Every skill your AI workers use has been parsed, scanned, sandboxed, and approved by a human. No supply chain surprises. No silent privilege escalation.
Most platforms let workers call anything
Any tool. Any time. Any permissions. The worker decides what to call. One compromised or malicious skill in the ecosystem can exfiltrate data, send emails as your users, delete files, or make API calls to external services — silently.
The supply chain risk is real
AI plugin ecosystems are exactly like npm: large, unvetted, and capable of hiding malicious payloads in useful-looking packages. Kaidera treats every skill like a software supply chain risk — because it is one.
Kaidera's Skill Engine is the firewall between your AI workers and the tool ecosystem. Every capability is verified before it can run.
Every skill is defined in a single, structured SKILL.md file. Machine-parseable. Human-readable. Unambiguous. Rejected immediately if incomplete.
# SKILL: search_web
version: 1.2.0
description: |
Searches the web using a given query and returns the top N results.
Does not follow links, execute scripts, or persist data.
parameters:
query:
type: string
required: true
max_length: 512
limit:
type: integer
default: 5
max: 20
permissions:
- network.read
safety_constraints:
- No writes to external services
- No credential access
- No filesystem access
examples:
- query: "FastAPI authentication middleware"
limit: 5No skill runs until it has passed every stage. Rejection at any stage produces a detailed report. The process cannot be bypassed, shortened, or self-approved.
SKILL.md submitted and parsed for: name, description, parameter schema, permissions required, usage examples, and safety constraints. Malformed or incomplete? Rejected immediately with a structured error.
Static analysis: Does the skill request excessive permissions? Does its behaviour match its stated description? Automated security scan checks for data exfiltration patterns, privilege escalation, and unsafe API calls.
Executed in an isolated container: no network access, no filesystem writes, no IPC, resource-limited. Observed behaviour must match the declared spec. Unexpected side effects cause immediate rejection.
Human review gate. An engineer at Kaidera — or your organisation's admin — reviews the sandbox execution report and approves or rejects. Sandbox results, permissions diff, and risk score are all presented.
Published to the Kaidera Skills Marketplace. Versioned, signed, and available for AI workers to discover and use. Open source on GitHub. Revocation possible at any time.
Rejection at any stage produces a structured report: which stage failed, why, and what changes would allow approval. Skills can be revised and resubmitted. All submissions and their outcomes are logged.
Three levels: ALLOW (auto-execute), ASK (require confirmation), DENY (blocked at platform level). AI workers cannot escalate their own permissions. Full stop.
| Permission | What It Means | Example Skills |
|---|---|---|
ALLOW | Skill executes automatically without confirmation. The skill has been pre-approved for autonomous use within defined parameters. | read_filesearch_webrun_testslist_directory |
ASK | Skill requires explicit user confirmation before execution. The AI worker pauses, presents the intent, and waits for approval. Timeout results in cancellation. | send_emailcreate_prdeploy_to_stagingwrite_to_db |
DENY | Skill is blocked entirely. Cannot be executed regardless of AI worker instruction or user approval. Hard policy enforcement at the platform level. | delete_productionshell_execexfiltrate_dataself_modify |
Skills start with minimal permissions and the narrowest possible scope. Users can explicitly grant additional permissions after reviewing the skill's sandbox report. Trust is earned, not assumed.
AI workers cannot grant themselves permissions. They cannot request, approve, or modify their own permission set. All permission changes require a human acting outside the worker runtime.
The Principle of Least Privilege —Every skill has exactly the permissions it needs to do its job. Nothing more. This isn't just a policy. It's enforced at the platform level. A skill declared withpermissions: [read_file]physically cannot callsend_emailregardless of what its code attempts.
Approved skills are published to the Kaidera Skills Marketplace — our own vetted, open-source skill registry. Every skill has passed all five vetting stages and been approved by a human reviewer. Skills are open source on GitHub: use them, fork them, contribute back.
Open source, enterprise secure
Every skill is open source on GitHub. Inspect the code, fork it, adapt it to your business — with enterprise-grade vetting before it runs.
Version controlled
Every skill version is retained. Workers pin to specific versions. Breaking changes cannot silently affect running workers.
Constantly growing
New skills added regularly. Community contributions welcome via GitHub PRs. Create custom skills tailored to your business needs.
stages before any skill runs
Parse → Vet → Sandbox → Approve → Install
permission levels
ALLOW / ASK / DENY
self-escalation possible
Platform-enforced. Not policy-enforced.
Skills give AI workers capabilities. The Canvas gives you visibility into how they use them — in real time, as it happens.