
Daily build note · May 18, 2026

SkillSafe Registry

A local-first scanner and registry for AI agent skills, MCP servers, repo instructions, and tool permissions that helps teams see what agent capabilities are installed, who approved them...

AI Tools · Runnable local MVP built · Public demo coming soon

What shipped

SkillSafe Registry is a runnable local MVP for scanning AI agent toolchain files and producing review artifacts. It includes:

  • Python CLI with init, scan, report, ci, demo, and serve commands.
  • Deterministic discovery for SKILL.md, AGENTS.md, MCP configs, .codex, .cursor, .vscode, package manifests, and GitHub workflow files.
  • Rule-based risk extraction for shell, filesystem, network, browser, repo, email, payment, secrets, production, and destructive-action signals.
  • Trust tracking through .skillsafe/allowlist.yml and .skillsafe/denylist.yml.
  • JSON, CSV, and Markdown exports under .skillsafe/out/.
  • CI mode that exits nonzero on blocked or unapproved high/critical findings.
  • Local web UI for browsing the latest registry and saving review decisions.
  • Demo workspace with safe, risky, and blocked fixtures.
  • Unit tests and a smoke script.

Architecture

  • Python 3.11 standard library only, so the MVP runs offline without dependency installation.
  • JSON-compatible .yml policy/config files, avoiding a hard PyYAML dependency while keeping the file names expected by the product brief.
  • One registry item per discovered file, except MCP config files with mcpServers, which become one item per configured MCP server.
  • Path-pattern decisions via allowlist/denylist, so review state survives content changes.
  • Transparent additive scoring instead of model-assisted classification.
  • Server-rendered local UI using http.server, avoiding a frontend build step.

Trimmed scope

  • No hosted service, accounts, team workflow, billing, or cloud sync.
  • No runtime enforcement, sandboxing, quarantine, or auto-remediation.
  • No external API enrichment, GitHub API calls, or model-generated summaries.
  • No deep semantic prompt-injection detection.
  • No broad YAML parser unless optional PyYAML is installed by the user.
  • UI decision edits update policy files; users rerun scan to refresh registry scores.

Limitations

  • Risk detection is pattern-based and will produce false positives and false negatives.
  • Secret values are redacted in evidence snippets, but the scanner still reads local files selected by the user.
  • Source/version/owner extraction is intentionally simple and mostly line-based.
  • MCP tool descriptions are inferred from config text, not live MCP introspection.
  • CI policy is coarse: it fails on unknown, needs-review, or blocked high/critical findings.
  • The demo scan intentionally fails CI because it includes risky fixtures.
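The following is an added illustration, not SkillSafe's own code, of the design sketched under Architecture and the redaction and CI behaviour listed under Limitations: regex signal extraction with transparent additive scoring, one registry item per file except MCP configs (one per configured server), secret values redacted out of evidence snippets, path-pattern allow/deny decisions that survive content edits, and a CI gate that returns nonzero for blocked items or high/critical items nobody approved. The workspace contents, rule patterns, weights, severity thresholds, and policy patterns are all constructed for the example; the real tool's rules and weights are not on this page.

```python
"""Minimal stand-in for a pattern-based skill/MCP scanner (example code, not SkillSafe's).
Everything below (files, rules, weights, thresholds, policy patterns) is constructed."""
import fnmatch
import json
import re

# Constructed workspace: path -> file text, standing in for files discovered on disk.
WORKSPACE = {
    "skills/summarize/SKILL.md": "Summarize a document. Tools: read file",
    "skills/deploy/SKILL.md": (
        "Run `bash deploy.sh`, then curl https://example.invalid/hook\n"
        "API_KEY=sk_live_abcdef1234567890\n"
        "rm -rf build/"
    ),
    ".cursor/mcp.json": '{"mcpServers": {"mail": {"command": "npx", "args": ["mail-mcp"]}}}',
}

# Signal rules: (name, pattern, weight). Weights are hypothetical policy choices.
RULES = [
    ("shell", re.compile(r"\b(bash|sh|zsh|powershell)\b"), 3),
    ("network", re.compile(r"\b(curl|wget)\b|https?://"), 2),
    ("destructive", re.compile(r"\brm -rf\b|\bdrop table\b", re.I), 5),
    ("secrets", re.compile(r"\b(API_KEY|SECRET|TOKEN)\s*=\s*\S+", re.I), 4),
    ("email", re.compile(r"\bmail\b", re.I), 2),
]
SECRET_VALUE = re.compile(r"(\b(?:API_KEY|SECRET|TOKEN)\s*=\s*)(\S+)", re.I)

# Path-pattern policy, the equivalent of .skillsafe/allowlist.yml and denylist.yml (constructed).
ALLOWLIST = ["skills/summarize/*"]
DENYLIST = ["skills/deploy/*"]


def redact(snippet):
    """Keep the variable name as evidence but never echo the secret value itself."""
    return SECRET_VALUE.sub(r"\1[REDACTED]", snippet)


def severity(score):
    """Additive score -> coarse severity band (thresholds are hypothetical)."""
    if score >= 8:
        return "critical"
    if score >= 5:
        return "high"
    if score >= 2:
        return "medium"
    return "low" if score > 0 else "none"


def discover_items(workspace):
    """One registry item per file, except MCP configs, which yield one item per server."""
    for path, text in workspace.items():
        if path.endswith("mcp.json"):
            try:
                servers = json.loads(text).get("mcpServers", {})
            except json.JSONDecodeError:
                servers = {}
            if servers:
                for name, cfg in servers.items():
                    yield f"{path}#{name}", json.dumps(cfg)
                continue
        yield path, text


def scan_text(path, text):
    """Run every rule; each matched signal adds its weight (no model, no hidden logic)."""
    findings, score = [], 0
    lines = text.splitlines()
    for name, pattern, weight in RULES:
        m = pattern.search(text)
        if m:
            line = lines[text.count("\n", 0, m.start())]
            findings.append({"signal": name, "evidence": redact(line.strip())})
            score += weight
    return {"path": path, "score": score, "severity": severity(score), "findings": findings}


def decide(path):
    """Decisions key on path patterns, so they survive edits to the file's content."""
    if any(fnmatch.fnmatch(path, p) for p in DENYLIST):
        return "blocked"
    if any(fnmatch.fnmatch(path, p) for p in ALLOWLIST):
        return "approved"
    return "unknown"


def build_registry(workspace):
    items = []
    for path, text in discover_items(workspace):
        item = scan_text(path, text)
        item["decision"] = decide(path)
        items.append(item)
    return items


def ci_exit_code(items):
    """Nonzero when any item is blocked, or is high/critical without an approval."""
    for it in items:
        if it["decision"] == "blocked":
            return 1
        if it["severity"] in ("high", "critical") and it["decision"] != "approved":
            return 1
    return 0


if __name__ == "__main__":
    registry = build_registry(WORKSPACE)
    for it in registry:
        print(f'{it["path"]}: score={it["score"]} {it["severity"]} {it["decision"]}')
        for f in it["findings"]:
            print(f'    [{f["signal"]}] {f["evidence"]}')
    raise SystemExit(ci_exit_code(registry))
```

Running it lists the summarize skill as approved with no signals, the deploy skill as critical and blocked (its API_KEY line appears in evidence as `API_KEY=[REDACTED]`), the `mail` MCP server as its own medium-severity unknown item, and exits 1, which mirrors why the note says the demo scan is expected to fail CI.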

Suggested next steps

  • Add richer YAML support or vendor a tiny parser for more ergonomic policy editing.
  • Add baseline diffing so teams can see what changed since the last scan.
  • Add a skillsafe approve CLI path for non-UI review decisions.
  • Add Git metadata for author, age, and recent changes.
  • Add optional MCP server introspection in a controlled offline mode.
  • Add GitHub Actions template outside the demo fixture.
  • Add report branding for client audit delivery.
  • Add configurable risk weights and organization-specific policy packs.