Add a capability-based security model for community skills, inspired by
how mobile and Apple ecosystem apps declare capabilities upfront. This is
not a silver bullet for prompt injection, but it's a significant step up
from the status quo and encourages responsible developer practices by
making capability requirements explicit and visible.
Runtime enforcement for community skills installed from ClawHub:
- Capability declarations (shell, filesystem, network, browser, sessions)
parsed from SKILL.md frontmatter and enforced at tool-call time
- Static SKILL.md scanner detecting prompt injection patterns, suspicious
constructs, and capability mismatches
- Global skill security context tracking loaded community skills and
their aggregate capabilities
- Before-tool-call enforcement gate blocking undeclared tool usage
- Command-dispatch capability check preventing shell/filesystem access
without explicit declaration
- Trust tier classification (builtin/community/local) — only community
skills are subject to enforcement
- System prompt trust context warning for skills with scan warnings or
missing capability declarations
- CLI: `skills list -v`, `skills info`, `skills check` now surface
capabilities, scan results, and security status
- TUI security log panel for skill enforcement events
- Docs updated across 7 files covering the full security model
Companion PR: openclaw/clawhub (capability visibility + UI badges)
b3c52c4145