Add an AgentSkills security rule for secure skill creation

[ramraaj25]

As AI agents are increasingly being used not only to write code, but also to create and maintain agent skills, I think Project CodeGuard should consider adding a new rule focused on AgentSkills security.

Project CodeGuard already positions itself as a model-agnostic security framework for AI coding agents, with skills and rules intended to guide secure behavior before, during, and after code generation. It also already treats skills and rules as first-class artifacts in the workflow. That makes secure skill creation a natural extension of the project scope. :contentReference[oaicite:1]{index=1}

This feels especially timely because OWASP’s Agentic Skills Top 10 now highlights security risks specific to agent skills across ecosystems including OpenClaw, Claude Code, Cursor/Codex, and VS Code. OWASP describes skills as the execution/behavior layer that controls workflow orchestration, tool use, filesystem/network/shell access, safety guardrails, and persistent state, and it recommends practices such as verified publishers, automated scanning, permission review, and version pinning.

Why this could be useful

A CodeGuard rule here could provide best-practice guidance for agents when they are asked to create or modify skills, for example:

• declare the minimum required permissions and avoid unnecessary capabilities
• make file system, shell, and network access explicit and narrowly scoped
• avoid hidden side effects, unsafe defaults, or ambiguous tool behavior
• require provenance, publisher verification, and integrity checks where relevant
• encourage review/scanning of skills before publishing or installation
• pin versions and dependencies to reduce malicious or breaking updates
• document security boundaries, expected inputs, outputs, and failure modes

Possible scope

This could be introduced either as:

1. a new standalone rule for secure skill authoring and packaging, or
2. a broader skill-security rule family covering authoring, distribution, installation, and runtime expectations

Open questions

• Should this be a single rule or a small ruleset?
• Should it be limited to coding-agent skills, or cover agent skill manifests more generally?
• Should CodeGuard align terminology and recommendations directly with OWASP Agentic Skills Top 10 where possible?

I’d be interested in feedback on whether this fits the current CodeGuard roadmap and, if so, what the initial MVP for such a rule should include.

[musaabhasan]

A secure-skill rule would be useful if it treats skills as executable influence, not just documentation. A malicious or careless skill can change how an agent selects tools, handles secrets, edits files, or interprets user intent.

The rule could check for several patterns:

• instructions that request broad filesystem, network, or credential access without a task-specific reason
• hidden or obfuscated instructions in examples, comments, metadata, or embedded files
• skill text that tells the agent to ignore higher-priority instructions or user confirmations
• unsafe shell patterns, destructive commands, or exfiltration workflows
• missing declaration of required tools, permissions, and external services
• lack of provenance: no owner, version, source repository, or review history

For remediation, the rule should require a minimal manifest: purpose, owner, version, required tools, permission scope, expected inputs/outputs, and safety constraints. That makes skills auditable and gives reviewers something concrete to approve.