
Security

Security-first by design.

SkillHub treats security as a core operating principle, not an afterthought. Every skill is reviewed, every runtime call is governed, and every secret stays protected.

Principles

How we protect the platform

Permission review

Every skill declares required permissions. High-risk permissions (filesystem, network, secrets) trigger mandatory human review before public listing.

Runtime governance

Project-scoped API keys, per-call audit trails, rate limiting, and budget enforcement. No anonymous invocations reach production runtimes.

Secret isolation

OAuth secrets, API tokens, and private keys never appear in public manifests, logs, or error responses. Runtime secrets are injected at execution, not stored in contracts.

Incident response

Critical vulnerabilities trigger immediate suspension. Affected developers receive automated notifications with mitigation guidance.

Responsible disclosure

Report security issues without exposing secrets.

Use the public support path to request a secure disclosure channel during Launch Preview. Do not put sensitive data into public reports.

What to include

  • Affected public URL or skill slug
  • Impact summary and severity estimate
  • Reproduction steps (without real secrets)
  • Your preferred secure contact method

What not to include

  • OAuth secrets or API tokens
  • Passwords or private keys
  • Customer data or PII
  • Exploit payloads or proof-of-concept code
security-report.md

```markdown
## Security Report

affected: /skills/browser-research
severity: medium
type: permission-escalation
description:
Skill declares read-only in manifest,
but runtime attempts filesystem writes.
contact: researcher@example.com

---

# No real tokens or secrets included
```
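As an added example that is not part of the SkillHub page or its tooling: a pre-submission check for the report template above. It parses the `key: value` fields, confirms the items listed under "What to include" are present, and refuses the report when it appears to contain something from "What not to include". The field names come from the template; the severity scale, the secret-detection patterns and the sample reports are assumptions constructed for the example.

```python
import re

REQUIRED_FIELDS = ("affected", "severity", "type", "description", "contact")
SEVERITIES = {"low", "medium", "high", "critical"}  # assumed scale, not stated on the page
# Heuristics for material the page says must never appear in a report (constructed).
SECRET_PATTERNS = (
    ("private key block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("bearer token", re.compile(r"(?i)\bBearer\s+[A-Za-z0-9._~+/=-]{16,}")),
    ("long opaque token", re.compile(r"(?<![\w-])[\w-]{40,}(?![\w-])")),
)

def parse_report(text):
    """Parse 'key: value' lines; following non-key lines continue the value."""
    fields, key = {}, None
    for line in text.splitlines():
        if line.lstrip().startswith("#") or line.strip() == "---":
            continue  # markdown heading/comment or the closing rule, not report data
        m = re.match(r"^([a-z_-]+):\s*(.*)$", line)
        if m:
            key = m.group(1)
            fields[key] = m.group(2).strip()
        elif key is not None and line.strip():
            fields[key] = (fields[key] + " " + line.strip()).strip()
    return fields

def check_report(text):
    """Return the list of problems; an empty list means the report is safe to submit."""
    fields = parse_report(text)
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if not fields.get(f)]
    if fields.get("severity") and fields["severity"] not in SEVERITIES:
        problems.append(f"unknown severity: {fields['severity']}")
    for name, pattern in SECRET_PATTERNS:
        if pattern.search(text):  # scan the raw text, not just parsed fields
            problems.append(f"possible secret: {name}")
    return problems

# Constructed samples: the template above, and a copy missing 'contact' that pastes a captured header.
CLEAN_REPORT = """## Security Report
affected: /skills/browser-research
severity: medium
type: permission-escalation
description:
Skill declares read-only in manifest,
but runtime attempts filesystem writes.
contact: researcher@example.com
---
# No real tokens or secrets included
"""
LEAKY_REPORT = CLEAN_REPORT.replace("contact: researcher@example.com\n", "").replace(
    "filesystem writes.", "filesystem writes.\nSeen: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9abcdefghijkl")
```

Running `check_report` on a draft before submitting it returns an empty list for the clean template and names each missing field or suspected secret otherwise.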

Response timeline

What happens after you report

  • 01 Acknowledgment (< 24h): We confirm receipt within 24 hours and provide a secure channel if needed.
  • 02 Triage (24–72h): The security team assesses severity, scope, and affected systems.
  • 03 Mitigation (1–7 days): Critical issues receive immediate action. Non-critical issues enter the sprint queue.
  • 04 Resolution (varies): Fix deployed, affected parties notified, and public advisory published if appropriate.

Current posture

Platform security status

  • Skill review (Active): All submitted skills undergo automated + human review
  • Runtime isolation (Active): Per-project key scoping, rate limits, and audit logging
  • Secret handling (Active): Zero secrets in public surfaces, encrypted at rest
  • Incident pipeline (Active): Monitoring, alerting, and automated suspension triggers


SkillHub - AI Agent Skill Registry