Skillbase / spm

Security & Permissions

How Skillbase enforces skill permissions at runtime with proxy tools, content scanning, and audit logging.

Overview

Skillbase implements a 3-layer security model to protect AI agents from malicious or misconfigured skills:

  1. Publish-time scanning — automated analysis of skill content before it enters the registry
  2. Load-time protection — content isolation and permission policy enforcement when skills are loaded into context
  3. Runtime enforcement — Permission Proxy Tools validate every operation against the skill's declared permissions

No other AI skill platform enforces runtime permissions on skill actions.

Permission declaration

Every skill declares its required permissions in SKILL.md frontmatter:

security:
  permissions: [file:read, file:write]

Available permissions

Permission          Description
file:read           Read files from the filesystem
file:write          Write or create files
file:delete         Delete files
bash:execute        Execute shell commands
network:allowlist   Make HTTP requests
network:none        No network access (explicit opt-out)
tool:*              Wildcard — grants all permissions

File scope

The file_scope field restricts file operations to specific directories:

{
  "security": {
    "permissions": ["file:read", "file:write"],
    "file_scope": ["/home/user/project", "/tmp/skill-workspace"]
  }
}

  • Path traversal attacks (e.g. ../../etc/passwd) are automatically blocked
  • If file_scope is omitted or empty, file operations are unrestricted (only the permission itself gates access)

Permission Proxy Tools

When a skill is loaded, spm provides four proxy tools that enforce the skill's declared permissions:

Proxy tool          Required permission   Replaces
skill_exec_bash     bash:execute          Native Bash tool
skill_exec_write    file:write            Native Write tool
skill_exec_read     file:read             Native Read tool
skill_exec_fetch    network:allowlist     Native fetch/curl

How it works

  1. When skill_load is called, spm stores the skill's permissions and file_scope in the session
  2. A permission policy is injected into the response, routing the model to use proxy tools
  3. Each proxy tool call checks the operation against the session's permission state
  4. If denied, the tool returns permission_denied and records a violation feedback entry
  5. If allowed, the operation executes normally

Example: allowed operation

Skill "docx-gen" declares: permissions: ["file:read", "file:write"]

Model calls skill_exec_write({ path: "/home/user/project/output.docx", content: "..." })
  -> Permission check: file:write granted
  -> File scope check: passed
  -> Result: { written: true, path: "/home/user/project/output.docx", bytes: 1234 }

Example: denied operation

Skill "docx-gen" declares: permissions: ["file:read", "file:write"]

Model calls skill_exec_bash({ command: "rm -rf /tmp/cache" })
  -> Permission check: bash:execute NOT granted
  -> Violation recorded
  -> Result: { error: "permission_denied" }

Violation tracking

Permission violations are automatically recorded as feedback entries with result violation. This feeds into the confidence scoring system:

  • Skills that trigger violations see their confidence score decrease over time
  • Low-confidence skills (< 0.5) are treated as guidance rather than strict instructions
  • Repeated violations signal a misconfigured or potentially malicious skill

Audit log

Every proxy tool call is recorded in the session's audit log with the skill name, tool, action, and whether it was allowed or denied. The audit log can be extended with persistent storage via the plugin system.

Publish-time scanning

Every skill published to the official registry is automatically scanned for security threats including system prompt impersonation, instruction override attempts, data exfiltration patterns, privilege escalation, and undeclared capabilities.

Skills receive a safety status: clean, flagged, or blocked.

The specific detection patterns and scoring logic are intentionally kept private to prevent adversarial evasion. Self-hosted registries can implement their own safety checks via the plugin system.

Load-time protection

Skill content loaded into AI agents is protected with multiple techniques including Microsoft Spotlighting — a content isolation method that helps models distinguish between trusted instructions and untrusted skill data.

The implementation details of load-time protection are intentionally not documented to prevent evasion.

One-click install security

The spm:// protocol allows one-click skill installation from the web. Every request passes through multiple security layers:

  1. Package name validation — only @author/name format accepted
  2. OS confirmation dialog — mandatory native dialog on every request, no bypass possible
  3. Rate limiting — requests are throttled to prevent abuse
  4. Auto-reject timeout — requests without user response are automatically rejected

Configuration

Proxy tools are enabled by default. To disable:

// ~/.spm/config.json
{
  "tools": {
    "skill_exec": false
  }
}

When disabled, skills load and execute normally without permission enforcement.