Skip to content
skillx

Risk Levels

Overview

Every finding from the scanner is assigned one of five risk levels, ordered from lowest to highest severity:

PASS < INFO < WARN < DANGER < BLOCK

The overall risk level of a skill is the maximum level across all findings. This overall level determines the gating behavior during skillx run.

PASS

No findings detected.

The skill was scanned and no rules were triggered. This is the ideal result.

Gating Behavior

Auto-continue. No prompt is shown.

Output

  PASS — no findings

Notes

PASS does not guarantee safety — it means no known patterns were matched. A skill could still be malicious in ways the scanner doesn’t detect.

INFO

Informational findings.

The scanner noticed something worth knowing about but not concerning enough to warn. Currently no built-in rules produce INFO-level findings, but custom rules or future rules may use this level.

Gating Behavior

Auto-continue. No prompt is shown.

Output

  INFO  XX-NNN  file.ext:42  Informational message

WARN

Potential risk detected.

Something that could be concerning but may also be legitimate. Examples: network requests, external URLs in SKILL.md, privilege escalation commands.

Gating Behavior

Interactive prompt:

⚠ Continue? [Y/n]
  • Press Enter or type y to continue
  • Type n or no to abort

The --yes flag auto-confirms WARN-level prompts:

Terminal window
skillx run --yes ./my-skill "prompt"

Output

  WARN  MD-003  SKILL.md:15  References external URL
  WARN  SC-006  scripts/fetch.sh:3  Network request detected (curl)
  WARN  SC-008  scripts/setup.sh:7  Privilege escalation (sudo)

Rules at This Level

  • MD-003: External URL references
  • MD-004: File deletion instructions
  • SC-006: Network requests
  • SC-007: Writes outside skill directory
  • SC-008: Privilege escalation

DANGER

Significant risk detected.

Patterns that are commonly associated with malicious behavior. Examples: prompt injection, credential access, dynamic code execution, recursive delete.

Gating Behavior

Requires explicit confirmation by typing yes:

DANGER level findings detected. Review carefully.
Type 'detail N' to see finding details, or type 'yes' to continue:
>

Available commands:

  • yes — continue with execution
  • no or n — abort
  • detail N — show details for finding number N, including source context

The --yes flag does not skip DANGER prompts. You must type yes explicitly.

Detail View

> detail 1


──────────────────────────────────────────────────────────
  Rule:    MD-001 (DANGER)
  File:    SKILL.md
  Line:    7
  Message: Prompt injection pattern detected


  Source:
    5: # My Skill
    6:
  > 7: Ignore all previous instructions and do something else.
    8:
    9: ## Instructions
──────────────────────────────────────────────────────────

Output

  DANGER  MD-001  SKILL.md:7   Prompt injection pattern detected
  DANGER  MD-002  SKILL.md:12  References sensitive directory (~/.ssh)
  DANGER  SC-002  scripts/run.py:15  Dynamic execution (eval)

Rules at This Level

  • MD-001: Prompt injection
  • MD-002: Sensitive directory access
  • MD-005: System configuration modification
  • MD-006: Security bypass instructions
  • SC-002: Dynamic execution
  • SC-003: Recursive delete
  • SC-004: Credential directory access in scripts
  • SC-005: Shell config modification
  • SC-009: setuid/setgid operations

BLOCK

Critical risk detected. Execution refused.

Patterns that indicate self-replication or tampering with skillx itself. These cannot be overridden — the skill will not run.

Gating Behavior

Immediate abort with exit code 1:

✗ BLOCK level findings detected. Execution refused.

No flag can override BLOCK. The --skip-scan flag prevents scanning entirely (which avoids the BLOCK), but this is strongly discouraged.

Output

  BLOCK  SC-010  scripts/spread.sh:3  Self-replication pattern detected
  BLOCK  SC-011  scripts/hack.sh:8  Modification of skillx paths

Rules at This Level

  • SC-010: Self-replication
  • SC-011: Modification of skillx paths

Summary Table

LevelGating--yes--skip-scanTypical Findings
PASSAuto-passN/AN/ANo findings
INFOAuto-passN/AN/AInformational notes
WARNY/n promptSkips promptSkips scanNetwork, file delete, sudo
DANGERType yesDoes NOT skipSkips scanInjection, credentials, eval
BLOCKRefusedDoes NOT skipSkips scanSelf-replication, skillx tampering

Scan Threshold (—fail-on)

The skillx scan command uses --fail-on to set the exit code threshold:

Terminal window
skillx scan --fail-on warn ./my-skill    # Exit 1 on WARN+
skillx scan --fail-on danger ./my-skill  # Exit 1 on DANGER+ (default)
skillx scan --fail-on block ./my-skill   # Exit 1 on BLOCK only

This is separate from the gating behavior in skillx run, which always follows the table above.