skill-vetter
- Repo stars 4,826
- Author updated Live
- Author repo magic
- Domain
- Security
- Compatible agents
-
- Claude Code
- Cursor
- Cline
- Codex
- Windsurf
- Gemini CLI
- +20
- Trust score
- 88 / 100 · community maintained
- Author / version / license
- @dtyq · no license declared
- Token usage
- Lean
- Setup complexity
- Guided setup
- External API key
- Not required
- Operating systems
- Unspecified (assume cross-platform)
- Runtime requirements
- No special requirements
- Permissions
-
- Read-only
- Write / modify
- Shell exec
- Network behavior
- External requests
- Install commands
- 26 variants
Profile is derived at build time from SKILL.md and install vectors. Subject to drift from author intent.
Heads up: 未限定 allowed-tools,默认拥有全部工具权限。
---
name: skill-vetter
description: Security-first skill vetting protocol for AI agents. Use before installing any skill from the pl…
category: security
runtime: no special runtime
---
# skill-vetter output preview
## PART A: Task fit
- Use case: Security-first skill vetting protocol for AI agents. Use before installing any skill from the platform skill market, skillhub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns to determine whether a skill is safe to install..
- Inputs: target material, constraints, expected output, and acceptance criteria.
- Evidence boundary: follow “何时使用 / When to Use / 审查协议” and do not present inference as author intent.
## PART B: Execution result
- **01** The card summarizes the use case; runtime output centers on “Security-first skill vetting protocol for AI agents. Use before installing any skill from the platform skill market, skillhub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns to determine whether a skill is safe to install.”.
- **02** When the source has headings, the agent prioritizes “何时使用 / When to Use / 审查协议” so the result follows the author’s structure.
- **03** Typical output includes task judgment, concrete steps, required commands or file edits, validation, and follow-up options.
- **04** Risk context follows the fingerprint: read files, write/modify files, run shell commands; may access external network resources; usually needs no extra API key.
## Running Rules
- read files, write/modify files, run shell commands; may access external network resources; usually needs no extra API key.
- Validate with a small sample before expanding scope.
- Return the result, validation criteria, and next iteration options. The source mentions slash commands such as `/tmp`; use them first when your agent supports command triggers.
Name target files or source material, expected output, forbidden changes, and whether network or shell access is allowed. Permission fingerprint: read files, write/modify files, run shell commands.
Start with a small task and check whether the result follows “何时使用 / When to Use / 审查协议”. Inspect diffs, logs, previews, or tests before expanding scope.
Confirm the final output includes a concrete result, evidence, and next action. If it stays generic, tighten inputs, boundaries, and acceptance criteria.
---
name: skill-vetter
description: Security-first skill vetting protocol for AI agents. Use before installing any skill from the pl…
category: security
source: dtyq/magic
---
# skill-vetter
## When to use
- Security-first skill vetting protocol for AI agents. Use before installing any skill from the platform skill market, s…
- Use it when the task has clear inputs, repeatable steps, and validation criteria.
## What to provide
- Target material, scope, expected result, and forbidden changes.
- Whether network, commands, file writes, or external services are allowed.
## Execution rules
- Organize steps around “何时使用 / When to Use / 审查协议” and keep inference separate from source facts.
- read files, write/modify files, run shell commands; may access external network resources; usually needs no extra API key.
- Validate with a small sample before expanding the task.
## Output requirements
- Return the deliverable, key evidence, validation method, and next action.
- Mark missing information as unknown; do not invent commands, platforms, or dependencies. The author source anchors workflow facts; repository files anchor sources and commands; Fluxly only adds fit, limitations, and quality judgment.
skill "skill-vetter" {
input -> user goal + target files + boundaries + acceptance criteria
context -> 何时使用 / When to Use / 审查协议
rules -> SKILL.md triggers / order / output contract
runtime -> no special runtime | read files, write/modify files, run shell commands | may access external network resources
guardrails -> usually needs no extra API key + small-sample validation + diff/log review
output -> copyable result + checklist + next iteration
} Skill Vetter
Security-first vetting protocol for AI agent skills. Never install a skill without vetting it first.
When to Use
- Before installing any skill from the platform skill market
- Before installing external skills from skillhub
- Before running skills from GitHub repositories
- When evaluating skills shared by other agents
- Anytime you are asked to install unknown code
Vetting Protocol
Step 1: Source Check
Questions to answer:
- Where did this skill come from? (platform market / skillhub / GitHub / other)
- Is the author known or reputable?
- How many downloads or stars does it have?
- When was it last updated?
- Are there reviews from other agents?
Step 2: Preview Install to Temp Dir, Then Read All Files
Do not install to the real skills directory yet. Install to a temp directory first for inspection.
Choose the preview method based on the source:
skillhub source (supports --dir for temp directory):
skillhub --dir /tmp/skillhub-preview/ install <slug>
After install, use shell_exec to list and read all files:
# 列出所有文件
shell_exec(command="find /tmp/skillhub-preview/<skill-name> -type f | sort")
# 逐一读取(对每个文件执行)
shell_exec(command="cat /tmp/skillhub-preview/<skill-name>/SKILL.md")
shell_exec(command="cat /tmp/skillhub-preview/<skill-name>/scripts/<file>.py")
# ... 依次读取所有脚本、配置、引用文件
If approved, run the normal install without --dir. Either way, clean up the temp dir:
shell_exec(command="rm -rf /tmp/skillhub-preview/")
Platform market / my skill library source (also supports --dir for temp directory):
shell_exec(command="skillhub install-platform-me <code> --dir /tmp/skillhub-preview/")
# or
shell_exec(command="skillhub install-platform-market <code> --dir /tmp/skillhub-preview/")
After install, use shell_exec to list and read all files:
# 列出所有文件
shell_exec(command="find /tmp/skillhub-preview/<skill-name> -type f | sort")
# 逐一读取
shell_exec(command="cat /tmp/skillhub-preview/<skill-name>/SKILL.md")
shell_exec(command="cat /tmp/skillhub-preview/<skill-name>/scripts/<file>.py")
# ... 依次读取所有文件
If approved, run the normal install without --dir. Either way, clean up the temp dir:
shell_exec(command="rm -rf /tmp/skillhub-preview/")
Step 3: Code Review (MANDATORY)
Read ALL files in the skill. Reject immediately if any of the following are present:
REJECT IMMEDIATELY IF YOU SEE:
─────────────────────────────────────────
- curl/wget to unknown URLs
- Sends data to external servers
- Requests credentials, tokens, or API keys
- Reads ~/.ssh, ~/.aws, ~/.config without clear reason
- Accesses MEMORY.md, USER.md, SOUL.md, IDENTITY.md
- Uses base64 decode on anything
- Uses eval() or exec() with external input
- Modifies system files outside the workspace
- Installs packages without listing them explicitly
- Network calls to raw IP addresses instead of domains
- Obfuscated code (compressed, encoded, or minified)
- Requests elevated or sudo permissions
- Accesses browser cookies or sessions
- Touches credential files
─────────────────────────────────────────
Step 4: Permission Scope
Evaluate:
- What files does it need to read?
- What files does it need to write?
- What commands does it run?
- Does it need network access? To where?
- Is the scope minimal for its stated purpose?
Step 5: Risk Classification
| Risk Level | Examples | Action |
|---|---|---|
| LOW | Notes, weather, formatting | Basic review, install OK |
| MEDIUM | File ops, browser, external APIs | Full code review required |
| HIGH | Credentials, trading, system commands | Human approval required |
| EXTREME | Security configs, root access | Do NOT install |
Output Format
After vetting, produce this report:
SKILL VETTING REPORT
=======================================
Skill: [name]
Source: [platform market / skillhub / GitHub / other]
Author: [username]
Version: [version]
---------------------------------------
METRICS:
- Downloads/Stars: [count]
- Last Updated: [date]
- Files Reviewed: [count]
---------------------------------------
RED FLAGS: [None / list them]
PERMISSIONS NEEDED:
- Files: [list or "None"]
- Network: [list or "None"]
- Commands: [list or "None"]
---------------------------------------
RISK LEVEL: [LOW / MEDIUM / HIGH / EXTREME]
VERDICT: [SAFE TO INSTALL / INSTALL WITH CAUTION / DO NOT INSTALL]
NOTES: [Any observations]
=======================================
Trust Hierarchy
- Official platform skills (published via platform market) — lower scrutiny (still review)
- High-star repos (1000+) — moderate scrutiny
- Known authors — moderate scrutiny
- New or unknown sources — maximum scrutiny
- Skills requesting credentials — human approval always required
Principles
- No skill is worth compromising security
- When in doubt, do not install
- Escalate high-risk decisions to the user
- Document what you vet for future reference
Decide Fit First
Design Intent
How To Use It
Boundaries And Review