Categories
Category overview
SIGMA certificates are issued for different submission categories. Each category defines what artifacts are reviewed and what the certificate covers. Use this page to choose the right category for your project.
| Category | What SIGMA reviews | Best for |
|---|---|---|
| SKILL | AI skill manifest definition | Describing what a skill does and what it needs |
| SKILL + API | Manifest + live API endpoint verification | Skills that call live web services |
| CODE | Standalone Python or Node.js code | MCP servers, agent tools, CLI utilities |
| CODE + PACKAGES | Code + full dependency supply chain | Any code that imports third-party libraries |
| SKILL + CODE | Manifest + code | Skills with both a definition and an implementation |
| SKILL + CODE + PACKAGES | Manifest + code + supply chain | Full coverage for production AI skills |
| SKILL + API + CODE + PACKAGES | Full-spectrum | Maximum trust signal for any AI tool |
Detail pages: CODE, CODE + PACKAGES. Code review and Package Trust Registry explain how code and dependencies are evaluated.
SKILL
SKILL is for submissions centered on an AI skill manifest (for example SKILL.md): what the skill claims to do, required tools, and declared capabilities. SIGMA reviews the manifest definition and supporting context. The certificate reflects that the manifest and stated boundaries were evaluated by the council process.
SKILL + API
SKILL + API adds live API endpoint verification on top of the manifest. SIGMA reviews both the declared behavior in the manifest and evidence about the real HTTP surface. Choose this when the skill calls external web services and you want the certificate to cover that API relationship.
CODE
The CODE category is for standalone Python or Node.js projects that have no SKILL.md manifest. It is the most direct path to a trust certificate for an MCP server, an agent tool, a CLI utility, or any executable code that an AI agent or developer might invoke.
SIGMA reviews: the static structure of the codebase, all import and dependency declarations, shell execution patterns, environment variable access, network call patterns, filesystem operations, and the runtime behaviour observed during sandboxed execution.
The certificate is tied to the exact Git commit SHA submitted. It does not extend to future versions. Developers who update their code must resubmit to receive a new certificate.
CODE + PACKAGES
The CODE + PACKAGES category extends the standard CODE review to include the full dependency supply chain. Every third-party package declared in the project's dependency manifest is independently fetched from its official registry, its distribution file is integrity-verified, and it is reviewed by a SIGMA council.
Packages that have already been certified in a previous submission are served from the shared Package Trust Registry at no additional cost. Only genuinely new or uncertified packages incur an audit fee. As the registry grows, the cost of certifying a typical project approaches zero for its dependencies.
This is the recommended category for any code submission that imports external libraries.
SKILL + CODE
The SKILL + CODE category is for projects where both a SKILL.md manifest and implementation code live in the same repository. SIGMA reviews both independently and cross-references them: does the code do what the manifest declares? Does the code make network calls or claim capabilities that are not declared in the manifest? Discrepancies become findings in the council verdict.
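The cross-reference described above, sketched as an added example (not SIGMA's own code): a static pass over Python source that maps imports and calls to capability labels and compares them with what a manifest declares. The `capabilities:` manifest line, the capability labels and the module mapping are assumptions made for illustration.

```python
import ast

# Assumed module-to-capability mapping; illustrative, not SIGMA's taxonomy.
IMPORT_CAPS = {"socket": "network", "requests": "network", "urllib": "network",
               "http": "network", "subprocess": "shell"}
# Assumed attributes of the os module that imply a capability.
OS_ATTR_CAPS = {"system": "shell", "popen": "shell", "environ": "env", "getenv": "env"}

def declared_capabilities(manifest_text):
    """Read a hypothetical 'capabilities: a, b' line from a manifest."""
    for line in manifest_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "capabilities":
            return {v.strip().lower() for v in value.split(",") if v.strip()}
    return set()

def observed_capabilities(source):
    """Statically collect capabilities implied by imports and calls."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            names = ([a.name for a in node.names] if isinstance(node, ast.Import)
                     else [node.module or ""])
            found.update(IMPORT_CAPS[n.split(".")[0]] for n in names
                         if n.split(".")[0] in IMPORT_CAPS)
        # os.system / os.popen / os.environ / os.getenv
        if (isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name)
                and node.value.id == "os" and node.attr in OS_ATTR_CAPS):
            found.add(OS_ATTR_CAPS[node.attr])
        # Built-in open() counts as a filesystem operation.
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id == "open"):
            found.add("filesystem")
    return found

def cross_reference(manifest_text, source):
    """Return (used but undeclared, declared but not observed)."""
    declared = declared_capabilities(manifest_text)
    observed = observed_capabilities(source)
    return sorted(observed - declared), sorted(declared - observed)

# Constructed sample inputs.
SAMPLE_MANIFEST = "name: weather-lookup\ncapabilities: network\n"
SAMPLE_CODE = ("import os, requests\n"
               "key = os.environ['API_KEY']\n"
               "open('/tmp/cache.json', 'w').write(requests.get('https://api.example.com/').text)\n")

if __name__ == "__main__":
    print(cross_reference(SAMPLE_MANIFEST, SAMPLE_CODE))
```

A static pass like this misses aliased imports and dynamically constructed calls, so it cannot stand in for observing the code at runtime.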
SKILL + API + CODE + PACKAGES
The full-spectrum category provides the most comprehensive trust signal SIGMA can issue. It covers the manifest definition, the live API surface, the executable code, and the complete dependency supply chain. The resulting certificate demonstrates that SIGMA has reviewed every dimension of what an AI skill does and what it runs.