mikeparcewski/trust-and-safety
skills/agentic/trust-and-safety/SKILL.md
Trust, safety, and control patterns for production agentic systems with human-in-the-loop gates and guardrails. Use when: designing guardrails or human-in-the-loop gates for an agent, or hardening an agentic system against prompt injection.
$ install --global
skillsauthnpx skillsauth add mikeparcewski/wicked-garden trust-and-safetyInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 7, 2026, 6:24 AM279.5s6 files scanned
SKILL.md
- name:
- trust-and-safety
- description:
- |
- Use when:
- designing guardrails or human-in-the-loop gates for an agent, or
- portability:
- portable
- phase_relevance:
- ["design", "review"]
- archetype_relevance:
- ["*"]
Trust and Safety
Essential patterns for building safe, trustworthy, production-ready agentic systems.
Core Principles
- Least Privilege: Agents have minimum necessary permissions
- Defense in Depth: Multiple layers of safety checks
- Fail Safe: Errors should fail toward safety, not capability
- Human Oversight: High-stakes decisions require human approval
- Auditability: All decisions and actions are logged and traceable
- Graceful Degradation: System remains safe even when components fail
Human-in-the-Loop Gates
When to Add Human Gates
Always require approval for:
- Production data modifications (delete, update critical data)
- Financial transactions above threshold
- Communications to external parties
- Credential or security changes
- Irreversible operations
Consider approval for:
- First-time operations
- Operations outside normal patterns
- Low-confidence decisions
- Operations near resource limits
Implementation Pattern
async def execute_with_approval(action, threshold=0.8):
if action.confidence < threshold or action.is_high_stakes():
approval = await request_human_approval(action)
if not approval.approved:
raise ApprovalDenied(approval.reason)
return await action.execute()
Approval Workflow Design
Synchronous Approval: Block until human responds (for urgent decisions) Asynchronous Approval: Queue for later review (for batch operations) Escalation Chains: Route to higher authority if primary approver unavailable Timeout Handling: Define what happens if no approval received
See refs/guardrails-input-output.md, refs/guardrails-actions.md, and refs/guardrails-resources.md for detailed implementation patterns.
Output Validation
Structured Output Validation
Force outputs into validated schemas using Pydantic or similar.
Content Validation
Check outputs before acting on them:
- Format validation: Matches expected structure
- Range validation: Numeric values within acceptable bounds
- Completeness validation: Required fields are present
- Consistency validation: Outputs are internally consistent
Hallucination Detection
Cross-Validation: Multiple agents check same fact Source Verification: Verify claims against ground truth Confidence Thresholds: Reject low-confidence outputs Fact Checking: Use retrieval to verify factual claims
See refs/guardrails-input-output.md for code examples.
Action Constraints and Sandboxing
Whitelisting
Safer than blacklisting. Define allowed commands/actions explicitly.
Sandboxing
Isolate agent execution:
- Containerization: Run agents in Docker containers
- Virtual environments: Separate Python/Node environments
- File system restrictions: Limit access to specific directories
- Network isolation: Control network access
Resource Limits
Prevent runaway resource usage:
- Max runtime (timeouts)
- Max memory
- Max tokens per request/session
- Max API calls
See refs/guardrails-actions.md and refs/guardrails-resources.md for implementation details.
Prompt Injection Defense
Input Sanitization
Clean user inputs before passing to LLM. Remove instruction-like patterns.
Delimiter-Based Protection
Use clear delimiters to separate system instructions from user input.
Privilege Separation
Separate instruction and data contexts using role-based message formatting.
See refs/guardrails-input-output.md for defense patterns and code examples.
PII Detection and Protection
Pattern-Based Detection
Regex patterns for email, SSN, credit cards, phone numbers, etc.
Redaction
Replace detected PII with [REDACTED_TYPE] tokens.
PII Policies
- Never log PII in plain text
- Encrypt PII at rest and in transit
- Minimize PII collection (only collect what's needed)
- Retention limits (delete after specified period)
See refs/guardrails-input-output.md for detection and redaction code.
Hallucination Mitigation
Grounding Techniques
Retrieval-Augmented Generation (RAG): Retrieve facts before generation Citation Requirements: Require source citations for all claims
Verification Strategies
Multi-Agent Verification: Independent verification by multiple agents Confidence Calibration: Require confidence scores, reject low-confidence outputs
See refs/guardrails-actions.md and refs/guardrails-resources.md for implementation patterns.
Kill Switches and Circuit Breakers
Kill Switch: Emergency stop that halts all operations and alerts administrators. Circuit Breaker: Opens circuit after threshold failures to prevent cascading failures. Rate Limiting: Limits requests per user/time window to prevent abuse.
See refs/guardrails-actions.md and refs/guardrails-resources.md for complete implementations.
Safety Checklist
See refs/safety-checklist-core.md for the full pre-deployment checklist covering human gates, validation, whitelisting, resource limits, PII, prompt injection, hallucination, circuit breakers, rate limiting, kill switches, audit logging, and rollback. See refs/safety-checklist-advanced.md for monitoring, incidents, testing, and ops checklists.
References
refs/safety-checklist-core.md- Core safety checklist (input, output, action, auth, privacy)refs/safety-checklist-advanced.md- Advanced safety checklist (monitoring, incidents, testing, ops)refs/guardrails-input-output.md- Input validation, sanitization, prompt injection, output filteringrefs/guardrails-actions.md- Action whitelisting, approvals, sandboxed executionrefs/guardrails-resources.md- Resource limiting, monitoring, complete guardrail architecture
Related Skills
mikeparcewski/skills/engineering/large-scale-migration
development
VerifiedTrustedCommunity
--- name: large-scale-migration description: How to execute a LARGE MECHANICAL change across any codebase with LEVERAGE instead of an agent-grind or hand-edits — a cross-cutting migration, refactor, rename, dialect/framework/DB port, library adoption, or bulk transform. The map→transform→gate pattern: a deterministic transform driven by a source-of-truth map, proven by a differential-equivalence gate. Use when the work is "migrate all X to Y", "rename Z everywhere", "port to a new DB/dialect/fra
8SKILL.mdUpdated Jun 3, 2026
mikeparcewski/wicked-garden:classify
testing
VerifiedTrustedCommunity
v11 LLM-based work-shape classifier. Replaces the regex archetype detector with the model's own reasoning. Reads the user's prompt, picks the right archetype(s) from the catalog, identifies signals (blast_radius, novelty, reversibility, etc.), and persists to SessionState so subsequent turns steer correctly. Use when: the prompt_submit hook emitted a `<wg classify-due />` directive, OR explicitly invoked at session start, OR when re-classifying after the user changes scope mid-session.
8SKILL.mdUpdated May 26, 2026
mikeparcewski/wicked-garden:archetype
tools
VerifiedTrustedCommunity
v11 work-shape archetype runner. When a prompt has been routed to one of the 9 archetypes (triage, explore, specify, decide, ship, review, incident, build, migrate), this skill is the entry point. It picks the right per-archetype playbook from refs/ and executes the phase shape declared in `.claude-plugin/archetypes.json`. Use when: a `<wg archetype="X">` or `<wg archetypes>` system-reminder tag appears, an explicit "let's run the X archetype" request, or when one of the per-archetype slash commands resolves to this skill.
8SKILL.mdUpdated May 8, 2026
mikeparcewski/intent
development
VerifiedTrustedCommunity
Show or set the session intent variable. Intent gates how loud the framework is — simple-edit (silent), feature/research (synthesis directive), rigor (full crew context). Auto-detected on turn 1; this skill overrides explicitly. Sticky for the session. Use when: "set intent", "intent override", "/wicked-garden:intent", "make the framework quiet", "force rigor", "what's my intent".
8SKILL.mdUpdated May 6, 2026