Pre-install audit for agent skills
Review source, permissions, execution risk, context risk, and alternatives before install. SAS-v2.1 turns public evidence into comparable pre-install decisions for agent skills.
SAS-v2.1 dimensions
Who published it and whether it is traceable
If source, repository, or publisher is not traceable, users cannot judge ownership or remediation paths.
Whether install steps can be reviewed
Install scripts, dependencies, lockfiles, and licenses decide whether users can review supply-chain risk.
Whether tool descriptions may hide instructions
Agents read skill descriptions, rules, and tool metadata; hidden instructions can steer behavior.
What it can access
Broader permissions increase blast radius after misuse or injection.
Whether it runs commands or scripts
Command execution, shell=true, spawn/exec, and install scripts are high-risk entry points.
Whether file reads/writes can escape scope
Unbounded file access or path joins can read sensitive files or overwrite project content.
Whether it may send data out
Network, webhook, upload, browser, or RAG features may send local content to external services.
Whether it handles tokens, private keys, or agent identity
API keys, tokens, private keys, and agent identities often cause irreversible impact when leaked.
Whether external content can steer behavior
External pages, documents, rules, or tool descriptions can steer the agent into unsafe actions.
Whether memory or retrieved context can be poisoned
Long-term memory, vector stores, and retrieved context can carry malicious content into future tasks.
Whether destructive or external actions require confirmation
Delete, write, transfer, message, and data-egress actions need clear confirmation boundaries.
How far impact can spread when something goes wrong
Project-bound directories, low privilege, containers, and manual confirmation reduce blast radius.
Whether actions can be traced
Users need to know what the skill did, what it accessed, and where it failed.
Whether it is maintained and reusable
Maintenance, docs, and license affect remediation, team adoption, and redistribution.
Public standard crosswalk
malicious skills · insecure permission scope · skill supply-chain abuse
unexpected code execution · agentic supply chain · memory/context poisoning · tool misuse
prompt injection · supply-chain vulnerabilities · excessive agency · insecure plugin design
tool poisoning · confused deputy · authorization boundaries · tool/server trust
govern · map · measure · manage · trustworthiness and risk management
agent permissions · RAG poisoning · memory safety · observability
inventory · ownership · least privilege · lifecycle · human oversight
source integrity · build provenance · dependency and license transparency
shell risk · path traversal · least privilege · manual confirmation
SAS-v2.1 incorporates general risk models from public Agent/MCP security research. The standard, scoring, and product language are designed by SkillTrust and do not imply third-party certification or endorsement.