Motivation
With the rapid adoption of AI Agent ecosystems, the security boundary of "Skills" has become a critical concern. NVIDIA/SkillSpector is currently trending (5.3k+ stars) specifically because it addresses the "black box" fear of third-party agent skills, focusing on static analysis and permission auditing. However, static scanning is only the first line of defense. As aisuite gains traction by standardizing multi-model integration, the operational risk shifts from "which model to use" to "how to safely execute arbitrary code within a skill."
Current enterprise deployments often face a gap: a skill might pass static analysis (SAST, which skillhub is already working on), but at runtime it could still perform unintended network calls, access sensitive local files, or exhaust system resources. To truly match the "Security-by-Design" narrative driving today's enterprise AI adoption, we need runtime enforcement, not just static analysis.
Proposed feature
I propose adding a Runtime Sandbox & Egress Policy Engine to skillhub's execution environment. This feature would allow administrators to define strict execution policies for skill packages before they are deployed or invoked.
Key capabilities:
- Network Egress Control: Allow/Deny specific domains or IPs via a configurable policy list (similar to Kubernetes NetworkPolicies). Skills should be isolated from the host network by default.
- Filesystem Isolation: Mount skill code and required assets into a read-only volume, with explicit, scoped write permissions only for designated temporary directories.
- Resource Quotas: Enforce CPU and memory limits per skill execution instance to prevent DoS scenarios.
- Audit Logging: Log all system calls and network requests during execution for post-mortem analysis, integrating with skillhub's existing audit log module.
Implementation suggestion:
- Leverage existing lightweight containerization (e.g., gVisor or Firecracker microVMs) or Linux namespaces/cgroups for isolation.
- Expose these policies via a new `security_policy` field in the skill metadata schema.
- Provide a CLI tool `skillhub scan --runtime` to simulate execution and validate policy compliance before publishing.
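To make the proposal concrete, here is a minimal policy checker of the kind `skillhub scan --runtime` could run over a simulated execution's audit events. This is an added illustration, not skillhub code; the `security_policy` keys, the audit-event shapes and the sample values are assumptions.

```python
import fnmatch
from dataclasses import dataclass, field

@dataclass
class SecurityPolicy:
    """Hypothetical shape of the proposed `security_policy` metadata field."""
    allowed_domains: list = field(default_factory=list)  # empty list = deny all egress
    writable_paths: list = field(default_factory=list)   # everything else is read-only
    max_memory_mb: int = 256
    max_cpu_seconds: int = 10

def domain_allowed(policy, host):
    # Exact or glob match; "*.example.com" covers "api.example.com".
    return any(fnmatch.fnmatch(host, pat) for pat in policy.allowed_domains)

def write_allowed(policy, path):
    # Only the designated directories (and files under them) may be written.
    return any(path == p or path.startswith(p.rstrip("/") + "/")
               for p in policy.writable_paths)

def evaluate(policy, events):
    """Return the policy violations found in one simulated run's audit events."""
    violations = []
    for ev in events:
        if ev["type"] == "net" and not domain_allowed(policy, ev["host"]):
            violations.append(f"egress to {ev['host']} is not allow-listed")
        elif ev["type"] == "fs_write" and not write_allowed(policy, ev["path"]):
            violations.append(f"write to {ev['path']} outside writable paths")
        elif ev["type"] == "resource":
            if ev["memory_mb"] > policy.max_memory_mb:
                violations.append(f"memory {ev['memory_mb']}MB exceeds quota")
            if ev["cpu_seconds"] > policy.max_cpu_seconds:
                violations.append(f"cpu {ev['cpu_seconds']}s exceeds quota")
    return violations

# Constructed sample: one policy and the audit events a simulated run produced.
SAMPLE_POLICY = SecurityPolicy(allowed_domains=["api.example.com"],
                               writable_paths=["/tmp/skill"])
SAMPLE_EVENTS = [
    {"type": "net", "host": "api.example.com"},            # allowed
    {"type": "net", "host": "telemetry.example.net"},      # not allow-listed
    {"type": "fs_write", "path": "/tmp/skill/out.json"},   # allowed
    {"type": "fs_write", "path": "/home/agent/.aws/credentials"},  # denied
    {"type": "resource", "memory_mb": 512, "cpu_seconds": 3},      # memory over
]

if __name__ == "__main__":
    for v in evaluate(SAMPLE_POLICY, SAMPLE_EVENTS):
        print("VIOLATION:", v)
```

Note that an empty `allowed_domains` list denies all egress, which is the default-isolated posture the proposal asks for.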
Why it fits this repo
iflytek/skillhub is positioned as a "Self-hosted, open-source agent skill registry for enterprises." The existing roadmap already includes SAST integration. Adding runtime sandboxing completes the security lifecycle (Static Analysis + Runtime Enforcement). This directly addresses the enterprise pain point highlighted by the NVIDIA/SkillSpector trend: providing a trusted, governed environment for executing third-party or internal skills, distinguishing skillhub from simple code repositories.
References
- NVIDIA/SkillSpector: Trending repo focusing on agent skill security governance.
- andrewyng/aisuite: Trending repo highlighting the need for standardized, safe AI integration layers.