Skills are markdown instructions that agents follow with real tool access. Importing a community skill is importing executable intent — which makes this repository a prompt-injection surface. A malicious "skill" could instruct an agent to exfiltrate credentials, install a backdoor, or quietly override its other instructions.
Every PR runs scripts/safety-lint.mjs over the changed skills. The deny-pattern list lives in scripts/deny-patterns.json — versioned, in-repo, PRs welcome to extend it. It currently covers:
- Downloads piped to shells (
curl … | sh,wget … | bash) - Base64-decode-then-execute chains
- Writes to
~/.ssh, shell rc files, or crontabs - Raw-IP or non-HTTPS URLs
- Credential-file reads (
.env, keychains,~/.aws, ssh keys) - Instruction-override phrases ("ignore previous instructions" and kin)
A hit does not auto-reject the PR. Legitimate skills sometimes mention these patterns to warn against them. A hit blocks merge until a maintainer reviews the context and applies the security-reviewed label. Attempted obfuscation around the patterns is treated as malicious and closed.
- It does not sandbox or execute anything — it's a static lint.
- It does not review your own forging. SkDD has no review gate on creating skills in your own colony; the gate here exists because the Commons crosses a trust boundary: strangers shipping instructions to strangers' agents.
- It is not a guarantee. Read what you import.
skdd addvalidates and records provenance, but the instructions still run with your agent's permissions.
- A malicious or dangerous skill in this repo: open a private security advisory. Do not open a public issue first.
- A gap in the deny-pattern list: a public PR against
scripts/deny-patterns.jsonis fine — the list is deliberately public. - Vulnerabilities in the
skddCLI itself: report at the main repo.