Security Model
Killer-Skills runs locally on your machine. This means valid skills have the same permissions as your user account.
Best Practices
- Review Instructions - Always read the SKILL.md before installing or running a new skill, especially from untrusted sources.
- Sandboxing - For high-risk tasks, consider running skills within a containerized environment (e.g., Docker) or a restricted shell.
- API Keys - Never commit API keys to SKILL.md. Use environment variables instead.
- Audit - Regularly audit installed skills using killer-skills list.
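A pre-commit check for the API Keys practice above, as an added example that is not part of Killer-Skills or its documentation: it flags lines in any SKILL.md under a directory that look like hard-coded credentials. The function name, the patterns and the directory layout are assumptions, and the patterns are heuristic rather than exhaustive.

```shell
#!/bin/sh
# Added example (not Killer-Skills code): heuristic scan of SKILL.md files
# for values that look like hard-coded credentials.
# Assumption: skills live somewhere under the directory given as $1.

# Extended regex for common credential shapes:
#   - AWS-style access key IDs
#   - PEM private key headers
#   - "api_key / secret / token / password" followed by : or = and a
#     literal value of 16+ characters. References such as $MY_KEY or
#     ${MY_KEY} do not match, because "$" is not in the value class.
SECRET_PATTERNS="(AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----|(api[_-]?key|secret|token|password)[[:space:]]*[:=][[:space:]]*[\"']?[A-Za-z0-9_/+=-]{16,})"

# scan_skill_files DIR
# Prints "file:line: possible hard-coded credential" for each suspicious
# line (the matched value itself is never echoed) and returns 1 if any
# were found, 0 otherwise. Paths containing ":" will be reported truncated.
scan_skill_files() {
    _dir="${1:-.}"
    # /dev/null as an extra operand makes grep print the file name even
    # when find hands it a single file.
    _hits=$(find "$_dir" -type f -name 'SKILL.md' \
                -exec grep -nEi -e "$SECRET_PATTERNS" /dev/null {} + \
            | cut -d: -f1,2)
    if [ -n "$_hits" ]; then
        printf '%s\n' "$_hits" | sed 's/$/: possible hard-coded credential/'
        return 1
    fi
    return 0
}

# Usage from a pre-commit hook (hypothetical):
#   scan_skill_files . || exit 1
```

A clean result only means none of these patterns matched; reading the SKILL.md before committing or installing still applies.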
Reporting Vulnerabilities
If you find a security vulnerability in a skill or the CLI itself, please report it to security@killer-skills.com.