Security Policy
The complete Skills IL policy for skill security and user protection
Security Commitment
Skills IL employs multiple layers of protection to secure skills on the platform. Every skill goes through automated analysis and manual approval before publication.
Review Process
Step 1: Permission Analysis
Each skill declares the tools it needs. The system analyzes these permissions and rates them by risk level. Skills that require broad permissions (such as terminal or filesystem access) receive lower scores, while skills with narrow permissions are rated higher.
Step 2: Risky Pattern Detection
The system scans skill content to identify concerning patterns, including:
- Environment variable access
- Filesystem operations
- Network calls
- Dynamic code execution
This detection is content-based and flags patterns that may indicate risky behavior.
Step 3: External Security Scanners
Every skill repo runs against Snyk and Cisco Skill Scanner in CI. Results are shown on the skill's page.
In addition, the skill goes through Tank — a 6-stage deep security scanner covering secret scanning, static analysis, prompt injection detection, and dependency auditing.
Step 4: GitHub Verification
Every skill is checked against the open agentskills.io spec and GitHub's security signals. The check produces a Security Scorecard with 15 signals across three tiers:
- Critical (5): spec compliance, secret scanning, code scanning, Sigstore-signed release, declared license
- Recommended (8): tag protection, branch protection, signed commits, SECURITY.md, MFA, CODEOWNERS, Dependabot, semver match
- Bonus (2): fresh release, tree SHA matches HEAD
A skill passing all 5 Critical signals earns the green "Verified ✓" badge. Release signals refresh on every push; repo-settings signals refresh weekly.
Step 5: Manual Approval
Every new skill requires manual approval before publication. Skills are not visible to the public until approved, and can be rejected with notes.
Step 6: Trust Score
Each skill receives a trust score based on multiple dimensions, including:
- Code Quality - community activity around the project
- Permissions - level of access the skill requires
- Data Handling - presence of sensitive patterns
- Publisher Reputation - publishing history
- Maintenance - project freshness
- Documentation - completeness of documentation and licensing
The score determines the trust tier: Verified, Trusted, Community, or Under Review.
Step 7: Quality & Effectiveness Verification
Beyond technical security, we verify that skills actually work as intended:
Eval Pipeline:
- Draft - Initial skill authoring
- Test - Running real scenarios with the skill against the agent
- Grade - Evaluating results: Did the skill trigger correctly? Was the output accurate? Was the workflow efficient?
- Iterate - Fixing based on findings and returning to step 2
Agent Verification:
Every skill is tested against the agents it declares in supported_agents. We verify that the skill loads, triggers, and produces consistent results across each supported agent.
Portability Assessment: Skills that depend on agent-specific capabilities (such as unique MCP tools or advanced terminal commands) are marked accordingly. Portable skills are rated higher.
Structured Community Feedback: User reviews include per-agent ratings, which help identify environment-specific issues and drive targeted improvements to the skill.
Frontmatter Security
Skill definitions (frontmatter) appear in the agent's system prompt. Therefore:
- Content that could be used for prompt injection is rejected by validation
- Reserved AI provider names are blocked
- Definitions are parsed safely without code execution
- Displayed content is sanitized before rendering
Vulnerability Reporting
If you found a security vulnerability, please report it privately through one of the following channels:
- Private report on GitHub - preferred, allows private discussion until a fix is released
- Email: security@agentskills.co.il
Important: Please do not open a public issue for security vulnerabilities. Private reporting allows us to fix the problem before it is disclosed.
We aim to address every report within 48 hours.
Updates
This policy is regularly updated. Last update: March 2026.