Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Security Considerations

This chapter summarizes security guidance from docs/security.md and docs/threat-model.md into an actionable playbook. It explains assets to protect, common attack methods, and critical configurations for a secure skrills deployment.

Assets Protected

  • High-Value Data: Includes sensitive information like user prompts, configuration files, and skill content.
  • Availability Assets: Core components vital for service continuity, including the MCP server process, the cache system, and filesystem skill roots.

Threat Model

Key Attackers:

  • Malicious Skills: Untrusted SKRILL.md content used to inject harmful instructions into prompts.
  • Supply-Chain Compromises: Vulnerabilities in compromised dependencies.
  • Local Attackers: Users with filesystem access who try to tamper with skill files or configuration.

Primary Mitigations:

  • Path canonicalization and skill-root allowlists to prevent directory traversal attacks.
  • Strict size guards (e.g., --max-bytes) to limit the impact of malicious content.
  • Future skill signing and allowlisting to reduce the skill injection attack surface.

Production Checklist

  1. Operate as an unprivileged service account and configure strict file permissions (chmod 600) for sensitive configuration files.
  2. Enable audit logging (once available) and review logs regularly.
  3. Restrict skill sources: Only load skills from trusted directories.
  4. Monitor skill content: Review skill files for suspicious content before use.

Secrets Management

  • Store secrets securely in environment variables or integrate with a dedicated secrets manager. Never commit them to version control.
  • Apply chmod 600 permissions to configuration files containing sensitive data.
  • Plan for regular credential rotations where applicable.

Deployment Patterns

  • Stdio/Local Mode: Relies on process isolation and filesystem permissions. Store secrets in environment files, not directly within manifests.
  • Claude Code Integration: The hook-based integration inherits Claude Code’s security model. Verify Claude Code itself is properly configured.

Future Security Enhancements

  • Tamper-Evident Audit Logs: Tamper-evident audit log channel for skill loading events.
  • Skill Signing/Allowlisting: Skill signing and allowlisting to harden the supply chain for SKILL.md content.