Security model.
Core principles
- Credentials stay local. Your API keys never pass through Recipes servers. Skills hit third-party APIs directly with your env vars.
- Skills run locally. Recipes only serves text files. Your agent decides what to execute.
- Plain-text transparency. No obfuscated code, no hidden payloads. Inspect every line before running.
- Single-publisher catalog. Every skill is curated and maintained by the WiseChef team. No external submissions, no third-party authors to vet — the catalog's quality is our problem.
- Architecture-aware install. The runtime probe refuses to install a skill on incompatible hardware (wrong OS, insufficient VRAM, missing CUDA) and suggests an alternative from the graph.
Publish-time review pipeline
- Discipline linter (A.7): blocks user-name leaks, curl | bash patterns, hardcoded $HOME paths, internal-infra references, and unallowlisted external promo links at publish time.
- Manual curation: every skill is read, tested, and approved by a human reviewer before it lands in the catalog. We are the publisher.
- Continuous telemetry: the auto-improve incident network clusters anonymized failure reports across the fleet. Skills with high incident rates get flagged for the patch council and rolled through canary stages with auto-rollback.
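To make the linter stage concrete, here is an added example of a publish-time checker in the spirit of the Discipline linter above. It is not Recipes' own linter: the rule names, the regular expressions, the link allowlist (PROMO_ALLOWLIST) and the sample skill text are all constructed for illustration. "Hardcoded $HOME paths" is interpreted as absolute home directories such as /home/alice, and "user-name leaks" as shell-prompt remnants of the form name@host:~$ pasted into a skill.

```python
"""Added example, not Recipes' code: a minimal publish-time linter that
flags the classes of content the Discipline linter rejects."""
import re

# Assumed allowlist: external links are only allowed on these hosts.
PROMO_ALLOWLIST = {"github.com", "pypi.org"}

# Each rule is (name, pattern). Patterns are illustrative, not exhaustive.
RULES = [
    # curl/wget output piped straight into a shell (optionally via sudo)
    ("pipe-to-shell",
     re.compile(r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:sudo\s+)?(?:bash|sh|zsh)\b")),
    # absolute home directories leak a username and break on other hosts
    ("hardcoded-home",
     re.compile(r"(?<![\w-])(?:/home|/Users)/[A-Za-z0-9_.-]+")),
    # shell prompt remnants such as "alice@workstation:~/skills$"
    ("user-name-leak",
     re.compile(r"\b[a-z_][a-z0-9_-]*@[A-Za-z0-9.-]+:[~/][^\s]*\$")),
    # internal hostnames and RFC 1918 addresses
    ("internal-infra",
     re.compile(r"\b[\w.-]+\.(?:internal|corp|intranet)\b"
                r"|\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
                r"|192\.168\.\d{1,3}\.\d{1,3})\b")),
]
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def lint(skill_text):
    """Return a list of findings: {"line": n, "rule": name, "match": text}."""
    findings = []
    for lineno, line in enumerate(skill_text.splitlines(), 1):
        for rule, pattern in RULES:
            m = pattern.search(line)
            if m:
                findings.append({"line": lineno, "rule": rule, "match": m.group(0)})
        # every external link must point at an allowlisted host
        for host in URL_RE.findall(line):
            if host.lower() not in PROMO_ALLOWLIST:
                findings.append({"line": lineno, "rule": "unallowlisted-link",
                                 "match": host})
    return findings


def is_publishable(skill_text):
    """Publish gate: a skill with any finding is blocked."""
    return not lint(skill_text)


# Constructed sample skill text with one problem per line (except the last).
SAMPLE_SKILL = """\
# transcribe-audio
Install: curl -fsSL https://example.com/install.sh | bash
Model cache: /home/alice/.cache/whisper
Mirror: http://models.corp/whisper-large
Source: https://github.com/example/whisper-skill
"""

if __name__ == "__main__":
    for f in lint(SAMPLE_SKILL):
        print(f"line {f['line']}: {f['rule']}: {f['match']}")
    print("publishable:", is_publishable(SAMPLE_SKILL))
```

The checker reports every finding rather than stopping at the first, so a reviewer sees the full picture in one pass; the allowlist is deliberately a set of exact hostnames, since substring matching would let github.com.evil.example through.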
Optional sandbox (declared per-skill)
Skills can declare a [sandbox] block in skill.toml with a network allowlist, filesystem write paths, and an allowed executable list. When enforced, the sandbox runner uses bubblewrap or firejail (publisher's choice) to isolate the skill's setup and runtime. The host must have at least one of them available; this is verified by a runtime check at install time.
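As an added example (not Recipes' sandbox runner), the following translates a per-skill [sandbox] declaration into a bubblewrap command line and performs the install-time runner check. The key names network.allow, fs.write and exec.allow are assumptions, since this page does not document the skill.toml schema; the bwrap flags used are real ones. Only the bubblewrap path is shown; a firejail profile would be the publisher's alternative. One caveat the example makes explicit: bubblewrap can only cut or keep the network namespace, so a non-empty host allowlist has to be enforced by an egress proxy outside the sandbox, which the function reports back to the caller.

```python
"""Added example, not Recipes' code: build a bwrap invocation from an
assumed [sandbox] table and check which isolation runner the host has."""
import os
import shutil

# Assumed shape of the [sandbox] table after TOML parsing (constructed).
EXAMPLE_SANDBOX = {
    "network": {"allow": ["api.example.com"]},          # egress hosts
    "fs": {"write": ["./output", "/tmp/skill-cache"]},  # writable paths
    "exec": {"allow": ["python3", "ffmpeg"]},           # runnable binaries
}


def available_runner():
    """Install-time check: return the first isolation tool on PATH, or None."""
    for tool in ("bwrap", "firejail"):
        if shutil.which(tool):
            return tool
    return None


def bwrap_argv(sandbox, command, workdir):
    """Return {"argv": [...], "egress_allowlist": [...]} for running
    `command` under the declared policy. Raises ValueError when the
    executable is not on the skill's exec.allow list."""
    exe = command[0]
    if exe not in sandbox.get("exec", {}).get("allow", []):
        raise ValueError(f"executable {exe!r} not declared in [sandbox] exec.allow")

    argv = [
        "bwrap",
        "--ro-bind", "/", "/",        # whole host visible but read-only
        "--dev", "/dev", "--proc", "/proc",
        "--tmpfs", "/tmp",            # private scratch, discarded on exit
        "--unshare-all",              # new pid/ipc/uts/user/net namespaces
        "--die-with-parent",          # no orphaned skill processes
        "--new-session",              # no TIOCSTI injection into the caller's tty
        "--chdir", workdir,
    ]

    egress = list(sandbox.get("network", {}).get("allow", []))
    if egress:
        # bwrap cannot filter by host; keep the network namespace and let the
        # caller enforce the allowlist with an egress proxy outside the sandbox.
        argv.append("--share-net")

    # Declared write paths are re-mounted read-write over the read-only root.
    # Later mounts take precedence in bwrap, so order matters here.
    for path in sandbox.get("fs", {}).get("write", []):
        abs_path = os.path.abspath(os.path.join(workdir, path))
        argv += ["--bind", abs_path, abs_path]

    return {"argv": argv + ["--"] + list(command), "egress_allowlist": egress}


if __name__ == "__main__":
    print("runner:", available_runner() or "none (install refused)")
    plan = bwrap_argv(EXAMPLE_SANDBOX, ["python3", "run.py"], "/srv/skill")
    print(" ".join(plan["argv"]))
    print("egress proxy must allow:", plan["egress_allowlist"])
```

When an empty network allowlist is declared the function leaves --unshare-all in effect and the skill gets no network at all, which is the only allowlist bubblewrap can enforce on its own.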
What Recipes never does
- Never executes code. We serve text files. Your agent decides what to run.
- Never has remote access to your machine.
- Never proxies your third-party API calls.
- Never serves obfuscated content.
Telemetry & privacy
Anonymous aggregates only by default: install/use/result events with hashed agent class, hashed user ID, duration in seconds, retry count. No payload contents, no credential fingerprints, no inputs/outputs. Operator+ tier can opt into pseudonymous payload sampling to improve their own skills.
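The event shape above, as an added example that is not Recipes' telemetry code: an emitter that produces only the listed fields and a schema gate that refuses anything resembling payload or credential data. The field names and the raw event are constructed. The example uses a keyed hash (HMAC-SHA256) for the agent class and user ID rather than a bare hash; this is a design choice of the example, not a statement about what Recipes does, and the reason is that an unkeyed SHA-256 of a low-entropy identifier such as an email address can be recovered by brute force, whereas the HMAC key never leaves the emitting side.

```python
"""Added example, not Recipes' code: anonymous telemetry event builder
with keyed pseudonymization and a field allowlist."""
import hashlib
import hmac

# Fields an anonymous event may carry; anything else is rejected.
ALLOWED_FIELDS = {"event", "skill", "version", "result",
                  "agent_class", "user", "duration_s", "retry_count"}
# Field names that suggest content or secrets are leaking into telemetry.
FORBIDDEN_SUBSTRINGS = ("payload", "input", "output", "credential",
                        "token", "secret", "key")


def pseudonymize(value, key):
    """Truncated HMAC-SHA256 of `value` under a per-installation key.
    Stable for the same value and key, unlinkable across different keys."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def build_event(raw, key):
    """Map a raw local record onto the anonymous event schema. Fields not
    named here (prompts, outputs, env vars) are simply never copied."""
    return {
        "event": raw["event"],                 # install / use / result
        "skill": raw["skill"],
        "version": raw["version"],
        "result": raw["result"],
        "agent_class": pseudonymize(raw["agent_class"], key),
        "user": pseudonymize(raw["user_id"], key),
        "duration_s": int(raw["duration_s"]),
        "retry_count": int(raw["retry_count"]),
    }


def validate_event(event):
    """Schema gate run before sending: only allowlisted fields, and no
    field whose name hints at payload or credential material."""
    unknown = set(event) - ALLOWED_FIELDS
    leaky = {k for k in event
             if any(s in k.lower() for s in FORBIDDEN_SUBSTRINGS)}
    return not unknown and not leaky


# Constructed raw record as a local agent might assemble it.
RAW_EVENT = {
    "event": "use", "skill": "transcribe-audio", "version": "1.4.2",
    "result": "ok", "agent_class": "claude-code", "user_id": "alice@example.com",
    "duration_s": 12.7, "retry_count": 0,
    # present locally, intentionally never copied into the event:
    "prompt": "transcribe meeting.wav", "OPENAI_API_KEY": "sk-constructed",
}

if __name__ == "__main__":
    ev = build_event(RAW_EVENT, b"constructed-per-install-key")
    print(ev, "valid:", validate_event(ev))
```

Because build_event copies named fields instead of filtering the raw record, a new local field cannot leak by accident; validate_event is the second line of defence for events assembled elsewhere.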
Reporting a vulnerability
Email [email protected] with the skill slug, version, and reproduction steps. We respond within 24h. Critical vulns get hotfixed and the skill is taken offline pending review.