Aulafy
Courses/Agents and automation/Secure and auditable skills

Secure and auditable skills

A good skill packages a procedure. A dangerous skill packages excessive permissions, opaque scripts, and network calls that nobody has read.

  • Create small, versionable skills that are easy to review.
  • Audit `SKILL.md`, auxiliary scripts, and permissions before installing.
  • Avoid skills that mix knowledge, execution, and secrets.
TerminalCode
---
name: deploy-preview
description: Crea un deploy preview y resume el resultado.
allowed-tools: Bash(npm run build), Bash(vercel deploy --yes), Bash(git status *)
disable-model-invocation: true
---
1. Comprueba estado de git.
2. Ejecuta build.
3. Crea deploy preview.
4. Devuelve URL, commit y errores si los hay.
5. No hagas deploy a produccion.

Audit checklist

  • Read the entire `SKILL.md`, not just the description.
  • Look for `curl`, `wget`, `nc`, `ssh`, `gh auth token`, `.env`, and external domains.
  • Review `allowed-tools`: avoid `Bash(*)` unless it is local and trusted.
  • Check scripts included in the skill folder.
  • Test first in a clean project, without real credentials.