Use this as a read-only evidence review workflow; ordinary intake should not require running submitted projects., The install command fetches a pinned SLSA source archive for reference, not an executable package., Provenance evidence improves confidence but does not replace human source review, category-fit review, or maintainer judgment., Treat missing, stale, unverifiable, or mismatched provenance as a risk signal and request clearer evidence before accepting strong trust claims.
Privacy notes
Work from public source URLs, release metadata, package metadata, and maintainer-approved context., Keep public notes focused on source URLs, revisions, digests, and high-level risk summaries; omit operational details that do not need to be public.
Current risk score 16/100. Use staged verification before broader rollout.
Risk 16
Pre-adoption checks
Validate source and review signals before any execution.
Confirm source provenanceRequired
Source URL/provenance metadata is present.
Done
Confirm metadata review state
Listing has review metadata.
Done
Verify install payload
Install/config payload exists and can be inspected.
Done
Security checks
Confirm safety, privacy, and package integrity signals.
Review safety notesRequired
Safety notes are present.
Done
Review privacy notesRequired
Privacy notes are present.
Done
Verify package integrity metadata
No package verification/checksum metadata.
Pending
Rollout
Adopt in controlled steps based on the selected plan.
Run in isolated sandbox firstRequired
Use a constrained sandbox and observe behavior across multiple tasks.
Pending
Roll out graduallyRequired
Roll out to a small cohort before wider usage.
Pending
Set monitoring and fallback
Define rollback path and monitor errors after adoption.
Pending
Evidence readiness
Evidence readiness matrix · balanced
Required evidence gates are covered (5/6 signals complete).
Risk 15
Source provenance
Present
Source repository/provenance is listed.
Required in this preset
Metadata review
Present
Review metadata is present.
Required in this preset
Safety notes
Present
Safety notes are present.
Required in this preset
Privacy notes
Present
Privacy notes are present.
Optional in this preset
Package integrity
Missing
Package integrity metadata is missing.
Optional in this preset
Install payload
Present
Install payload is available.
Required in this preset
Required evidence gates are covered for this preset.
Decision timeline
Decision timeline · balanced
5/6 steps complete with no blocking gaps for this preset.
Risk 14
triage
Confirm source provenanceRequired
Source/provenance metadata is available.
Done
triage
Check metadata review statusRequired
Review metadata is available.
Done
verify
Review safety notesRequired
Safety notes are available.
Done
verify
Review privacy notes
Privacy notes are available.
Done
verify
Validate package integrity metadata
Package integrity metadata is missing.
Pending
rollout
Verify install payload and commandsRequired
Install payload is available.
Done
No required blockers for this timeline preset.
Prerequisite readiness
Prerequisite readiness
5 prerequisites to line up before setup. Includes a review or approval gate.
0/5 ready
Review & approval1General4
Safety & privacy surface
Safety & privacy surface
4 safety and 2 privacy notes across 3 risk areas. Review closely: network access.
3 areas
SafetyExecution & processesUse this as a read-only evidence review workflow; ordinary intake should not require running submitted projects.
SafetyExecution & processesThe install command fetches a pinned SLSA source archive for reference, not an executable package.
SafetyGeneralProvenance evidence improves confidence but does not replace human source review, category-fit review, or maintainer judgment.
SafetyNetwork accessTreat missing, stale, unverifiable, or mismatched provenance as a risk signal and request clearer evidence before accepting strong trust claims.
PrivacyGeneralWork from public source URLs, release metadata, package metadata, and maintainer-approved context.
PrivacyGeneralKeep public notes focused on source URLs, revisions, digests, and high-level risk summaries; omit operational details that do not need to be public.
Safety notes
Use this as a read-only evidence review workflow; ordinary intake should not require running submitted projects.
The install command fetches a pinned SLSA source archive for reference, not an executable package.
Provenance evidence improves confidence but does not replace human source review, category-fit review, or maintainer judgment.
Treat missing, stale, unverifiable, or mismatched provenance as a risk signal and request clearer evidence before accepting strong trust claims.
Privacy notes
Work from public source URLs, release metadata, package metadata, and maintainer-approved context.
Keep public notes focused on source URLs, revisions, digests, and high-level risk summaries; omit operational details that do not need to be public.
Prerequisites
Submission target such as a registry entry, package listing, source-backed content item, or release artifact
.gemini/skills/<skill-name>/SKILL.md or .agents/skills/<skill-name>/SKILL.md
cursor
Adapter
.cursor/rules/<skill-name>.mdc
cli
Manual
AGENTS.md or tool-specific context file
Full copyable content
# Trigger
"Apply the SLSA provenance review capability pack to this submission."
# Required output
1) Source, package, artifact, and provenance evidence inventory
2) Expected producer, repository, revision, builder, and policy
3) SLSA source/build provenance review result
4) Acceptance, rejection, or manual-review decision with evidence
About this resource
Knowledge Freshness
This capability pack is pinned to SLSA v1.2 documentation and source files verified on 2026-06-03. Refresh the SLSA spec, provenance format, and package ecosystem behavior before using it for production policy decisions.
Prefer current SLSA specification pages and pinned source files over model memory for predicate details, verification expectations, and level-specific requirements.
Scope Note
This is not a HeyClaude submission-field factory. Use it for source and provenance review when a content, package, or registry intake needs evidence about where a submission came from, how an artifact was produced, and whether trust claims match the expected source.
Core Workflow
Classify the submission as source-only content, package metadata, generated output, or a release artifact.
Establish expectations from policy: trusted producer, repository, source revision, branch or tag, artifact name, digest algorithm, builder ID, build type, external parameters, and required SLSA level.
Review artifact provenance when an artifact is present: subject digest, provenance signature status, trusted builder ID, expected build type, expected source repository, expected source revision, and allowed external parameters.
Review source provenance when the claim is about a repository revision: source control system, revision immutability, change history continuity, technical controls, code review claims, and verification summaries if available.
Compare trust claims to evidence. Separate confirmed facts, unsupported claims, stale evidence, unverifiable links, and policy gaps.
Decide the intake path: accept, accept with caveats, request more evidence, route to manual review, or reject as unverifiable or mismatched.
Produce a compact provenance report with source URLs, checked identifiers, failed expectations, residual risks, and the final recommendation.
Capability Scope
Source repository and revision provenance review
Build provenance and artifact evidence checks
Package or generated-output source review
SLSA expectation mapping for intake policy
Digest, builder, predicate, and source-URI comparison
Evidence classification for maintainer review
Unverifiable, stale, or overclaimed trust-signal detection
Public-safe verification notes for PRs, registry entries, and package listings
Compatibility
Native
Claude Code / Claude: use as a reusable Agent Skill for provenance-heavy submission review.
Codex/OpenAI workflows: use as SKILL.md-style instructions for registry, package, or artifact intake.
Manual Adaptation
Windsurf and Gemini: adapt the workflow and output contract into their skill formats.
Cursor and Generic AGENTS files: convert the production rules and validation checklist into repository-level intake rules.
Published provenance, verification summary, or package ecosystem trust metadata when available
Expected producer and builder IDs
Decision threshold for missing or partial provenance
Production Rules
Do not treat provenance as a replacement for source review, license review, or category-fit review.
Do not accept a package-trust claim when the artifact digest does not match the provenance subject.
Do not accept a source-trust claim when the source repository, source revision, or producer is ambiguous.
Do not infer SLSA level from marketing copy. Require published evidence or mark the claim unsupported.
Prefer immutable identifiers such as commit SHAs, release tags with tag object evidence, artifact digests, and package integrity metadata.
Treat branch names, moving tags, latest URLs, and generated archive links as weaker evidence unless backed by stronger provenance.
Keep public notes focused on non-sensitive identifiers and high-level risk. Avoid publishing raw logs or operational context that is not needed for review.
Decision Rubric
Accept
Canonical source and artifact identifiers are clear.
Digest, repository, revision, builder, and predicate expectations match.
Published provenance or source verification evidence is reachable and current.
Safety, privacy, and trust notes reflect the verified evidence.
Request More Evidence
The source is real but the artifact digest, builder ID, release tag, or verification summary is missing.
Provenance exists but cannot be linked to the submitted artifact or source revision.
The submission makes trust claims that require maintainer confirmation.
Reject Or Route Away
The source URL is unverifiable, redirects to unrelated content, or conflicts with package metadata.
The provenance subject does not match the artifact under review.
The builder, source repository, or revision does not match the expected producer.
The submission asks maintainers to validate a generated artifact without source-backed trust evidence.
Review result: matched evidence, failed checks, missing data, stale links, and unsupported claims.
Safety and privacy notes: runtime risk, package or generated-output risk, public-note redactions, and residual uncertainty.
Intake decision: accept, accept with caveats, request evidence, manual review, or reject.
Follow-up: exact evidence needed from the submitter or maintainer before the decision can change.
Workflow Notes
Keep automated provenance checks read-only in public PR workflows.
Use maintainer-controlled workflows for any privileged package, generated output, or provenance review.
Store review results as summaries, not raw operational logs.
Re-run review when the artifact, release tag, package version, builder, or source revision changes.
Troubleshooting
Issue: The artifact has no provenance
Fix: Record the missing evidence and fall back to source, package, release, and maintainer judgment. Missing provenance may be acceptable for low-risk content but should block strong verification claims.
Issue: The provenance exists but the digest does not match
Fix: Treat the artifact as unverified. Ask for the exact artifact referenced by the provenance record or a new provenance record for the submitted artifact.
Issue: The source revision is a branch name
Fix: Resolve the branch to an immutable commit SHA, record when it was checked, and prefer a tag or release object when reviewing a published package.
Issue: The submitter claims SLSA compliance without evidence
Fix: Mark the claim unsupported. Require reachable source, builder, predicate, and verification evidence before using the claim in public metadata.
Issue: The evidence includes details that do not need to be public
Fix: Summarize only the identifiers needed for review and keep unnecessary operational details out of public issues or PRs.
Validation Checklist
Source, repo, package, release, and artifact URLs are reachable.
Artifact digest and provenance subject match when an artifact is reviewed.
Builder ID is one of the trusted builders for the expected policy.
Build type and external parameters match expected values.
Source repository and source revision match the submitted package or artifact.
Source provenance or verification summary evidence is recorded when source-level claims are made.
Missing or partial provenance is called out as a caveat, not hidden.
Public notes do not expose operational details that are unnecessary for review.
Show that SLSA Provenance Review Capability Pack Skill is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.
[](https://heyclau.de/entry/skills/slsa-provenance-review-capability-pack)
How it compares
SLSA Provenance Review Capability Pack Skill side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
2 trust signals differ across this comparison (Source provenance, Submitter).
Expert skill for reviewing GitHub Artifact Attestations, release artifact digests, workflow provenance, OIDC boundaries, and public release evidence before an AI agent recommends or publishes build outputs.
✓Use this as a read-only evidence review workflow; ordinary intake should not require running submitted projects.
The install command fetches a pinned SLSA source archive for reference, not an executable package.
Provenance evidence improves confidence but does not replace human source review, category-fit review, or maintainer judgment.
Treat missing, stale, unverifiable, or mismatched provenance as a risk signal and request clearer evidence before accepting strong trust claims.
✓Installing `llms-txt` adds Python dependencies in the selected environment; pin the reviewed version and prefer project-scoped tooling.
The `llms_txt2ctx` helper can retrieve linked HTTPS resources while expanding context; review target URLs before running it against private staging content.
Search artifacts influence crawler and model-facing discovery signals; treat canonical, robots, sitemap, and structured data changes as publish-impacting.
The source archive is external and version-pinned for reference; package trust should remain a maintainer decision.
✓Installing FastMCP adds Python packages to the selected environment; use an isolated project environment and pin the reviewed version.
Reviewing a server can exercise tool, resource, and prompt paths; use controlled fixtures and avoid live side effects unless the release plan explicitly permits them.
The source ZIP is external and version-pinned for reference; package trust should remain a maintainer decision.
Treat destructive tools, write-capable resources, network calls, and long-running jobs as release-blocking until their behavior is documented and tested.
✓Artifact attestation verification confirms provenance for a digest, not malware safety, runtime behavior, dependency health, or install trust.
Do not approve a release when the verified repository, workflow, ref, subject digest, or commit does not match the artifact being distributed.
Keep OIDC and workflow-permission review separate from ordinary release-note editing.
Privacy notes
✓Work from public source URLs, release metadata, package metadata, and maintainer-approved context.
Keep public notes focused on source URLs, revisions, digests, and high-level risk summaries; omit operational details that do not need to be public.
✓`/llms.txt`, expanded context, sitemap, and structured data artifacts can expose URL paths, page titles, product terms, doc structure, and internal naming.
Context expansion can collect linked markdown content into a single artifact, which may reveal more detail than the compact index.
Keep public review notes focused on artifact shape, URL classes, stale links, and source evidence; avoid exposing private staging paths or unreleased content.
✓FastMCP tools and resources can expose files, API responses, database records, prompts, and application state.
Keep review notes focused on public source links, object names, version data, and summarized findings; omit operational details that do not need to be public.
✓Verification evidence can expose repository names, workflow names, internal release timing, commit SHAs, artifact names, and runner metadata.
Public comments should summarize verification without pasting private URLs, unpublished release notes, or internal environment details.
Prerequisites
Submission target such as a registry entry, package listing, source-backed content item, or release artifact