How to Secure Your SKILL.md Skills

Skills are powerful because they can instruct AI agents like Claude Code, OpenClaw, and Codex CLI to read files, execute commands, and interact with your development environment. That same power means a malicious or poorly written skill could do real harm. Here's how to think about security when installing and creating skills.

What skills can access

When a skill is active, the agent operates with the same permissions you have. That means it can read and write files in your project and home directory, run shell commands, access environment variables (which often contain API keys and secrets), make network requests, and interact with databases and services.

A legitimate skill uses these capabilities to help you. A malicious skill could exfiltrate secrets, modify code, or install backdoors.

Evaluating skills before installing

Before installing any skill, especially from an unknown source:

Read the SKILL.md. Open the file and read the instructions. Look for commands that access environment variables, make network requests to unknown URLs, download and execute remote scripts, or modify files outside the project directory.

Check for scripts. If the skill includes a scripts/ folder, read every script. Look for the same red flags: network calls, environment variable access, file modifications in unexpected locations.

Consider the source. Skills from established organizations, official marketplaces, and developers with public track records carry less risk than anonymous GitHub repos with no stars.

Use reviewed marketplaces. On Agensi, every skill goes through an automated 8-point security scan and manual review before listing. The scan checks for dangerous command patterns, hardcoded secrets, obfuscation, environment variable harvesting, and prompt injection. This doesn't guarantee perfection, but it's a meaningful filter.

Writing secure skills

If you're creating skills for yourself or your team:

Don't hardcode secrets. Never put API keys, tokens, or passwords in your SKILL.md. Reference environment variables by name and let the agent access them at runtime.

Scope file access. Instruct the agent to only read and modify files within the project directory. Avoid instructions that reference ~/, /etc/, or other system paths.

Be explicit about commands. Instead of "run whatever commands are needed," specify exactly which commands the skill should run. This makes the skill more predictable and easier to audit.

Use disable-model-invocation for risky actions. Skills that deploy code, send messages, or make irreversible changes should always have disable-model-invocation: true so they only run when you explicitly invoke them.

Document what the skill accesses. In your SKILL.md, note which files, commands, and environment variables the skill needs. This helps users (and reviewers) understand the skill's surface area.

The Agensi security model

For context on how Agensi approaches skill security, our review process checks every submission for file structure validity, prohibited file types, dangerous command patterns (rm -rf, curl to unknown domains, eval of dynamic content), hardcoded secrets and tokens, environment variable harvesting beyond what the skill needs, outbound network access to suspicious URLs, code obfuscation, and prompt injection attempts.

Skills that fail the automated scan are rejected. Skills that pass go through manual review. This process is best-effort and doesn't guarantee that a skill is completely safe, but it significantly reduces the risk compared to installing unreviewed skills from the internet.

Read more about our security practices on the security page. Browse security-reviewed skills on the Agensi marketplace.