skill-veil

skill-veil

Secure agent extensions.

Scan skills, prompt packs, instruction files, MCP manifests, scripts, and runtime artifacts before they become trusted agent behavior.

Download release Read the source

Agent extensions are often markdown, manifests, and natural-language instructions. skill-veil gives reviewers and CI pipelines a focused answer: should this artifact be allowed, reviewed, or blocked?

Execution model

From artifact to enforceable decision

01

Discover

Find `SKILL.md`, agent instruction files, prompt packs, MCP manifests, scripts, manifests, lockfiles, and Docker artifacts.

02

Analyze

Apply rule packs, taint checks, semantic patterns, artifact parsing, and optional external enrichment.

03

Decide

Map findings to `log`, `require_approval`, or `block` with policy profiles, waivers, baselines, and overrides.

04

Gate

Emit JSON, SARIF, SHIELD, compact summaries, and diff decisions that CI can enforce without noisy logs.

What it catches

Security signals for prose-driven software

Generic malware engines are strongest on executable reputation and binary indicators. skill-veil targets the layer where an agent extension can hide intent: instructions, helper scripts, autonomy patterns, and access to secrets or network sinks.

Open the threat model
Prompt riskinstruction tampering, persistent override language, prompt packs
Autonomyapproval bypass, unbounded loops, self-directed tool execution
Secretsreads of SSH, AWS, env files, browser cookies, identity material
Networkremote instruction fetch, callbacks, external MCP endpoints, C2-like staging
Runtimeprivileged containers, host mounts, process execution, install hooks
Supply chainunpinned dependencies, missing lockfiles, unsafe package metadata

Review artifact

Readable for humans, stable for machines

Keep JSON for diffing and baselines, upload SARIF to code scanning, and use compact summaries when the build log should show only what changed. 

skill-veil scan-package . --format json --output current.json
skill-veil diff previous.json current.json \
  --baseline .skill-veil/baseline.json \
  --waivers .skill-veil/waivers.yaml \
  --ci-summary --fail-on new-active

DIFF new_active=0 resolved=2 waived=1 baselined=3 unchanged=5

Operational fit

Install once, enforce where review happens

Install from source

git clone https://github.com/seifreed/skill-veil.git
cd skill-veil
cargo install --path crates/skill-veil-cli

Scan immediately

skill-veil init
skill-veil scan-file examples/malicious-skill/SKILL.md
skill-veil scan-package . --preset ci

Publish SARIF

skill-veil scan-package . \
  --format sarif \
  --output artifacts/current.sarif
Signed rule packs Runtime-fetched official rules are verified before they take precedence over the embedded baseline.
Auditable policy Waivers, baselines, overrides, and effective decisions are reflected in JSON reports.
Benchmark artifacts Corpus files, history reports, baseline overrides, and methodology notes are committed for review.