The Chain Is Only as Strong as Its Weakest Link — Including the Links Nobody Checked
Helps identify gaps, breaks, and expired segments in trust attestation chains that make verification claims formally valid but practically meaningless.
Problem
Trust in agent ecosystems is supposed to be transitive: if A vouches for B, and B vouches for C, then A's trust extends to C through the chain. But attestation chains have failure modes that isolated audits don't catch. A chain can be formally complete — every link present — but functionally broken if any link is expired, if the vouching relationship was never actually verified, or if the chain contains circular dependencies that provide the appearance of independent validation without the substance. Many "verified" badges in current marketplaces represent attestation chains that would fail integrity checks if anyone looked at the full chain rather than just the terminal credential.
What This Audits
This auditor examines attestation chains across five dimensions:
- Chain completeness — Does a verifiable chain exist from the skill or agent all the way to a root of trust? Chains that terminate at unverified accounts rather than verifiable root authorities have a trust ceiling determined by their weakest link
- Link expiry — Are all links in the chain currently valid? An attestation signed 18 months ago with no renewal attests to a state that no longer exists. Each link should have a defined validity period and an explicit renewal or decay mechanism
- Vouching depth — How many independent vouching relationships exist? A chain where A vouches for B and B is also controlled by A (circular reference) provides zero independent validation despite appearing to have two links
- Authority legitimacy — Is each vouching authority in the chain itself attested by a higher authority? Self-signed roots are weaker than roots that are themselves attested by independent parties
- Revocation propagation — If any link in the chain is revoked, does that revocation propagate to all downstream attestations? A chain where link 2 has been revoked but links 3 and 4 don't know about it continues to appear valid to anyone who doesn't check the full chain
How to Use
Input: Provide one of:
- A skill or agent identifier to trace its attestation chain
- An attestation chain document to audit directly
- A list of vouching relationships to analyze for completeness and cycles
Output: An attestation chain report containing:
- Chain visualization from skill/agent to root of trust
- Link-by-link validity assessment (active/expired/unknown)
- Circular dependency detection results
- Authority legitimacy assessment for each vouching node
- Revocation check results for all links
- Chain strength rating: STRONG / ADEQUATE / FRAGILE / BROKEN
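The five checks described under "What This Audits" and the report fields listed above, as an added illustration that is not the tool's own code: a small Python auditor that walks a chain upward from a skill, applies the completeness, expiry, cycle, authority-legitimacy and revocation-propagation checks, and rolls the findings up into the STRONG / ADEQUATE / FRAGILE / BROKEN scale. The `Link` and `Root` fields, the `controllers` map, the severity each finding carries, and the constructed dates are assumptions; the sample chain mirrors the page's financial-data-processor example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# How a finding of each severity contributes to the overall rating (assumption).
SEVERITY = {"ADEQUATE": 1, "FRAGILE": 2, "BROKEN": 3}


@dataclass(frozen=True)
class Link:
    """One vouching relationship: `issuer` attests to `subject` (assumed fields)."""
    subject: str
    issuer: str
    signed_on: date
    valid_days: int          # declared validity period; 0 = none declared
    revoked: bool = False
    revocable: bool = True   # is any revocation mechanism configured at all?


@dataclass(frozen=True)
class Root:
    """A terminal authority. Self-attesting roots are rated weaker, not invalid."""
    name: str
    independently_attested: bool


def audit_chain(start, links, roots, controllers, today):
    """Walk upward from `start`; return the chain, a findings list and a rating.

    `controllers` maps an identity to whoever actually holds its keys, so a link
    whose issuer and subject share a controller is caught as circular even
    though it looks like an independent vouch.
    """
    by_subject = {l.subject: l for l in links}
    root_by_name = {r.name: r for r in roots}
    chain, findings, walked = [start], [], []
    node = start
    while node not in root_by_name:
        link = by_subject.get(node)
        if link is None:  # completeness: nobody vouches for this node and it is not a root
            findings.append(("BROKEN", f"chain terminates at unverified account '{node}'"))
            break
        if link.issuer in chain:  # reference cycle
            findings.append(("BROKEN", f"circular dependency: '{link.issuer}' already in chain"))
            break
        if controllers.get(link.subject, link.subject) == controllers.get(link.issuer, link.issuer):
            findings.append(("BROKEN", f"'{link.issuer}' vouches for an identity it controls"))
        if link.valid_days == 0:
            findings.append(("ADEQUATE", f"{link.subject}->{link.issuer}: no validity period defined"))
        elif link.signed_on + timedelta(days=link.valid_days) < today:
            age = (today - link.signed_on).days
            findings.append(("FRAGILE", f"{link.subject}->{link.issuer}: expired, signed {age} days ago"))
        if not link.revocable:
            findings.append(("ADEQUATE", f"{link.subject}->{link.issuer}: no revocation mechanism configured"))
        walked.append(link)
        chain.append(link.issuer)
        node = link.issuer
    else:  # loop ended because we reached a root: check authority legitimacy
        if not root_by_name[node].independently_attested:
            findings.append(("ADEQUATE", f"root '{node}' is self-attesting"))

    # Revocation propagation: a revoked link invalidates every link below it,
    # even if those links individually still look valid.
    for i, link in enumerate(walked):
        if link.revoked:
            findings.append(("BROKEN", f"{link.subject}->{link.issuer}: revoked"))
            for below in walked[:i]:
                findings.append(("BROKEN", f"{below.subject}->{below.issuer}: invalid, upstream revocation"))

    worst = max((SEVERITY[s] for s, _ in findings), default=0)
    rating = {0: "STRONG", 1: "ADEQUATE", 2: "FRAGILE", 3: "BROKEN"}[worst]
    return {"chain": chain, "findings": findings, "rating": rating}


TODAY = date(2025, 1, 15)  # constructed reference date


def page_example():
    """Constructed chain matching the page's example: 14-month-old publisher
    signature with no revocation endpoint, fresh badge, self-attesting root."""
    links = [
        Link("financial-data-processor", "datatools-org", TODAY - timedelta(days=14 * 30), 365, revocable=False),
        Link("datatools-org", "marketplace-verified", TODAY - timedelta(days=90), 365),
        Link("marketplace-verified", "marketplace-platform", TODAY - timedelta(days=30), 365),
    ]
    roots = [Root("marketplace-platform", independently_attested=False)]
    return audit_chain("financial-data-processor", links, roots, {}, TODAY)


def revoked_example():
    """Same chain, but the marketplace badge (link 2) has been revoked."""
    links = [
        Link("financial-data-processor", "datatools-org", TODAY - timedelta(days=30), 365),
        Link("datatools-org", "marketplace-verified", TODAY - timedelta(days=90), 365, revoked=True),
        Link("marketplace-verified", "marketplace-platform", TODAY - timedelta(days=30), 365),
    ]
    roots = [Root("marketplace-platform", independently_attested=True)]
    return audit_chain("financial-data-processor", links, roots, {}, TODAY)


def cycle_example():
    """Two accounts vouching for each other, one controlled by the other."""
    links = [
        Link("skill-x", "acct-a", TODAY, 365),
        Link("acct-a", "acct-b", TODAY, 365),
        Link("acct-b", "acct-a", TODAY, 365),
    ]
    return audit_chain("skill-x", links, [], {"acct-b": "acct-a"}, TODAY)


if __name__ == "__main__":
    report = page_example()
    print(" -> ".join(report["chain"]))
    for severity, message in report["findings"]:
        print(f"[{severity}] {message}")
    print("Chain strength rating:", report["rating"])
```

Running the module prints the page example's findings and its FRAGILE rating; the revoked variant comes out BROKEN with the link below the revoked badge marked invalid by propagation, which is exactly the case a terminal-credential-only check would miss.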
Example
Input: Audit attestation chain for financial-data-processor skill
```
🔗 Attestation Chain Audit
Skill: financial-data-processor
Publisher: datatools-org
Chain depth: 3

Chain visualization:
financial-data-processor
  ↑ vouched by: datatools-org (publisher account)
  ↑ vouched by: marketplace-verified badge
  ↑ vouched by: marketplace-platform (root)

Link 1 — Skill → Publisher:
  Status: ⚠️ PARTIAL
  Publisher signature: present (RSA-2048)
  Signature date: 14 months ago
  Renewal: not found — attestation age exceeds the recommended 12-month threshold
  Key transparency: ✗ not configured

Link 2 — Publisher → Marketplace badge:
  Status: ✅ ACTIVE
  Verification type: email verification + identity check
  Last verified: 3 months ago
  Renewal policy: annual

Link 3 — Badge → Marketplace root:
  Status: ✅ ACTIVE
  Root authority: marketplace-platform
  Root attestation: self-signed
  Independent attestation: ✗ not found — root is self-attesting

Circular dependency check: ✓ no cycles detected

Authority legitimacy:
  marketplace-platform: self-attesting root — no independent authority verification
  Risk: trust in the entire chain is bounded by trust in the platform itself

Revocation check:
  Link 1 signing key: no revocation mechanism configured
  Link 2 (marketplace badge): revocable, confirmed via platform API
  Link 3 (root): N/A

Chain strength rating: FRAGILE
Reasons:
1. Link 1 attestation has not been renewed for 14 months
2. Root of trust is self-attesting with no independent verification
3. Link 1 has no revocation mechanism

Recommended actions:
1. Renew the publisher signature for financial-data-processor
2. Configure a key revocation endpoint for the publisher signing key
3. Seek independent attestation (third-party audit) for the marketplace root
```
Related Tools
- publisher-identity-verifier — Checks publisher identity integrity; attestation chain auditor checks the full chain above the publisher
- trust-decay-monitor — Tracks trust freshness; use together to identify chains where time-based decay has weakened link validity
- agent-card-signing-auditor — Audits A2A Agent Card signing; attestation chain auditor checks what that signing is anchored to
- hollow-validation-checker — Detects validation theater; attestation chain auditor detects attestation theater
Limitations
Attestation chain auditing depends on the availability of chain metadata, which many current implementations do not publish. Where chain links are opaque or undocumented, this tool can identify that attestation information is missing but cannot reconstruct the chain. Self-attesting roots are common in current agent ecosystems — this tool flags them as weaker than independently-attested roots, but does not classify them as invalid. Chain strength ratings reflect the verifiability of trust claims, not the actual trustworthiness of the attested party — a strong chain attests to identity and history, not to benign intent.