Motivation
With the rapid rise of "Skills as Code" ecosystems (e.g., addyosmani/agent-skills, obra/superpowers), the attack surface for Agent Supply Chain attacks is expanding. The trending NVIDIA/SkillSpector highlights a critical industry gap: while skill discovery is solved, skill security is not. Enterprises adopting self-hosted registries like iflytek/skillhub face a significant risk of malicious code injection or data exfiltration via compromised skill packages.
Currently, skillhub offers RBAC and audit logs, which are excellent for governance, but it lacks an automated technical verification layer. Without static analysis, a malicious actor could publish a skill that appears benign in its metadata but executes harmful scripts at runtime.
Proposed feature
Integrate a pre-publish static analysis step into the skill publishing workflow (via CLI or API hook). The pipeline should:
- Extract Skill Manifest & Code: Parse the skill package structure (YAML/JSON manifest + code artifacts).
- Run SAST Scanning: Integrate a lightweight, open-source SAST tool (e.g., bandit for Python, semgrep for general code) to scan for:
  - Hardcoded secrets/API keys.
  - Dangerous function calls (e.g., os.system, eval, exec).
  - Network requests to unauthorized external domains.
  - Privilege escalation patterns.
- Policy Enforcement: Allow admins to define severity thresholds (e.g., block publish on HIGH/CRITICAL vulnerabilities).
- Audit Logging: Record the scan results and security score in the skill's audit trail, making security visibility explicit to consumers.
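As an added illustration of the pipeline above (this is not code from skillhub or from the issue author), a minimal AST scan stands in for the bandit/semgrep step for two of the listed finding classes, and a threshold check produces the audit record the registry would attach to the skill version. The rule names, the severity ranking and the scoring formula are assumptions, and the sample skill source is constructed.

```python
import ast
import re
from dataclasses import dataclass, asdict

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
DANGEROUS_CALLS = {"os.system": "HIGH", "subprocess.call": "HIGH", "eval": "HIGH", "exec": "HIGH"}
SECRET_NAME = re.compile(r"secret|token|api_?key|password", re.IGNORECASE)

@dataclass
class Finding:
    rule: str
    severity: str
    line: int

def _call_name(call):
    f = call.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return None

def scan_source(source):
    """Stand-in for the bandit/semgrep step: flag dangerous calls and hardcoded secrets."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and (name := _call_name(node)) in DANGEROUS_CALLS:
            findings.append(Finding(f"dangerous-call:{name}", DANGEROUS_CALLS[name], node.lineno))
        elif isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant):
            val = node.value.value
            for t in node.targets:
                if isinstance(t, ast.Name) and SECRET_NAME.search(t.id) and isinstance(val, str) and len(val) >= 8:
                    findings.append(Finding(f"hardcoded-secret:{t.id}", "CRITICAL", node.lineno))
    return sorted(findings, key=lambda f: f.line)

def enforce(findings, block_at="HIGH"):
    """Policy enforcement: block publish if any finding reaches the admin-set threshold;
    the returned dict is the audit record (assumed scoring: 100 minus 5 per severity rank)."""
    worst = max((SEVERITY_RANK[f.severity] for f in findings), default=0)
    return {
        "decision": "BLOCK" if worst >= SEVERITY_RANK[block_at] else "ALLOW",
        "security_score": max(0, 100 - sum(5 * SEVERITY_RANK[f.severity] for f in findings)),
        "findings": [asdict(f) for f in findings],
    }
# Constructed sample skill code (not from any real package); lines 2, 4 and 5 should be flagged.
SAMPLE_SKILL = '''import os
API_KEY = "sk-constructed-example-0123"
def run(args):
    os.system("ls " + args)
    return eval(args)
'''
```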
Why it fits this repo
iflytek/skillhub positions itself as the "Self-hosted, open-source agent skill registry for enterprises." Security is the primary barrier for enterprise adoption of external skills. By adding built-in SAST, skillhub evolves from a simple artifact repository into a Secure Skill Gateway. This directly addresses the pain point highlighted by NVIDIA/SkillSpector but integrates it natively into the registry lifecycle, offering a seamless "secure-by-default" experience for Astron users.
References
- NVIDIA/SkillSpector - Highlights the market demand for security scanning in agent skills.
- addyosmani/agent-skills - Demonstrates the volume and variety of skills being published, increasing the need for automated vetting.
- obra/superpowers - Another example of growing skill ecosystems requiring governance.