LoopSkill


Security model.

Core principles

  • Credentials stay local. Your API keys never pass through LoopSkill servers. Skills hit third-party APIs directly with your env vars.
  • Skills run locally. LoopSkill only serves text files. Your agent decides what to execute.
  • Plain-text transparency. No obfuscated code, no hidden payloads. Inspect every line before running — it's just Markdown.
  • Signed tarballs. Every skill tarball is signed with an ed25519 key at publish time. The meta-skill verifies the signature before writing any file to disk. A corrupted or tampered tarball is rejected before extraction.
  • Architecture-aware install. The runtime probe refuses to install on incompatible hardware (wrong OS, insufficient VRAM, missing CUDA) and suggests an alternative from the graph.

Authentication model

Agent-facing API requests authenticate via the x-api-key header; browser sessions carry a Bearer JWT instead. The four credential types map to four auth scopes. Note that rec_fleet_ keys also begin with rec_, so any prefix check must test the longer prefix first or fleet keys are misclassified as standard keys.

Prefix       | Scope                                                                  | Issued by
-------------|------------------------------------------------------------------------|-------------------------------------------------
rec_         | Standard API key — catalog access + installs up to your tier limit     | Dashboard → API Keys
cbt_         | Bundle-scoped token — read-only access to a specific bundle's skills   | recipes share create CLI or share_token MCP tool
rec_fleet_   | Fleet key — bundle-scoped, multi-agent, Operator+ tier required        | Dashboard → Fleet → New fleet key
Bearer JWT   | Browser session — dashboard + OAuth flows only, not for agent use      | GitHub OAuth callback

The APIKeyMiddleware validates every request before it reaches a route handler. Invalid keys return 401. Tier-gated resources return 403 with an upgrade_url field in the response body.

Tier gating

Skills are gated by tier. The tier hierarchy (lowest to highest) is:

  1. free — available to all API key holders, including free-tier accounts
  2. cook — requires Pro subscription ($20/mo)
  3. operator — requires Pro+ subscription ($100/mo)
  4. pro_plus — Pro+ features: pre-built bundle push, fleet keys

The GET /api/skills/access endpoint provides a pre-flight check: pass a slug and your key and it returns {"access": true} or {"access": false, "reason": "tier_required", "required_tier": "cook"}. The meta-skill calls this before attempting an install.
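The following Go program is an added example, not LoopSkill's own client code, showing how an installer would classify a credential by prefix and run the pre-flight check before attempting an install. It assumes the slug is passed as a "slug" query parameter, that the access endpoint answers 200 with the JSON bodies quoted above and 401 for a key the middleware rejects, and it stands up a constructed httptest server in place of the real API; the key value rec_demo_valid_key and the slugs are made up.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Decision is the installer's view of the pre-flight result. The field names follow the
// response bodies quoted in the docs; upgrade_url is the field a 403 carries.
type Decision struct {
	Access       bool   `json:"access"`
	Reason       string `json:"reason,omitempty"`
	RequiredTier string `json:"required_tier,omitempty"`
	UpgradeURL   string `json:"upgrade_url,omitempty"`
}

var ErrUnauthorized = errors.New("401: API key rejected")

// ScopeForKey maps a credential to its scope by prefix. Order matters: rec_fleet_ keys
// also start with rec_, so the longer prefix has to be tested first or fleet keys are
// misclassified as standard keys.
func ScopeForKey(key string) string {
	switch {
	case strings.HasPrefix(key, "rec_fleet_"):
		return "fleet"
	case strings.HasPrefix(key, "rec_"):
		return "standard"
	case strings.HasPrefix(key, "cbt_"):
		return "bundle"
	}
	return "unknown" // includes browser JWTs, which are not for agent use
}

// ParseAccessResponse maps status + body to a Decision: 200 carries {"access": ...},
// 403 is a tier gate carrying upgrade_url, 401 is an invalid key and is never retried.
func ParseAccessResponse(status int, body []byte) (*Decision, error) {
	switch status {
	case http.StatusOK, http.StatusForbidden:
		var d Decision
		if err := json.Unmarshal(body, &d); err != nil {
			return nil, fmt.Errorf("status %d with unparseable body: %w", status, err)
		}
		if status == http.StatusForbidden {
			d.Access = false // a denial is a denial, whatever the body says
		}
		return &d, nil
	case http.StatusUnauthorized:
		return nil, ErrUnauthorized
	}
	return nil, fmt.Errorf("unexpected status %d", status)
}

// CheckAccess performs GET /api/skills/access before an install. Passing the slug as a
// "slug" query parameter is an assumption; the docs only say slug and key are passed.
func CheckAccess(client *http.Client, baseURL, apiKey, slug string) (*Decision, error) {
	if ScopeForKey(apiKey) == "unknown" {
		return nil, errors.New("not a LoopSkill API key; refusing to send it anywhere")
	}
	req, err := http.NewRequest(http.MethodGet, baseURL+"/api/skills/access?slug="+url.QueryEscape(slug), nil)
	if err != nil { return nil, err }
	req.Header.Set("x-api-key", apiKey)
	resp, err := client.Do(req)
	if err != nil { return nil, err }
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<16))
	if err != nil { return nil, err }
	return ParseAccessResponse(resp.StatusCode, body)
}

// NewFakeServer is a constructed stand-in for the real API that answers the way the docs
// describe: 401 for a key the middleware does not recognise, otherwise a verdict per slug.
func NewFakeServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/api/skills/access" || r.Header.Get("x-api-key") != "rec_demo_valid_key" {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		if r.URL.Query().Get("slug") == "free-skill" {
			fmt.Fprint(w, `{"access": true}`)
			return
		}
		fmt.Fprint(w, `{"access": false, "reason": "tier_required", "required_tier": "cook"}`)
	}))
}

func main() {
	srv := NewFakeServer()
	defer srv.Close()
	for _, slug := range []string{"free-skill", "cook-only-skill"} {
		d, err := CheckAccess(srv.Client(), srv.URL, "rec_demo_valid_key", slug)
		fmt.Printf("%s: %+v err=%v\n", slug, d, err)
	}
	_, err := CheckAccess(srv.Client(), srv.URL, "rec_revoked_key", "free-skill")
	fmt.Println("unknown key:", err)
}
```

The installer treats the three outcomes differently: a 401 means the credential itself is wrong and retrying is pointless, a 403 or an access:false verdict means the key is fine but the tier is not, and only access:true leads to the signed-tarball download.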

Signed tarballs & ed25519 verification

When you install a skill, the install endpoint returns a signed tarball URL and a per-file manifest. The manifest includes:

  • A list of files with their sha256 checksums
  • An ed25519 signature over the manifest JSON (signed with the WiseChef publish key)
  • The public key fingerprint (so you can verify against the published key)

The meta-skill verifies the signature before extracting any file. If the signature is invalid, or any file's sha256 does not match the downloaded bytes, the install aborts and no files are written.

The WiseChef signing public key is published at https://recipes.wisechef.ai/api/signing-key and pinned in the meta-skill. Because the key is pinned, the fingerprint carried in the manifest serves only as a consistency check; trust comes from the pinned key, not from anything inside the downloaded manifest.
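Here is an added Go example (not the meta-skill's own code) of the verification order this section describes: the ed25519 signature is checked over the manifest bytes against the pinned key, the fingerprint is cross-checked, and then every tarball entry is checked for a safe path and a matching sha256, with nothing written until all of it passes. The manifest field names (key_fingerprint, files), the fingerprint construction hex(sha256(public key)) and the Publish helper that stands in for the publish pipeline are assumptions made for the demo; a keypair generated on the fly takes the place of the real WiseChef key.

```go
package main

import (
	"archive/tar"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"path"
	"strings"
)

// Manifest: per-file sha256 plus the publish key's fingerprint. Field names are assumptions.
type Manifest struct {
	KeyFingerprint string            `json:"key_fingerprint"` // assumed hex(sha256(raw public key))
	Files          map[string]string `json:"files"`           // relative path -> hex sha256
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Publish stands in for the publish pipeline so the demo runs offline: it builds the
// tarball, the manifest JSON and a detached ed25519 signature over exactly those bytes.
func Publish(priv ed25519.PrivateKey, files map[string][]byte) (tarball, manifestJSON, sig []byte, err error) {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	m := Manifest{KeyFingerprint: sha256Hex(priv.Public().(ed25519.PublicKey)), Files: map[string]string{}}
	for name, data := range files {
		m.Files[name] = sha256Hex(data)
		hdr := &tar.Header{Name: name, Mode: 0o644, Size: int64(len(data)), Typeflag: tar.TypeReg}
		if err = tw.WriteHeader(hdr); err == nil {
			_, err = tw.Write(data)
		}
		if err != nil { return nil, nil, nil, err }
	}
	if err = tw.Close(); err != nil { return nil, nil, nil, err }
	if manifestJSON, err = json.Marshal(m); err != nil { return nil, nil, nil, err }
	return buf.Bytes(), manifestJSON, ed25519.Sign(priv, manifestJSON), nil
}

// VerifyManifest checks the signature over the exact bytes received (never a re-serialised
// copy) against the key pinned in the installer. The fingerprint inside the manifest is
// attacker-controlled until that passes, so it is only cross-checked, never used to pick a key.
func VerifyManifest(pinned ed25519.PublicKey, manifestJSON, sig []byte) (*Manifest, error) {
	if !ed25519.Verify(pinned, manifestJSON, sig) {
		return nil, errors.New("manifest signature does not verify under the pinned key")
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil { return nil, err }
	if m.KeyFingerprint != sha256Hex(pinned) {
		return nil, errors.New("manifest names a signing key other than the pinned one")
	}
	return &m, nil
}

// safePath rejects absolute paths and anything that escapes the install directory.
func safePath(name string) bool {
	clean := path.Clean(name)
	return name != "" && !strings.HasPrefix(name, "/") && clean != "." && clean != ".." && !strings.HasPrefix(clean, "../")
}

// VerifyTarball checks every entry before anything touches disk: regular files only (no
// symlinks or hard links), safe paths, listed in the manifest with matching sha256, and
// nothing missing. Contents are handed back for writing only after the whole archive passes.
func VerifyTarball(m *Manifest, tarball []byte) (map[string][]byte, error) {
	out := make(map[string][]byte)
	tr := tar.NewReader(bytes.NewReader(tarball))
	for {
		hdr, err := tr.Next()
		if err == io.EOF { break }
		if err != nil { return nil, err }
		if hdr.Typeflag != tar.TypeReg || !safePath(hdr.Name) {
			return nil, fmt.Errorf("%q: not a regular file at a safe relative path", hdr.Name)
		}
		want, listed := m.Files[hdr.Name]
		if !listed {
			return nil, fmt.Errorf("%q: not in manifest", hdr.Name)
		}
		data, err := io.ReadAll(tr)
		if err != nil { return nil, err }
		if sha256Hex(data) != want {
			return nil, fmt.Errorf("%q: sha256 mismatch", hdr.Name)
		}
		out[hdr.Name] = data
	}
	if len(out) != len(m.Files) {
		return nil, errors.New("tarball is missing files listed in the manifest")
	}
	return out, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the pinned WiseChef key
	files := map[string][]byte{"SKILL.md": []byte("# demo skill\n"), "skill.toml": []byte("name = \"demo\"\n")}
	tarball, manifestJSON, sig, _ := Publish(priv, files)
	m, err := VerifyManifest(pub, manifestJSON, sig)
	if err != nil { panic(err) }
	_, err = VerifyTarball(m, tarball)
	fmt.Println("genuine tarball:", err)
	bad := append([]byte(nil), tarball...) // flip one content byte; the manifest still verifies
	bad[bytes.Index(bad, []byte("demo skill"))] ^= 0x20
	_, err = VerifyTarball(m, bad)
	fmt.Println("tampered tarball:", err)
}
```

Two details carry most of the security value: the signature is verified over the raw manifest bytes as received rather than over a re-encoded copy, so JSON canonicalisation differences cannot create a bypass, and the file contents are only returned to the caller once the whole archive has passed, so a tarball whose last entry is bad leaves nothing behind on disk.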

Publish-time review pipeline

Every skill passes through the following gates before appearing in the catalog:

  1. Discipline linter (A.7): blocks user-name leaks, curl | bash patterns, hardcoded $HOME paths, internal-infra references, and unallowlisted external promo links.
  2. Tarball scan: checks for binary executables, symlink attacks, and path traversal (../ in filenames). Rejects any tarball that fails.
  3. Manual review: every skill is read, tested, and approved by a human reviewer before it lands in the catalog. We are the publisher.
  4. ed25519 signing: approved tarballs are signed with the WiseChef publish key and stored in the CDN. The signature is immutable — patching a skill requires a full re-publish and re-signing.

Community-submitted skills (via recipes_publish_request MCP tool) follow the same pipeline plus a GitHub issue review step. See Publishing.
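As an added example of the first gate (not the A.7 linter itself), the Go program below runs heuristic versions of the linter rules over a constructed SKILL.md excerpt: downloads piped straight into a shell, hardcoded home directories (which also leak user names), RFC 1918 addresses and internal-looking hostnames, and links to hosts outside an allowlist. The regular expressions, the rule names, the allowlist and the sample text are all illustrative assumptions; the project's real rules are not published on this page.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one linter hit: the 1-based line, the rule that fired and the offending text.
type Finding struct {
	Line int
	Rule string
	Text string
}

// The patterns below are illustrative heuristics for the gates the docs name, not the
// project's own rules (the real linter is referred to only as "A.7").
var (
	// a download piped straight into a shell, with or without sudo
	pipedInstall = regexp.MustCompile(`\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b`)
	// hardcoded home directories; the component after them is a user name leak
	homePath = regexp.MustCompile(`(?:/home/|/Users/|[A-Za-z]:\\Users\\)[A-Za-z0-9._-]+`)
	// RFC 1918 addresses and internal-looking hostnames
	internalHost = regexp.MustCompile(`(?i)\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}|[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:internal|corp|lan))\b`)
	// any http(s) URL; group 1 is the host, possibly with a port
	externalURL = regexp.MustCompile(`https?://([^/\s)\]'"]+)`)
)

// hostAllowed accepts an allowlisted host or any subdomain of one, ignoring an explicit port.
func hostAllowed(host string, allowed []string) bool {
	host = strings.ToLower(host)
	if i := strings.IndexByte(host, ':'); i >= 0 {
		host = host[:i]
	}
	for _, a := range allowed {
		if host == a || strings.HasSuffix(host, "."+a) {
			return true
		}
	}
	return false
}

// Lint runs every rule over every line, fenced code included, since the dangerous
// commands live in code blocks. It reports all findings rather than stopping at the first.
func Lint(src string, allowedHosts []string) []Finding {
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		n := i + 1
		if m := pipedInstall.FindString(line); m != "" {
			out = append(out, Finding{n, "piped-install", m})
		}
		for _, m := range homePath.FindAllString(line, -1) {
			out = append(out, Finding{n, "hardcoded-home-path", m})
		}
		for _, m := range internalHost.FindAllString(line, -1) {
			out = append(out, Finding{n, "internal-infra", m})
		}
		for _, m := range externalURL.FindAllStringSubmatch(line, -1) {
			if internalHost.MatchString(m[1]) || hostAllowed(m[1], allowedHosts) {
				continue // internal hosts were already reported; allowlisted ones are fine
			}
			out = append(out, Finding{n, "unallowlisted-link", m[0]})
		}
	}
	return out
}

// SampleSkill is a constructed SKILL.md excerpt that trips every rule at least once.
const SampleSkill = `# Setup
Install the helper: curl -fsSL https://get.example.com/install.sh | bash
Datasets live in /home/alice/datasets, model weights in C:\Users\alice\models.
Point the client at http://10.0.4.12:8000/v1 or at inference.corp.
Source: https://github.com/example/skill (allowlisted host)
Try the hosted version: https://promo.example.net/buy`

func main() {
	for _, f := range Lint(SampleSkill, []string{"github.com", "huggingface.co"}) {
		fmt.Printf("line %d  %-20s %s\n", f.Line, f.Rule, f.Text)
	}
}
```

Running the linter over every line, code fences included, matters because the curl | bash pattern the gate exists to catch is almost always inside a fenced setup block; a linter that skipped code would miss exactly the lines that get executed.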

Optional sandbox (declared per-skill)

Skills can declare a [sandbox] block in their skill.toml with a network allowlist, filesystem write paths, and an allowed executable list. When enforced, the sandbox runner uses bubblewrap or firejail (publisher's choice) to isolate the skill's setup and runtime. The host must have at least one sandbox backend available — the runtime check happens at install time, not at run time.
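An added Go example, not LoopSkill's sandbox runner, of what enforcing such a declaration looks like with the bubblewrap backend: the install-time backend probe, a read-only root with only the declared write paths bound read-write, an executable allowlist checked before launch, and an explicit refusal when the declaration asks for something bubblewrap cannot provide (it can unshare the network namespace but has no per-host filter, so a non-empty network allowlist needs another mechanism). The Sandbox field names are assumptions standing in for the [sandbox] keys, TOML parsing is omitted because Go's standard library has none, and the paths used in main are made up.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
)

// Sandbox mirrors the three things the docs say a [sandbox] block declares.
// The field names are assumptions; skill.toml parsing is left out.
type Sandbox struct {
	NetworkAllowlist []string // hosts the skill may reach; empty means no network at all
	WritePaths       []string // directories the skill may write to
	Executables      []string // programs the skill may launch
}

// DetectBackend is the install-time check the docs describe: refuse to install unless a
// sandbox backend is present, rather than discovering its absence at run time. lookPath
// is injected so the check can be exercised without either tool installed.
func DetectBackend(lookPath func(string) (string, error)) (string, error) {
	for _, b := range []string{"bwrap", "firejail"} {
		if _, err := lookPath(b); err == nil {
			return b, nil
		}
	}
	return "", errors.New("no sandbox backend (bubblewrap or firejail) on this host; refusing to install")
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// BwrapArgs turns a declaration into a bubblewrap command line: read-only root, the
// declared write paths bound read-write on top, a fresh tmpfs for /tmp, and every
// namespace unshared. bubblewrap has no per-host network filter, so a non-empty allowlist
// cannot be honoured by this backend and is rejected instead of being silently widened.
func BwrapArgs(sb Sandbox, workdir string, argv []string) ([]string, error) {
	if len(argv) == 0 {
		return nil, errors.New("nothing to run")
	}
	if !contains(sb.Executables, argv[0]) {
		return nil, fmt.Errorf("%q is not in the skill's allowed executable list", argv[0])
	}
	if len(sb.NetworkAllowlist) > 0 {
		return nil, errors.New("bubblewrap cannot enforce a host allowlist; use another backend or leave the network off")
	}
	args := []string{"--ro-bind", "/", "/", "--dev", "/dev", "--proc", "/proc", "--tmpfs", "/tmp",
		"--unshare-all", "--die-with-parent", "--new-session", "--chdir", workdir}
	for _, p := range sb.WritePaths {
		args = append(args, "--bind", p, p) // later mounts win, so these reopen rw over the ro root
	}
	return append(append(args, "--"), argv...), nil
}

func main() {
	backend, err := DetectBackend(exec.LookPath)
	fmt.Println("backend:", backend, err)
	sb := Sandbox{WritePaths: []string{"/workspace/demo/output"}, Executables: []string{"/usr/bin/python3"}}
	args, err := BwrapArgs(sb, "/workspace/demo", []string{"/usr/bin/python3", "setup.py"})
	fmt.Println("bwrap", args, err)
	_, err = BwrapArgs(sb, "/workspace/demo", []string{"/usr/bin/curl", "https://example.com"})
	fmt.Println("disallowed executable:", err)
}
```

The order of the bind options is what makes the write allowlist work: the whole root is bound read-only first and each declared directory is bound read-write afterwards, so a declaration that names no write paths yields a sandbox that cannot persist anything outside /tmp.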

What LoopSkill never does

  • Never executes code. We serve text files. Your agent decides what to run.
  • Never has remote access to your machine.
  • Never proxies your third-party API calls.
  • Never serves obfuscated content.
  • Never logs your inputs, outputs, or credentials.

Telemetry & privacy

Aggregate events only by default: install/use/result events carrying a hashed agent class, a hashed user ID (pseudonymous rather than anonymous, since the hash is stable per user), duration in seconds and retry count. No payload contents, no credential fingerprints, no inputs or outputs. Operator+ tier can opt into pseudonymous payload sampling to improve their own skills; this requires explicit opt-in per cookbook.

To opt out entirely:

export RECIPES_TELEMETRY=off

Reporting a vulnerability

Email security@wisechef.ai with the skill slug, version, and reproduction steps. We triage all security reports. Critical vulns get a hotfix and the skill is taken offline pending review.