AnonSkill — Zero-Knowledge GitHub Skill Verification

What it does

AnonSkill lets developers prove their technical skills to employers without ever exposing source code. Connect your GitHub account, and an AI agent analyzes your repository metadata — commit frequency, language distribution, activity signals — and generates a verified skill report. No source code is read. No commit messages. No PII.

Inspiration

Developers often face a frustrating paradox: to get a job, you need to prove your skills, but proving your skills means sharing private code you can't share. We wanted to build a system where an AI agent could act on your behalf — accessing your private GitHub repositories securely — without you ever handing over your credentials or your code.

Auth0 Token Vault made this possible.

How we built it

The core pattern: AI Agent + Token Vault

The key insight is that Auth0 Token Vault acts as a secure credential broker between the user and the AI agent. The agent never holds credentials directly — it requests them through Auth0 at the moment they're needed, uses them for a single request, and they're gone.

Tech stack:

  • Frontend: Next.js 14 (App Router)
  • Backend: Python 3.13 + FastAPI
  • Identity: Auth0 for AI Agents — Token Vault + Connected Accounts
  • AI: Google Gemini Flash LTS
  • GitHub API: PyGithub

The Token Vault flow

Token Vault storage does NOT happen automatically during login. We implemented the full Connected Accounts flow via Auth0's My Account API:

  1. POST /me/v1/connected-accounts/connect with PKCE → get connect_uri
  2. Browser redirects to GitHub for authorization
  3. POST /me/v1/connected-accounts/complete → Auth0 stores the GitHub token in Token Vault
  4. Token Exchange grant retrieves the GitHub token server-side when the agent needs it

This required configuring Multi-Resource Refresh Tokens (MRRT), enabling the My Account API, and using a GitHub App (not OAuth App) — since only GitHub Apps issue refresh tokens.

The AI pipeline

Once the GitHub token is retrieved from Token Vault, the agent:

  1. Fetches all accessible repositories (personal + org)
  2. Collects quantitative metrics only: language byte counts, weekly commit frequency, repo size, CI signals
  3. Sends metrics to Gemini — no source code, no commit messages
  4. Returns a structured VerificationReport with skill level, security score, languages detected, and AI reasoning

User control

Users configure what gets analyzed before running:

  • Step 1: Exclude languages (e.g. HTML, CSS) that don't reflect engineering depth
  • Step 2: Choose which repositories to include
  • The agent analyzes the top 3 most active repos from the selection
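The metrics-only collection from the AI pipeline, combined with the user's language-exclusion and repository-selection controls above, as an added Python example (not AnonSkill's own code). The repository data is constructed inline to mimic what PyGithub returns, and the field names are assumptions.

```python
from dataclasses import dataclass, asdict
import json

# Constructed sample data shaped like what the agent reads via PyGithub
# (repo.get_languages(), stats/commit_activity, repo.size); not real repos.
# commit_messages / author_emails stand in for raw API data that must never be copied.
SAMPLE_REPOS = {
    "alice/api-server": {"languages": {"Python": 120_000, "HTML": 5_000}, "size_kb": 2_300,
                         "weekly_commits": [3, 5, 0, 8, 4, 6], "has_ci": True,
                         "commit_messages": ["fix auth bug"], "author_emails": ["alice@example.com"]},
    "alice/dotfiles": {"languages": {"Shell": 9_000}, "size_kb": 40, "weekly_commits": [0, 1, 0, 0, 0, 0],
                       "has_ci": False, "commit_messages": ["tweak"], "author_emails": ["alice@example.com"]},
    "acme/web": {"languages": {"TypeScript": 80_000, "CSS": 30_000, "HTML": 20_000}, "size_kb": 5_100,
                 "weekly_commits": [9, 7, 8, 6, 5, 7], "has_ci": True,
                 "commit_messages": ["rename handlers"], "author_emails": []},
    "acme/infra": {"languages": {"HCL": 15_000, "Go": 40_000}, "size_kb": 900,
                   "weekly_commits": [2, 2, 3, 1, 2, 2], "has_ci": True, "commit_messages": [], "author_emails": []},
}

@dataclass(frozen=True)
class RepoMetrics:  # quantitative signals only: these are the only fields that reach Gemini
    name: str
    language_bytes: dict
    weekly_commits: tuple
    size_kb: int
    has_ci: bool

    @property
    def activity(self) -> int:
        return sum(self.weekly_commits)

def collect_metrics(raw, selected, excluded_languages, top_n=3):
    """User controls: selected repos only, excluded languages dropped, top_n most active kept."""
    metrics = []
    for name in selected:
        repo = raw[name]
        langs = {lang: n for lang, n in repo["languages"].items() if lang not in excluded_languages}
        metrics.append(RepoMetrics(name, langs, tuple(repo["weekly_commits"]), repo["size_kb"], repo["has_ci"]))
    metrics.sort(key=lambda m: m.activity, reverse=True)
    return metrics[:top_n]

def to_prompt_payload(metrics):
    """Serialise for the LLM; asdict() copies RepoMetrics fields only, so raw extras cannot ride along."""
    return json.dumps([asdict(m) for m in metrics], sort_keys=True)

def leaks_forbidden(payload, raw):
    """Last check before sending: does any commit message or email from the raw data appear?"""
    sensitive = [s for r in raw.values() for s in r["commit_messages"] + r["author_emails"]]
    return any(s in payload for s in sensitive)
```

The typed `RepoMetrics` allowlist is what enforces minimisation; `leaks_forbidden` is a belt-and-braces check worth keeping in a unit test so a future field addition cannot silently widen what the prompt contains.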

Challenges

Token Vault doesn't populate automatically. The biggest surprise was discovering that logging in via GitHub social connection does not store the token in Token Vault — it requires a separate Connected Accounts flow. Figuring out the MRRT + My Account API + PKCE combination took significant debugging.

GitHub App vs OAuth App. Token Vault requires refresh tokens, and only GitHub Apps issue them. Switching from OAuth App to GitHub App mid-build required reconfiguring Auth0's GitHub connection and updating the entire auth flow.

Org repository access. GitHub App tokens only access org repos where the app is installed, unlike OAuth Apps which use scope-based access. We solved this by having users install the GitHub App on their organizations.

What we learned

Auth0 for AI Agents introduces a new pattern: delegated credential access for AI agents. Instead of agents storing credentials themselves (a major security risk), Token Vault acts as a secure intermediary. The agent proves who it's acting for (via the user's Auth0 token), and Auth0 returns the third-party credential for that single operation.

This pattern is applicable far beyond skill verification — any AI agent that needs to act on a user's behalf (sending emails, managing files, calling APIs) can use Token Vault to do so without credential exposure.

Zero-knowledge guarantees

  • Raw source code is never fetched
  • GitHub token lives in memory only for the duration of one request
  • No commit messages, email addresses, or contributor names are collected
  • The GitHub token is never returned to the frontend or written to any log

Built With

  • fastapi
  • next