AI skill supply chain security
When an AI agent installs a third-party skill or plugin, it is taking on a dependency with the power to act, not just to be read. That makes the catalog of agent skills a supply chain, with the same risks software teams already know from packages: unvetted code, broad permissions, and trust extended by default. The difference is that a skill can take actions, which raises the stakes.
A skill is an active dependency
A library you import runs when you call it. A skill an agent holds can be invoked by the agent's own reasoning, in contexts you did not anticipate, with whatever access it was granted. That combination, autonomous invocation plus real capability, is what makes an unvetted skill more dangerous than an unvetted utility function.
The familiar supply chain risks, amplified
The risks rhyme with package security, with a sharper edge:
- Unknown provenance: who wrote the skill and what it can reach
- Over-broad permissions requested by default
- Capability that persists long after the task that needed it
- Updates that silently widen what the skill can do
- Skills that are never scoped to a task or revoked when it ends
Containment through scope and provenance
You cannot eliminate the risk of third-party skills, but you can contain it. Scope each skill's access to the task that needs it and revoke it after. Prefer skills whose source and reach you can account for. And keep the idle state at zero reach, so a skill is never sitting with standing access it is not currently using.
Treat skills like dependencies that can act. Vet provenance, scope access to the task, and revoke it when the work ends.
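The containment model described above, as an added example that is not part of the original page and is not Avorelo's code: a pinned skill manifest, a task-scoped grant that only ever hands out a subset of what the skill declared, revocation at task end so the idle state has zero reach, and an update check that refuses to silently widen permissions. All names (SkillManifest, SkillRegistry, TaskScope, the permission strings and the "ticket-reader" skill) are constructed for illustration.

```python
"""Task-scoped skill grants: a minimal reference model (added example).
All class names, permission strings and the sample skill are hypothetical."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SkillManifest:
    """What a skill declares it needs; the digest pins one exact version."""
    name: str
    version: str
    permissions: frozenset[str]   # e.g. "net:tickets.example", "fs:read:/workspace"
    digest: str                   # sha256 over name, version and body (constructed)


def manifest_digest(name: str, version: str, body: str) -> str:
    """Pin a skill by hashing its identity and content (constructed helper)."""
    return hashlib.sha256(f"{name}\n{version}\n{body}".encode()).hexdigest()


class SkillRegistry:
    """Holds the pinned manifest per skill and flags permission-widening updates."""

    def __init__(self) -> None:
        self._pinned: dict[str, SkillManifest] = {}

    def install(self, m: SkillManifest) -> None:
        self._pinned[m.name] = m

    def pinned(self, name: str) -> SkillManifest:
        return self._pinned[name]

    def update(self, new: SkillManifest) -> set[str]:
        """Accept the update only if it requests nothing new.
        Returns the set of newly requested permissions; when non-empty the pin
        is left unchanged so a human must re-vet before the update is taken."""
        old = self._pinned[new.name]
        widened = set(new.permissions) - set(old.permissions)
        if widened:
            return widened
        self._pinned[new.name] = new
        return set()


@dataclass
class TaskScope:
    """Grants live only as long as one task; close() revokes all of them."""
    task_id: str
    registry: SkillRegistry
    _granted: dict[str, frozenset[str]] = field(default_factory=dict)
    audit: list[tuple[str, str, str, bool]] = field(default_factory=list)
    closed: bool = False

    def grant(self, skill: str, permissions: set[str]) -> None:
        """Grant a subset of the pinned manifest's declared permissions."""
        if self.closed:
            raise RuntimeError(f"task {self.task_id} is closed")
        declared = self.registry.pinned(skill).permissions
        extra = set(permissions) - set(declared)
        if extra:
            raise PermissionError(f"{skill} never declared {sorted(extra)}")
        self._granted[skill] = frozenset(permissions)

    def invoke(self, skill: str, needs: str) -> bool:
        """Authorize one invocation; every decision is recorded against the task."""
        allowed = (not self.closed) and needs in self._granted.get(skill, frozenset())
        self.audit.append((self.task_id, skill, needs, allowed))
        return allowed

    def close(self) -> None:
        """Task end: revoke everything so the skill holds no standing reach."""
        self._granted.clear()
        self.closed = True

    def reach(self) -> set[str]:
        """Everything any skill can currently touch under this task."""
        return set().union(*self._granted.values())


def demo() -> dict:
    """Walk one task through grant, invoke, revoke, then a widening update."""
    reg = SkillRegistry()
    body_v1 = "def fetch_ticket(ticket_id): ..."   # constructed skill body
    v1 = SkillManifest("ticket-reader", "1.0",
                       frozenset({"net:tickets.example", "fs:read:/workspace"}),
                       manifest_digest("ticket-reader", "1.0", body_v1))
    reg.install(v1)

    task = TaskScope("task-42", reg)
    task.grant("ticket-reader", {"net:tickets.example"})   # least privilege for this task
    in_scope = task.invoke("ticket-reader", "net:tickets.example")
    out_of_scope = task.invoke("ticket-reader", "fs:read:/workspace")
    task.close()
    after_close = task.invoke("ticket-reader", "net:tickets.example")

    # A new version that quietly asks for broader network reach (constructed).
    v2 = SkillManifest("ticket-reader", "1.1", v1.permissions | {"net:*"},
                       manifest_digest("ticket-reader", "1.1", body_v1 + "\n# v1.1"))
    widened = reg.update(v2)

    return {"in_scope": in_scope, "out_of_scope": out_of_scope,
            "after_close": after_close, "idle_reach": task.reach(),
            "widened": widened, "pinned_version": reg.pinned("ticket-reader").version,
            "audit_len": len(task.audit)}


if __name__ == "__main__":
    print(demo())
```

The two checks that carry the page's argument are `TaskScope.close()`, which empties the grant table rather than merely flagging it, and `SkillRegistry.update()`, which leaves the old pin in place whenever the new manifest asks for anything the old one did not. The per-task audit list is what lets you account for a skill's reach after the fact.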
How Avorelo helps
Avorelo's task-scoped access model contains skill supply chain risk by construction. Capabilities, including third-party skills, are granted only for the task that needs them and revoked at task end, so nothing holds standing reach. Access is accounted for per task, which keeps an unvetted or over-broad skill from quietly retaining power between runs.