Download Sigil CLI

A single binary. No dependencies. Creates your identity on first run.

Quick Install

curl -fsSL https://sigil-trust.dev/install.sh | sh

Detects your OS and architecture, installs to ~/.sigil/bin/, and configures your PATH.

Install with Go

go install github.com/fwilkerson/sigil-cli@latest

Requires Go 1.26+. Installs to your $GOBIN or $GOPATH/bin.

GitHub Releases

Each release includes pre-built binaries for macOS and Linux (both amd64 and arm64) with SHA-256 checksums. Browse releases on GitHub.

Binary Downloads

These are the latest binaries from sigil-trust.dev. For versioned downloads, see GitHub Releases.

Platform | Architecture | Binary | SHA256
macOS | ARM64 (Apple Silicon) | sigil-darwin-arm64 | ef0a967db05fd9e46018adfb2c286d726a048099432c44db870ee7bed0410313
macOS | x86_64 (Intel) | sigil-darwin-amd64 | 10e963de6e132ef5b5eb7713dfa5d82e3d7f05c75f68df3a8aed1296ada8e332
Linux | x86_64 | sigil-linux-amd64 | 1a2a91c06a872bde09d7188393e5988ef778567d6ad805a24842593c10b60743
Linux | ARM64 | sigil-linux-arm64 | 8549996eb9eda657b92e83e8fa5a84bf33945e0894acf273f62535e1ea71bf63

Get Started

1. Check a tool's trust score

Look up any tool before you or your agent uses it:

sigil trust check https://npmjs.com/@upstash/context7-mcp

2. Use tools with your agent

As you and your agent use tools, Sigil can automatically record trust signals — positive when things work, negative when they don't. Each signal is signed by your local identity and contributes to the tool's trust score.

sigil trust attest <tool-uri> --outcome success --version <ver>

3. Add to your project (optional)

Once you're comfortable, you can add Sigil to your project so your AI agent checks trust scores automatically. Add this minimal snippet to your project's CLAUDE.md or AGENTS.md:

Before using any MCP server or CLI tool, check its trust score: sigil trust check <tool-uri>

Full agent integration (advanced)

The full integration lets your agent both check and contribute trust signals automatically. Here's what it does and when:

Before tool use — check trust

sigil trust check <tool-uri> --json

After successful tool use — record positive signal

sigil trust attest <tool-uri> --outcome success --version <ver> --non-interactive

After a bad experience — record negative signal

sigil trust attest <tool-uri> --outcome negative --intent "..." --result "..." --yes --non-interactive

What leaves your machine

  • Tool URI, outcome, and optional version/function name
  • Your did:key signature (a cryptographic identifier, not personal information)
  • Nothing else — your key pair and config stay local

Safety guardrails

  • Public tools only — never signal on internal tools or private domains (URIs could reveal org structure)
  • No raw values — failure descriptions should use type shapes (expected list, got 401) not raw error messages that might contain secrets or PII
  • Rate limiting — at most one signal per tool per session

Or generate the full instructions locally with sigil trust skill, or download skill.md.
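
An added example, not part of Sigil or its documentation: a Python wrapper that enforces the three safety guardrails above in code before building the sigil trust attest command line, instead of relying on the agent to follow them. The function and class names, the internal-suffix list and the raw-value pattern are assumptions; only the CLI flags come from this page.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: suffixes treated as internal; the page only says "private domains".
INTERNAL_SUFFIXES = (".internal", ".local", ".localhost", ".lan", ".corp")
# Assumption: heuristic for raw values (long token-like runs, e-mail addresses).
RAW_VALUE = re.compile(r"[A-Za-z0-9+/_=-]{24,}|\S+@\S+\.\S+")


def is_public_tool(uri):
    """True only for http(s) URIs whose host looks publicly resolvable."""
    parts = urlsplit(uri)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or "." not in host:
        return False  # wrong scheme, localhost, bare intranet names
    try:
        return ipaddress.ip_address(host).is_global  # rejects RFC 1918, loopback
    except ValueError:
        return not host.endswith(INTERNAL_SUFFIXES)


class SignalGuard:
    """Enforces the three guardrails for one agent session."""

    def __init__(self):
        self.sent = set()  # tool URIs already signalled in this session

    def attest_argv(self, uri, outcome, version=None, intent=None, result=None):
        """Return argv for `sigil trust attest`, or raise ValueError."""
        if not is_public_tool(uri):
            raise ValueError("refusing to signal on a non-public tool URI")
        if uri in self.sent:
            raise ValueError("already signalled on this tool in this session")
        for text in (intent, result):
            if text and RAW_VALUE.search(text):
                raise ValueError("description looks like a raw value, use a type shape")
        argv = ["sigil", "trust", "attest", uri, "--outcome", outcome]
        if version:
            argv += ["--version", version]
        if intent:
            argv += ["--intent", intent]
        if result:
            argv += ["--result", result]
        if outcome == "negative":
            argv.append("--yes")  # as in the page's negative-signal command
        argv.append("--non-interactive")
        self.sent.add(uri)
        return argv
```

Pass the returned list to subprocess.run only after attest_argv returns; a ValueError means the signal should not leave the machine.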

Privacy

See the full privacy model for details on what's visible, what's redacted, and how data retention works.