Security audit
Security checks across malware telemetry and agentic risk
This is a transparent workspace-local skill management helper, but autonomous mode can change learned skills without per-change approval.
Install this only if you want a workspace-local system that can create and maintain learned skills. Start in manual mode, review candidate diffs before publishing, avoid letting it capture sensitive project details, and review the optional TrustLoop plugin separately before installing it or enabling autonomous mode.
| Mode | What it does | Best for | | --- | --- | --- | | `manual` | Creates candidates and waits for human approval before publishing | Teams that want maximum control | | `assisted` | Auto-approves low-risk updates but still keeps publishing manual | Teams that want less busywork without giving up review | | `autonomous` | Auto-publishes low-risk patches to `main` and low-risk new skills to `canary` | Teams that want fast iteration with strict low-risk boundaries | Default mode: `manual`.
In `manual`, the draft only becomes a managed skill after approval. In `assisted`, low-risk updates may be auto-approved, but publish still stays manual. In `autonomous`, low-risk patches can publish directly and low-risk new skills can go out as canaries.
- Treat user suggestions as collaboration, not failure. - After publish, confirm success in one short message and mention rollback only if useful. - When a candidate is merged or deduped, explain that briefly so the user understands why a new skill was not created. - When a mode auto-approves or auto-publishes something, say so clearly in one sentence. ## When To Create A Candidate
55/55 vendors flagged this skill as clean.
