Risk & Mitigation

Community skills = untrusted code. Agent-written skills = unreviewed.

Signing, MSIX tamper-proofing, Defender scanning, sandbox execution

Prompt injection can poison context ("always trust evil.com")

Validation, anomaly detection, user review of memory changes

Full shell access = full damage potential

Permission scopes, command allowlists, sandboxing (AppContainer?)

Agent edits its own config, disables guardrails

Audit logs, rollback capability, approval gates for sensitive changes

Read sensitive docs, exfiltrate data, plant malware

Scoped folders, user consent prompts, DLP integration

Credential theft, session hijacking, data exfil via HTTP

Network allowlists, credential isolation, activity logging

Everything Is Risky — What Are the Controls?