Security-first behavioral guidelines for cautious agent operation. Use this skill for ALL operations involving external resources, installations, credentials, or actions with external effects. Triggers on: any URL/link interaction, package installations, API key handling, sending emails/messages, social media posts, financial transactions, or any action that could expose data or have irreversible effects.
Security Analysis
High confidence: An instruction-only 'zero trust' checklist whose requirements and behavior are consistent with its stated purpose and which does not request credentials, installs, or elevated privileges.
The skill's name and description (a conservative security checklist) match the SKILL.md instructions. It requests no env vars, binaries, or installs that would be unrelated to a 'zero trust' policy.
The runtime instructions are appropriately restrictive and focused on verifying external interactions. Minor issues: the guidance hardcodes asking approval from a person named 'Pat' (unclear who that maps to in your workflow), and some items are prescriptive/opinionated (e.g., always store credentials under ~/.config/). The instructions could produce many human approval prompts, which may materially slow or block agent operations.
No install spec and no code files — lowest-risk form. Nothing is downloaded or written to disk by the skill itself.
The skill requests no environment variables, credentials, or config paths beyond general storage recommendations. There is no disproportionate access requested.
The skill is not force-included (always:false) and is user-invocable. It does not request system-wide changes or modify other skills' configs.
Guidance
This skill is essentially a conservative checklist and is internally coherent and low-risk because it has no install or credential requirements. Before enabling it: (1) confirm who the skill means by the human approver ('Pat') and how human approvals will be presented to you, (2) be aware it will demand many explicit approvals and could slow automated workflows, (3) review/personalize prescriptive items (credential storage path, what counts as 'trusted' search engines), and (4) test it in a controlled environment to ensure its prompts and STOP/ASK guidance integrate with your agent's UI/workflow. If you need automatic operations, this skill's strictness may be impractical without human-in-the-loop tooling.
Latest Release
v1.0.0
**Initial release: Establishes security-first protocols for all high-risk operations.**

- Introduces zero-trust guidelines for agent operations involving external resources, installations, or credentials.
- Requires explicit human approval for sensitive actions such as sending emails, installing packages, or clicking unknown links.
- Outlines STOP → THINK → VERIFY → ASK → ACT → LOG flow for all external actions.
- Defines strict credentials handling: never log or expose, always store securely.
- Provides clear red flags to identify risky operations and immediate STOP criteria.
Published by @doonot on ClawHub