A skill usually becomes untrustworthy for a concrete reason: it crosses its declared boundary, opens a theft or egress path, or imports extra supply-chain risk into the environment. The taxonomy exists to make those reasons explicit.
These are usually enough to justify blocking installation outright.
Arbitrary shell, dynamic execution, or download-and-run behavior.
Reading keys, tokens, SSH material, or cloud credentials and exporting them.
Sending local content, environment variables, or conversation data outward.
Trying to expand system privilege or cross a stronger control boundary.
These sharply reduce trust even when they do not always form a full attack chain on their own.
README or SKILL.md promises do not match the real behavior.
External content or docs steer the model into undeclared actions.
Encoding, staged execution, or transformed logic hides the real intent.
These patterns widen the final risk surface and heavily influence the install recommendation.
Unpinned packages, malicious dependencies, remote scripts, or submodule risk.
Mechanisms that continue running after installation or restart.
Reading system files, home directories, browser data, or unrelated private content.
code_execution Critical Once a skill can execute arbitrary commands, installation risk becomes system risk.
credential_theft Critical If it can read and export credentials, trust is usually gone immediately.
data_exfiltration Critical Local data or model context leaving the system is a high-priority block signal.
privilege_escalation Critical Anything that tries to expand privilege should not be installed by default.
doc_deception High When claims and behavior diverge, the report treats it as a trust fracture first.
supply_chain High Dependencies, remote scripts, and version policy can turn a normal-looking skill into a risk entry point.
persistence High It allows the risk to outlive the install action itself.
obfuscation Medium It may not be malicious on its own, but it often exists to hide something worse.
prompt_injection Medium The focus is not the prompt itself, but whether it drives the model beyond the declared boundary.
sensitive_access Medium Reading system and user data beyond task scope materially lowers the chance of allowing it.