Review source, permissions, execution risk, context risk, and alternatives before install. SAS-v2.1 turns public evidence into comparable decision signals.
Dimensions
15
Total weight
100
Public references
9
How the score works
SkillTrust shows one user-facing pre-install score. SAS-v2.1 is the 15-dimension audit basis behind it; evidence completeness explains how much public evidence supports it; source, maintenance, and community signals stay as score basis instead of separate scores.
1.Start with source and publisher traceability.
2.Check permission boundaries for files, network, commands, and secrets.
3.Confirm install and dependency evidence before you trust the setup.
4.Require manual confirmation for high-risk actions.
5.Compare alternatives and pick stronger-evidence candidates first.
1.Provide GitHub repo, README, license, and traceable source links.
2.Document install steps, dependency origin, permissions, and risk notes.
3.Use least privilege by default.
4.State whether commands, network, file access, or secrets are involved.
5.Add manual confirmation and rollback guidance for high-risk actions.
1.Review evidence per all 15 dimensions, not score-only.
2.Threat tags and control gaps must be traceable to public evidence.
3.Lower confidence when evidence is missing; do not fabricate high grades.
4.Manual review can add context, not unsupported upgrades.
Pre-install audit
Each dimension includes weight and action guidance so you can quickly decide whether to compare further or install.
Focus: Who published it and whether it is traceable
Next action: Review repository, author, and README first; do not install directly when source is pending.
If source, repository, or publisher is not traceable, users cannot judge ownership or remediation paths.
Focus: Whether install steps can be reviewed
Next action: Prefer candidates with install docs and repository evidence.
Install scripts, dependencies, lockfiles, and licenses decide whether users can review supply-chain risk.
Focus: Whether tool descriptions may hide instructions
Next action: Read README, rules, and tool descriptions before install.
Agents read skill descriptions, rules, and tool metadata; hidden instructions can steer behavior.
Focus: What it can access
Next action: Grant only task-required permissions and prefer Ask/manual confirmation.
Broader permissions increase blast radius after misuse or injection.
Focus: Whether it runs commands or scripts
Next action: Manually confirm command-running skills in an isolated directory.
Command execution, shell=true, spawn/exec, and install scripts are high-risk entry points.
Focus: Whether file reads/writes can escape scope
Next action: Check working directory and file access scope before running.
Unbounded file access or path joins can read sensitive files or overwrite project content.
Focus: Whether it may send data out
Next action: If unsure, restrict network access or allow only known domains.
Network, webhook, upload, browser, or RAG features may send local content to external services.
Focus: Whether it handles tokens, private keys, or agent identity
Next action: Do not provide long-lived tokens or private keys to source-pending skills.
API keys, tokens, private keys, and agent identities often cause irreversible impact when leaked.
Focus: Whether external content can steer behavior
Next action: For browser/RAG/rules skills, review permissions and confirmation controls first.
External pages, documents, rules, or tool descriptions can steer the agent into unsafe actions.
Focus: Whether memory or retrieved context can be poisoned
Next action: Try RAG/memory skills in a low-privilege environment first.
Long-term memory, vector stores, and retrieved context can carry malicious content into future tasks.
Focus: Whether external tools and MCP access are clearly bounded
Next action: Confirm which external tools it will connect to before install, and start with the smallest possible set.
Skills may call MCP servers, browsers, connectors, or external SaaS; unclear boundaries amplify authority and data risk.
Focus: Whether destructive or external actions require confirmation
Next action: Avoid directly installing high-risk skills without confirmation controls.
Delete, write, transfer, message, and data-egress actions need clear confirmation boundaries.
Focus: How far impact can spread when something goes wrong
Next action: If unsure, test in an isolated project first.
Project-bound directories, low privilege, containers, and manual confirmation reduce blast radius.
Focus: Whether actions can be traced
Next action: Prefer candidates with logs or previews.
Users need to know what the skill did, what it accessed, and where it failed.
Focus: Whether it is maintained and reusable
Next action: Check license and maintenance before organizational use.
Maintenance, docs, and license affect remediation, team adoption, and redistribution.
Public references
SAS-v2.1 maps public frameworks into SkillTrust's pre-install decision workflow.
Usage note
Scores help prioritize review and comparison. Final installation decisions should still align with your environment and permission policy.
