安装社区 Skill 前做 5 点安全审查

• You can inspect skill files before installation and control runtime permissions.
• You have a staging environment for first-run validation.

1. Check source trust: publisher history, repo age, commit activity, and issue discussions.
2. Review requested permissions/secrets and reject skills asking for broad unnecessary scopes.
3. Audit install/run scripts for suspicious downloads, shell execution, credential/file exfil patterns.
4. Run in staging with fake credentials and outbound monitoring before production enablement.
5. Prepare rollback: disable skill, revoke tokens, and rotate any potentially exposed secrets.

• The Reddit post cites third-party audit statistics; dataset and methodology should be independently verified（需验证）.
• Even reviewed skills can become risky after updates; re-audit on every major version.

This tip is aggregated from community/public sources and preserved with attribution.