A comprehensive collection of security-focused skills for LLM agents interacting with shell environments. These skills implement a defense-in-depth strategy across six security layers, protecting against prompt injection, malicious commands, and unsafe operations.
When LLM agents execute shell commands, they face unique security challenges. This repository provides a structured approach to securing agent-shell interactions through layered security controls.
```
┌──────────────────────────────────────┐
│ Layer 1: Prompt Injection Defense    │ ← Input validation
├──────────────────────────────────────┤
│ Layer 2: Command Validation          │ ← Whitelist & syntax checks
├──────────────────────────────────────┤
│ Layer 3: Path Sandboxing             │ ← Filesystem isolation
├──────────────────────────────────────┤
│ Layer 4: Network Trust Verification  │ ← URL & checksum validation
├──────────────────────────────────────┤
│ Layer 5: Malware Protection          │ ← Virus scanning
├──────────────────────────────────────┤
│ Layer 6: Audit Logging               │ ← Complete traceability
└──────────────────────────────────────┘
```
The repository contains seven core skills:
- security-01-prompt-defense.md - Detects and prevents prompt injection attacks
- security-02-command-validation.md - Validates commands against whitelist and security policies
- security-03-path-sandbox.md - Enforces filesystem boundaries and path restrictions
- security-04-network-trust.md - Verifies URLs, checksums, and download sources
- security-05-malware-scan.md - Scans files for malware and suspicious patterns
- security-06-audit-log.md - Maintains complete audit trail of all operations
- security-apply.md - Orchestrates all security layers (main entry point)
Add these skills to your LLM agent's skill directory:

```bash
# Clone the repository
git clone https://github.com/roebi/agent-security-skills.git

# Copy skills to your agent's skill directory
cp agent-security-skills/skills/*.md /path/to/your/agent/skills/
cp agent-security-skills/policies/*.yml /path/to/your/agent/policies/
```

The security-apply.md skill should be triggered before ANY shell command execution:

```
User Request → security-apply.md → All 6 layers check → Execute or Deny
```
These skills implement the principle of Sorgfaltspflicht - the duty of care. Before executing any command, the agent must:
- ✓ Understand what the command does
- ✓ Verify it matches user's actual intent
- ✓ Assess potential risks
- ✓ Obtain appropriate confirmations
- ✓ Ensure reversibility where possible
See the examples directory for:
- Safe download workflows
- Command execution patterns
- Prompt injection test cases
- Security policy configurations
Security policies are defined in YAML files under the policies directory:
- command-whitelist.yml - Approved commands and their risk levels
- trusted-domains.yml - Verified download sources
- security-config.yml - Global security settings
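The layer diagram above and the three policy files just listed describe what gets checked but not how a validator consumes a policy. The block below is an added example written for this page, not code from agent-security-skills: it applies layer 2 (command whitelist and syntax), layer 3 (path sandbox), layer 4 (URL trust and checksum) and layer 6 (structured audit log) to a single proposed shell command. Layer 1 (prompt injection) and layer 5 (ClamAV) are out of scope. Everything in POLICY is an assumption for the demo: the keys are a hypothetical schema rather than the repository's YAML format, and the domain releases.example.org, the sandbox root /workspace and the sample commands are constructed.

```python
"""Added example for this page (not code from agent-security-skills): a minimal
policy engine that applies layer 2 (command validation), layer 3 (path sandbox),
layer 4 (URL trust and checksum) and layer 6 (audit log) to one proposed shell
command.  Layer 1 (prompt injection) and layer 5 (ClamAV) are left out.  The
POLICY keys are a hypothetical schema, not the repository's YAML format."""
import hashlib
import hmac
import json
import os
import shlex
import time
from urllib.parse import urlparse

# Constructed policy standing in for command-whitelist.yml, trusted-domains.yml
# and security-config.yml; keys, domain and root are assumptions for this demo.
POLICY = {
    "commands": {"ls": "low", "cat": "low", "curl": "medium", "rm": "high"},
    "confirm_at": "medium",           # risk level at or above which a human confirms
    "trusted_domains": ["releases.example.org"],
    "sandbox_root": "/workspace",     # only filesystem subtree the agent may touch
}
RISK = {"low": 0, "medium": 1, "high": 2}
OPERATORS = set("();<>|&")            # shell control and redirect operators
AUDIT_LOG = []                        # layer 6: one JSON line per decision

def _tokens(cmdline):
    """Split like a POSIX shell, returning ; | & < > ( ) as their own tokens."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)

def path_inside(root, arg):
    """Layer 3: resolve arg (absolute, or relative to root) and refuse anything
    that leaves root after '..' and symlink resolution."""
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, arg))
    return os.path.commonpath([root, target]) == root

def url_trusted(url, domains):
    """Layer 4: https only, and the host must be a listed domain or a subdomain."""
    u = urlparse(url)
    if u.scheme != "https" or not u.hostname:
        return False
    host = u.hostname.lower()
    return any(host == d or host.endswith("." + d) for d in domains)

def verify_sha256(data, expected_hex):
    """Layer 4: verify a downloaded artifact against a checksum obtained from a
    source other than the download itself; constant-time comparison."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_hex.lower())

def _check(cmdline, policy):
    """Layer 2 plus the per-argument checks; returns (decision, reason, risk)."""
    if "`" in cmdline or "$(" in cmdline:
        return "deny", "command substitution not allowed", None
    try:
        toks = _tokens(cmdline)
    except ValueError as exc:                      # e.g. unbalanced quotes
        return "deny", f"unparseable command: {exc}", None
    if not toks:
        return "deny", "empty command", None
    # A whitelist on argv[0] alone is bypassed by 'ls; rm -rf /' or 'ls | sh';
    # refuse operators so exactly one whitelisted program runs per call.
    if any(t[:1] in OPERATORS for t in toks):
        return "deny", "shell operators not allowed: one command per call", None
    name = os.path.basename(toks[0])
    risk = policy["commands"].get(name)
    if risk is None:
        return "deny", f"command not whitelisted: {name}", None
    for arg in toks[1:]:
        if arg.startswith("-"):                    # flags are not paths
            continue
        if "://" in arg:
            if not url_trusted(arg, policy["trusted_domains"]):
                return "deny", f"untrusted URL: {arg}", risk
        elif not path_inside(policy["sandbox_root"], arg):
            return "deny", f"path escapes sandbox: {arg}", risk
    if RISK[risk] >= RISK[policy["confirm_at"]]:
        return "confirm", f"risk {risk}: needs explicit user confirmation", risk
    return "allow", f"risk {risk}", risk

def evaluate(cmdline, policy=POLICY):
    """Entry point: decide 'allow', 'confirm' or 'deny' and append an audit record."""
    decision, reason, risk = _check(cmdline, policy)
    AUDIT_LOG.append(json.dumps({"ts": time.time(), "cmd": cmdline,
                                 "decision": decision, "risk": risk, "reason": reason}))
    return decision, reason

def audit_entries():
    """Layer 6: parsed audit records, oldest first."""
    return [json.loads(line) for line in AUDIT_LOG]

if __name__ == "__main__":
    for cmd in ("ls -la /workspace/src", "cat /workspace/../etc/passwd", "ls; rm -rf /",
                "curl -o /workspace/t.tgz https://releases.example.org/t.tgz"):
        print(cmd, "->", evaluate(cmd))
```

Two design points matter more than the policy format. First, a whitelist keyed on the program name is not enough on its own: `ls; rm -rf /`, `ls | sh` and `ls $(cat /etc/shadow)` all start with a whitelisted program, which is why the tokenizer keeps shell operators as separate tokens and the substitution check runs on the raw string. Second, the sandbox check uses realpath before comparing prefixes, so `..` components and symlinks pointing outside the root are caught; a plain string prefix check on the unresolved path would not catch either.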
Contributions are welcome! Please ensure:
- New skills follow the naming pattern security-XX-skillname.md
- All cross-references are accurate
- Examples demonstrate both safe and unsafe scenarios
- Documentation is clear and comprehensive
This project is licensed under the Apache License 2.0 - see the LICENSE file for details.
These skills are designed to work with:
- LLM agents with shell/bash tool access
- Systems supporting standard Linux commands
- Environments with ClamAV or similar malware scanners
- Logging frameworks that support structured output
While these skills significantly improve security, they are not foolproof. They are instructions the model follows, not an enforcement boundary: an agent that is successfully prompt-injected can skip them, so the same controls also need to exist outside the model:
- Always run agents in isolated environments
- Regularly update malware definitions
- Review audit logs periodically
- Keep security policies current
- Consider using additional sandboxing (containers, VMs, LiteBox)
- agent-skills - General purpose agent skills
- Microsoft LiteBox - Security-focused library OS for additional isolation
For questions, issues, or suggestions, please open an issue on GitHub.
Created by: @roebi
Version: 1.0.0
Last Updated: March 2026