submitted a verifiable third-party audit report). Red team tests include prompt injection, payload tampering, and SSRF probing.
- Canary test pass rate (+5): Skills pass 30% hidden canary tests (synthetic payloads that should return deterministic responses). Canary tests run weekly; publishers don't know the test cases.
- No active risk flags (+2): No unresolved RiskFlag records from the BluePages trust team or community reporters.
NIST AI RMF alignment: Maps to MAP 1.1 (risk identification), MEASURE 2.5 (adversarial testing), and MANAGE 3.1 (risk treatment). Security disclosure is a proxy for operational maturity; red team results are empirical evidence of robustness.
4. Provenance (15 points)
What it measures: Verifiability of the publisher identity and skill lineage.
How it's computed: Provenance score rewards cryptographic verification of publisher claims:
- Wallet-verified publisher (+5): Publisher connected a wallet and signed a listing claim. We record the signing address and verify it hasn't been compromised (no flagged addresses).
- Domain verification (+5): Publisher domain (
dns-txtchallenge) confirms they control the endpoint host. Prevents impersonation of established brands. - AgentFacts signed claim (+3): Publisher has submitted a signed AgentFact claim (W3C VC format) with endpoint, schema, and pricing attestation. The claim is signed with their DID private key.
- No wallet address reuse (+2): The publisher wallet hasn't been used by more than one publisher identity (reuse is a signal of compromised key hygiene).
NIST AI RMF alignment: Maps to GOVERN 4.1 (accountability) and MAP 5.1 (supply chain risk). In agent pipelines, provenance failures cascade — a spoofed publisher identity can redirect payment or exfiltrate inputs.
5. Community (15 points)
What it measures: Social proof from verified users.
How it's computed: Community score requires verified usage signals — not anonymous ratings:
- Invocation-backed reviews (+8 max): Only reviewers who have submitted a valid payment proof for at least one invocation can leave a review. Review scores are weighted by recency (last 30 days 2x) and reviewer wallet age (older wallets weighted slightly higher as a Sybil defense).
- Total verified invocations (+5 max, logarithmic):
floor(log10(totalCalls) * 2). A skill with 10 calls scores 2; 100 calls scores 4; 10,000 calls scores 8; capped at 5. - No abuse reports (+2): No sustained abuse reports that have been escalated to the trust team.
NIST AI RMF alignment: Maps to MEASURE 4.1 (stakeholder feedback) and GOVERN 5.2 (accountability mechanisms). Community signals are the most gameable dimension, which is why we require payment proof for reviews and cap the invocation bonus logarithmically.
Trust Tiers
| Tier | Score Range | Meaning |
|---|---|---|
| A | 80–100 | Production-grade. Suitable for automated pipelines without human oversight. |
| B | 60–79 | Good. Suitable for production with monitoring. One or two dimensions need improvement. |
| C | 40–59 | Fair. Suitable for development and staging. Not recommended for unattended production use. |
| D | 0–39 | Low confidence. Use only for experimentation. |
Skills below 40 are not removed from the registry — publishers have the right to list — but they are deprioritized in search results and receive a visible "Low Trust" badge on their detail page.
W3C Verifiable Credential Mapping
BluePages trust scores are designed to be expressible as W3C Verifiable Credentials. This enables a critical future capability: agent pipelines can receive a signed trust score VC as part of skill discovery, verify it locally against the BluePages DID, and make routing decisions without calling the trust API on every invocation.
The draft VC schema (targeting the W3C VC Data Model 2.0 spec):
{
"@context": ["https://www.w3.org/ns/credentials/v2"],
"type": ["VerifiableCredential", "SkillTrustAttestation"],
"issuer": "did:web:bluepages.xyz",
"validFrom": "2026-05-04T00:00:00Z",
"validUntil": "2026-05-11T00:00:00Z",
"credentialSubject": {
"id": "did:web:finops.run#stablecoin-yield-router",
"skill": "stablecoin-yield-router",
"trustScore": 84,
"trustTier": "A",
"dimensions": {
"uptime": 23,
"latency": 18,
"security": 22,
"provenance": 13,
"community": 8
},
"computedAt": "2026-05-04T00:00:00Z"
}
}
The VC is signed with the BluePages Ed25519 issuer key (published at /.well-known/did.json). Agents can verify the signature locally using standard W3C VC verification libraries without any runtime network call to BluePages.
This architecture matters because it enables offline trust verification — a key capability for agent pipelines operating in constrained network environments or that need to minimize latency on trust checks.
The SecureAuth Challenge
On April 29, SecureAuth launched the Agent Trust Registry — a competing trust system targeting the same enterprise market. Their approach uses a different model: curator-assigned trust labels (think App Store human review) rather than computed scores.
We think the curator model has two structural weaknesses:
- Scale: Curator review doesn't scale to a registry with 75+ skills growing weekly. Human review creates a bottleneck that slows the ecosystem.
- Transparency: Trust labels without published methodology are not auditable. Enterprises adopting agent infrastructure need to justify their trust posture to their own security teams.
Our computed, published, NIST-aligned methodology is an auditable artifact. Every score is reproducible from first principles, and every dimension maps to a published framework that enterprise security teams already understand.
What We're Publishing
Starting today, we're publishing:
- This document — the full methodology behind the 5-dimension trust score
- NIST AI RMF alignment table — mapping BluePages trust dimensions to NIST AI RMF functions and categories
- W3C VC schema — the draft credential schema for machine-readable trust attestations
- Red team test categories — the categories of adversarial tests (not specific cases, which would enable gaming)
These are available at /security and through the AgentFacts v2 endpoint at /.well-known/agent.json.
The Security Layer That Completes the Picture
Publishing methodology closes one gap. ChainGuard.ai, our newest publisher, closes another: skills that enforce security at the agent pipeline layer. Their three skills — Agent Permission Auditor, Wallet Drain Detector, and Prompt Injection Firewall — are exactly the runtime security layer that a mature agent deployment needs alongside registry-level trust scores.
Trust scores tell you what the skill was. Runtime security skills protect you from what the inputs and environment might do.
The two layers together — registry trust + runtime enforcement — are how production agent pipelines stay safe as they scale.
Trust scores are updated every 24 hours for all active listings. Newly published skills start with a provisional score based on publisher provenance; the uptime and latency dimensions populate after 7 days of liveness probing.