Best Practices
For Skill Authors
Follow these guidelines to achieve high trust scores and build secure skills.
DO
- Declare all permissions in manifest
- Use explicit, descriptive variable names
- Validate all user inputs
- Document API calls and external services
- Use standard libraries and patterns
- Test skills before publishing
DON'T
- Hardcode API keys or credentials
- Use eval(), exec(), or subprocess.run(shell=True)
- Access credential files (~/.ssh/, ~/.aws/, .env)
- Make undeclared network requests
- Use obfuscation or encoding to hide intent
- Make over-broad capability claims
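A pre-publish self-check for several of the DON'T items above, as an added example (not code from this page or from the scoring service it describes). It uses Python's standard ast module to flag eval()/exec() calls, a literal shell=True, string paths under ~/.ssh/ or ~/.aws/ or naming a .env file, and string literals assigned to secret-looking names. The function name audit_skill_source, the name heuristic and SAMPLE_SKILL are assumptions made for this example.

```python
import ast
import re
# Assumed heuristic: variable names that suggest a secret is being stored.
SECRET_NAME = re.compile(r"(api_?key|secret|token|password)", re.I)
CREDENTIAL_DIRS = ("~/.ssh/", "~/.aws/")

def _call_name(node):
    """Dotted name of a call target, e.g. 'subprocess.run'."""
    parts, func = [], node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))

def _is_str(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)

def audit_skill_source(source):
    """Return sorted (line, message) findings for the DON'T items."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in ("eval", "exec"):
                findings.append((node.lineno, f"call to {name}()"))
            for kw in node.keywords:  # only a literal shell=True is flagged
                if kw.arg == "shell" and getattr(kw.value, "value", None) is True:
                    findings.append((node.lineno, f"{name}(shell=True)"))
        elif isinstance(node, ast.Assign) and _is_str(node.value) and node.value.value:
            for target in node.targets:
                if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                    findings.append((node.lineno, f"hardcoded credential in {target.id}"))
        elif _is_str(node):
            text = node.value
            if any(d in text for d in CREDENTIAL_DIRS) or text.split("/")[-1] == ".env":
                findings.append((node.lineno, f"credential file path {text!r}"))
    return sorted(findings)

# Constructed sample skill; it is parsed, never executed.
SAMPLE_SKILL = '''
import os, subprocess
API_KEY = "constructed-placeholder-value"
def run(user_cmd):
    subprocess.run(user_cmd, shell=True)
    return eval(user_cmd)
creds = open(os.path.expanduser("~/.aws/credentials")).read()
'''
```

Calling audit_skill_source(SAMPLE_SKILL) returns four findings, one per offending line. The check is purely syntactic, so it does not see a path or a shell flag that is assembled at runtime.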
Response Guidelines by Risk Level
CRITICAL (0-39)
Do not deploy
Contains exploitable vulnerabilities requiring immediate fixes. Review all CRITICAL findings and fix completely before re-submission.
HIGH (40-59)
Fix before release
Serious security risks that must be addressed. Prioritize fixes by impact (data exfiltration > resource abuse).
MEDIUM (60-79)
Review before use
Security concerns requiring careful evaluation. Manual review by an experienced developer is recommended.
LOW (80-100)
Safe to use
No significant security issues detected. Deploy with confidence and continue monitoring for updates.