Document skill trust model and operator security warnings#212
Open
mrmasa88 wants to merge 1 commit into
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Resolves #109 (Phase 0 — docs only). Adds an operator-facing document explaining Skillware's skill trust model, and wires links to it from the security-relevant files.
This is documentation only. It does not change
SkillLoader, add flags, or implement sandboxing (those remain in #110–#114). It documents the current state honestly.Fixes #109
What's included
docs/security/skill-trust-model.md— the operator mental model:skill.pyin the host process with full filesystem +os.environaccess.SKILLWARE_SKILL_PATH→ cwd./skills/and parents → bundled) and shadowing.constitutionis agent guidance, not Python isolation (with thedefi/evm_tx_handlerexample)../skills/, external path) and what can go wrong.docs/security/README.md— index for the new folder.SECURITY.md(skill execution model section),docs/usage/README.md(security note on "Finding skills on disk"),CONTRIBUTING.md(registry review ≠ runtime isolation),CODE_OF_CONDUCT.md(replaced the undefined "sandboxing rules" reference with a link to the trust doc),CHANGELOG.md([Unreleased]Documentation entry).Acceptance bar
The doc leads with "None of these tiers are sandboxed today," and a new operator comes away understanding: no default sandbox, where code came from matters, and constitution ≠ isolation. No claim that sandboxing exists today.
Naming
The provenance tiers are labeled A/B/C in the doc, but Bundled / Project / External may read more clearly. Happy to rename to whichever you prefer before merge — flagged here rather than in the doc body so the page stays clean.
Made with Cursor