Technology Deep Dive — Section 12 of 20

Vetted Capabilities,
Not Blind Plugins

Every skill your AI workers use has been parsed, scanned, sandboxed, and approved by a human. No supply chain surprises. No silent privilege escalation.

5 vetting stages3 permission levels0 self-escalation possible

The Plugin Problem

Most platforms let workers call anything

Any tool. Any time. Any permissions. The worker decides what to call. One compromised or malicious skill in the ecosystem can exfiltrate data, send emails as your users, delete files, or make API calls to external services — silently.

The supply chain risk is real

AI plugin ecosystems are exactly like npm: large, unvetted, and capable of hiding malicious payloads in useful-looking packages. Kaidera treats every skill like a software supply chain risk — because it is one.

Kaidera's Skill Engine is the firewall between your AI workers and the tool ecosystem. Every capability is verified before it can run.

The SKILL.md Standard

Every skill is defined in a single, structured SKILL.md file. Machine-parseable. Human-readable. Unambiguous. Rejected immediately if incomplete.

search_web.SKILL.md
# SKILL: search_web
version: 1.2.0

description: |
  Searches the web using a given query and returns the top N results.
  Does not follow links, execute scripts, or persist data.

parameters:
  query:
    type: string
    required: true
    max_length: 512
  limit:
    type: integer
    default: 5
    max: 20

permissions:
  - network.read

safety_constraints:
  - No writes to external services
  - No credential access
  - No filesystem access

examples:
  - query: "FastAPI authentication middleware"
    limit: 5

Five-Stage Vetting Pipeline

No skill runs until it has passed every stage. Rejection at any stage produces a detailed report. The process cannot be bypassed, shortened, or self-approved.

1
Parse

SKILL.md submitted and parsed for: name, description, parameter schema, permissions required, usage examples, and safety constraints. Malformed or incomplete? Rejected immediately with a structured error.

Reject: malformed schema
2
Vet

Static analysis: Does the skill request excessive permissions? Does its behaviour match its stated description? Automated security scan checks for data exfiltration patterns, privilege escalation, and unsafe API calls.

Reject: excessive permissions
3
Sandbox

Executed in an isolated container: no network access, no filesystem writes, no IPC, resource-limited. Observed behaviour must match the declared spec. Unexpected side effects cause immediate rejection.

Reject: behaviour mismatch
4
Approve

Human review gate. An engineer at Kaidera — or your organisation's admin — reviews the sandbox execution report and approves or rejects. Sandbox results, permissions diff, and risk score are all presented.

Reject: human review denied
5
Install

Published to the Kaidera Skills Marketplace. Versioned, signed, and available for AI workers to discover and use. Open source on GitHub. Revocation possible at any time.

Live in Marketplace

Rejection at any stage produces a structured report: which stage failed, why, and what changes would allow approval. Skills can be revised and resubmitted. All submissions and their outcomes are logged.

The Permission System

Three levels: ALLOW (auto-execute), ASK (require confirmation), DENY (blocked at platform level). AI workers cannot escalate their own permissions. Full stop.

PermissionWhat It MeansExample Skills
ALLOW
Skill executes automatically without confirmation. The skill has been pre-approved for autonomous use within defined parameters.
read_filesearch_webrun_testslist_directory
ASK
Skill requires explicit user confirmation before execution. The AI worker pauses, presents the intent, and waits for approval. Timeout results in cancellation.
send_emailcreate_prdeploy_to_stagingwrite_to_db
DENY
Skill is blocked entirely. Cannot be executed regardless of AI worker instruction or user approval. Hard policy enforcement at the platform level.
delete_productionshell_execexfiltrate_dataself_modify

Progressive Disclosure

Skills start with minimal permissions and the narrowest possible scope. Users can explicitly grant additional permissions after reviewing the skill's sandbox report. Trust is earned, not assumed.

Default: minimum permissions required
Users grant additional permissions explicitly
Revoke permissions at any time

Zero Self-Escalation

AI workers cannot grant themselves permissions. They cannot request, approve, or modify their own permission set. All permission changes require a human acting outside the worker runtime.

worker.grant_permission()→ PermissionError

The Principle of Least Privilege —Every skill has exactly the permissions it needs to do its job. Nothing more. This isn't just a policy. It's enforced at the platform level. A skill declared withpermissions: [read_file]physically cannot callsend_emailregardless of what its code attempts.

Kaidera Skills Marketplace

Approved skills are published to the Kaidera Skills Marketplace — our own vetted, open-source skill registry. Every skill has passed all five vetting stages and been approved by a human reviewer. Skills are open source on GitHub: use them, fork them, contribute back.

Open source, enterprise secure

Every skill is open source on GitHub. Inspect the code, fork it, adapt it to your business — with enterprise-grade vetting before it runs.

Version controlled

Every skill version is retained. Workers pin to specific versions. Breaking changes cannot silently affect running workers.

Constantly growing

New skills added regularly. Community contributions welcome via GitHub PRs. Create custom skills tailored to your business needs.

5

stages before any skill runs

Parse → Vet → Sandbox → Approve → Install

3

permission levels

ALLOW / ASK / DENY

0

self-escalation possible

Platform-enforced. Not policy-enforced.

Next: Your Architecture, Live

Skills give AI workers capabilities. The Canvas gives you visibility into how they use them — in real time, as it happens.