⊞
Security & Quality
policy
Define and enforce organizational rules for which skills are allowed, what they must contain, and where they can come from. Policy-as-code via a .skill-policy.yml file that lives in your repo.
Why it matters
In team and enterprise environments, you need guardrails: only skills from approved sources, mandatory security disclaimers, banned patterns, freshness requirements. Policy turns these rules into automated checks that run in CI.
What it does
- Source allow/deny lists with glob matching (e.g., allow only npm:@your-org/*)
- Required skills verification — ensure critical skills are always present
- Banned skills — block known-bad or deprecated skills
- Metadata requirements — enforce specific frontmatter fields and allowed licenses
- Content deny/require patterns — flag or require specific content with line numbers
- Freshness limits — max version drift and max age in days
- Audit integration — require clean audit results as part of policy
Usage
npx skills-check policy <subcommand> [options]Options
| Flag | Description |
|---|---|
--policy <path> | Path to .skill-policy.yml |
--fail-on <severity> | Threshold: blocked, violation, or warning |
--ci | CI mode with strict exit codes |
-f, --format <type> | Output: terminal or json |
Examples
Check against policy
npx skills-check policy checkInitialize default policy
npx skills-check policy initValidate policy file
npx skills-check policy validateCI gate
npx skills-check policy check --ci --fail-on violationWhen to use this
- When onboarding teams to agent skills
- To enforce org-wide quality standards
- In CI to gate skill changes
Related commands
Common findings
- Untrusted source — skill from non-allowed origin
- Banned pattern — prohibited content detected
- Stale skill — exceeds freshness limit
CI tip
Commit .skill-policy.yml to your repo root. Policy discovery walks up directories, so monorepo subdirectories inherit the root policy automatically.