Secure AI Skills Checklist
Use this checklist before publishing any AI agent skill to ensure it follows security best practices.
Manifest Security
- Minimal permissions — Only declare permissions your skill actually needs
- Explicit network allowlist — List specific domains, avoid wildcards
- Scoped filesystem access — Use specific paths, never
/or~ - No hardcoded secrets — Use environment variables for credentials
- Version pinned dependencies — Lock all dependency versions
Code Security
- No
eval()orFunction()— Dynamic code execution is blocked - No shell injection — Sanitize all inputs to shell commands
- No SQL injection — Use parameterized queries
- No path traversal — Validate and sanitize file paths
- No SSRF vulnerabilities — Validate and restrict URLs
Prompt Injection Prevention
- Input sanitization — Escape or remove special characters from user input
- Output validation — Check LLM outputs before executing actions
- Separation of concerns — Don't mix user input with system prompts
- Rate limiting — Implement request limits to prevent abuse
Secret Management
- No secrets in code — Never hardcode API keys, tokens, or passwords
- No secrets in packages — Do not ship
.envfiles, private keys, or credential-bearing config - Secret rotation support — Design for key rotation without code changes
- Audit logging — Log sensitive operations without logging secret values
Dependency Security
- Minimal dependencies — Only include what you need
- Trusted sources — Only use well-maintained packages
- No deprecated packages — Use actively maintained alternatives
- Lockfile committed — Include
bun.lockor equivalent
Permission Best Practices
| Permission Type | ✅ Good Practice | ❌ Avoid |
|---|---|---|
| Network | ["https://api.example.com"] | ["*"] or ["https://*"] |
| Filesystem Read | ["./data/**"] | ["/**"] or ["~/**"] |
| Filesystem Write | ["./output/**"] | ["/**"] or home directory |
Runtime Security
- Graceful degradation — Handle permission denials without crashing
- Clear error messages — Tell users what permission is needed and why
- No privilege escalation — Don't attempt to bypass permission checks
- Secure defaults — Fail closed, not open
Before Publishing
# Run the security scanner (6-stage pipeline)
tank scan
# Verify lockfile integrity
tank verify
# Check for secrets accidentally committed
git diff --cached | grep -i "api_key\|secret\|token\|password"
# Audit dependencies
npm auditSecurity Scan Results
Tank's 6-stage pipeline will flag:
| Severity | Examples | Result |
|---|---|---|
| Critical | Hardcoded secrets, code injection | ❌ FAIL — Must fix |
| High | SQL injection, path traversal | ❌ FAIL — Must fix |
| Medium | Deprecated deps, broad permissions | ⚠️ FLAGGED — Review required |
| Low | Missing docs, style issues | ✅ PASS with notes |
Scanning Tools
Tank uses multiple security scanners in a 6-stage pipeline:
| Stage | Tool | Purpose |
|---|---|---|
| Stage 2 | AST + regex analysis | Static analysis for code patterns |
| Stage 2 | Bandit | Python security linter |
| Stage 3 | Cisco Skill Scanner | AI agent threat detection |
| Stage 3 | Snyk Agent Scan | Prompt injection & tool poisoning detection |
| Stage 4 | detect-secrets | Secret/credential detection |
| Stage 5 | OSV API | Dependency vulnerability scanning |
Snyk Agent Scan is optional and cloud-dependent. If unavailable, scanning continues with local tools.
Getting Help
- Security questions: Open an issue on GitHub
- Vulnerability report: Email [email protected]
- Documentation: Security Model
This checklist is partially enforced automatically by `tank scan` and install-time checks. Run it early and often during development. See the [Security Model](/docs/security) for the actual enforcement model.