
Implement runtime sandboxing and egress policy enforcement for skill execution #522

Description

@FenjuFu

Motivation

With the rapid adoption of AI Agent ecosystems, the security boundary of "Skills" has become a critical concern. NVIDIA/SkillSpector is currently trending (5.3k+ stars) specifically because it addresses the "black box" fear of third-party agent skills, focusing on static analysis and permission auditing. However, static scanning is only the first line of defense. As aisuite gains traction by standardizing multi-model integration, the operational risk shifts from "which model to use" to "how to safely execute arbitrary code within a skill."

Current enterprise deployments often face a gap: a skill might pass SAST (which skillhub is already working on), but at runtime it could still make unintended network calls, read sensitive local files, or exhaust system resources. To truly match the "Security-by-Design" narrative driving today's enterprise AI adoption, we need runtime enforcement, not just static analysis.

Proposed feature

I propose adding a Runtime Sandbox & Egress Policy Engine to skillhub's execution environment. This feature would allow administrators to define strict execution policies for skill packages before they are deployed or invoked.

Key capabilities:

  1. Network Egress Control: Allow/Deny specific domains or IPs via a configurable policy list (similar to Kubernetes NetworkPolicies). Skills should be isolated from the host network by default.
  2. Filesystem Isolation: Mount skill code and required assets into a read-only volume, with explicit, scoped write permissions only for designated temporary directories.
  3. Resource Quotas: Enforce CPU and memory limits per skill execution instance to prevent DoS scenarios.
  4. Audit Logging: Log all system calls and network requests during execution for post-mortem analysis, integrating with skillhub's existing audit log module.

Implementation suggestion:

  • Leverage existing lightweight containerization (e.g., gVisor or Firecracker microVMs) or Linux namespaces/cgroups for isolation.
  • Expose these policies via a new security_policy field in the skill metadata schema.
  • Provide a CLI tool skillhub scan --runtime to simulate execution and validate policy compliance before publishing.
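As an added illustration of how the key capabilities above could be checked against a security_policy block before a skill is admitted (this is example code written for this issue, not skillhub's own implementation; the policy layout, field names other than security_policy, and the sample values are assumptions), the following evaluator applies default-deny egress with deny-over-allow precedence, confines writes to designated scratch directories after collapsing `..`, and rejects quotas above an administrator ceiling:

```python
import fnmatch
import ipaddress
import posixpath

# Constructed sample of a security_policy block in skill metadata. The field
# name comes from the proposal; the shape of its contents is an assumption.
SAMPLE_POLICY = {
    "network": {"default": "deny", "deny": ["10.0.99.0/24"],
                "allow": ["api.example.com", "*.internal.example", "10.0.0.0/8"]},
    "filesystem": {"read_only": True, "writable": ["/tmp/skill-scratch"]},
    "resources": {"cpu_millicores": 500, "memory_mb": 256},
}

def _matches(target: str, pattern: str) -> bool:
    """Match a hostname or IP against a domain glob or a CIDR prefix."""
    try:
        return ipaddress.ip_address(target) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:  # either side is not an IP/CIDR: fall back to a domain glob
        return fnmatch.fnmatchcase(target.lower(), pattern.lower())

def check_egress(policy: dict, host: str) -> tuple[bool, str]:
    """Deny rules win over allow rules; unmatched hosts fall to the default (deny)."""
    net = policy.get("network", {})
    if any(_matches(host, p) for p in net.get("deny", [])):
        return False, f"{host} matches a deny rule"
    if any(_matches(host, p) for p in net.get("allow", [])):
        return True, f"{host} matches an allow rule"
    default = net.get("default", "deny")
    return default == "allow", f"{host} unmatched, default={default}"

def check_write(policy: dict, path: str) -> tuple[bool, str]:
    """Allow a write only inside a designated writable directory, after collapsing '..'."""
    fs = policy.get("filesystem", {})
    real = posixpath.normpath(posixpath.join("/", path))  # anchor and normalise
    for root in (posixpath.normpath(r) for r in fs.get("writable", [])):
        if real == root or real.startswith(root + "/"):
            return True, f"{real} is inside writable dir {root}"
    if fs.get("read_only", True):
        return False, f"{real} is outside every writable dir"
    return True, "filesystem is not read-only"

def check_resources(policy: dict, cpu_ceiling_m: int, mem_ceiling_mb: int) -> tuple[bool, str]:
    """Reject a quota that is undeclared or above the administrator's per-instance ceiling."""
    res = policy.get("resources", {})
    cpu, mem = res.get("cpu_millicores"), res.get("memory_mb")
    if cpu is None or mem is None or cpu > cpu_ceiling_m or mem > mem_ceiling_mb:
        return False, f"quota {cpu}m/{mem}MB not within ceiling {cpu_ceiling_m}m/{mem_ceiling_mb}MB"
    return True, "quota within ceiling"
```

The same checks would back a `skillhub scan --runtime` pre-publish step: run the policy against the hosts, paths and quotas a skill declares and refuse to publish on the first denied result.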

Why it fits this repo

iflytek/skillhub is positioned as a "Self-hosted, open-source agent skill registry for enterprises." The existing roadmap already includes SAST integration. Adding runtime sandboxing completes the security lifecycle (Static Analysis + Runtime Enforcement). This directly addresses the enterprise pain point highlighted by the NVIDIA/SkillSpector trend: providing a trusted, governed environment for executing third-party or internal skills, distinguishing skillhub from simple code repositories.

References

  • NVIDIA/SkillSpector: Trending repo focusing on agent skill security governance.
  • andrewyng/aisuite: Trending repo highlighting the need for standardized, safe AI integration layers.

Labels

  • effort/l: Large or risky change requiring maintainer ownership.
  • priority/p2: Medium priority triage bucket.
  • triage/needs-info: Issue needs more detail before it can be routed.