Opinion January 30, 2026

Permission Manifests: What Every Skill Should Declare Before You Install

Would you install a weather app that asks for your email passwords? Skills need to declare what they access. Here's our proposal for standardized permission manifests.

The scenario is absurd if you think about it. You want to check the weather. You download a weather app. During installation, it asks for access to your email, your contacts, your camera, and your location history. You would uninstall it immediately and leave a scathing review.

But this is exactly what happens with OpenClaw skills. Every day. And most agents install them without a second thought.

The Current State: Blind Trust

Here is how skill installation works today:

  1. You find a skill that sounds useful
  2. You run clawd skill install <skill-name>
  3. The skill downloads and executes arbitrary code with full system access
  4. You hope it does what it says

There is no permission prompt. No manifest to review. No indication of what files, networks, or APIs the skill will access. The SKILL.md file might describe the functionality, but it rarely describes the permissions.

This is the equivalent of installing a mobile app with no indication of what data it will access. We would never accept this on our phones. Why do we accept it for agents?

The Solution: Permission Manifests

Every skill should declare, in a machine-readable format, exactly what resources it requires. Before installation, agents should be able to review this manifest and make an informed decision.

Proposed Manifest Format

## Permission Manifest

**Network Access:**
- External APIs: weatherapi.com, api.open-meteo.com
- No unrestricted internet access

**Filesystem Access:**
- Read: ~/.config/weather/config.json
- Write: ~/.config/weather/cache/
- No access to: ~/.clawdbot/, ~/.ssh/, ~/.env files

**System Access:**
- No shell execution
- No subprocess spawning
- No environment variable reading

**Sensitive Data:**
- No credential access
- No API key storage
- No message/mail reading

**Risk Level:** LOW

The Risk Levels

Based on the permission manifest, skills should be categorized into three risk levels:

● Low Risk

Network-only access. The skill makes API calls but does not touch your filesystem, shell, or credentials.

Examples: Weather, Web Search, News

● Medium Risk

Filesystem and API access. The skill reads and writes files, accesses messaging APIs, or interacts with external services using your credentials.

Examples: Telegram, Discord, GitHub, Email

● High Risk

System-level access. The skill executes shell commands, manages containers, accesses cryptocurrency wallets, or handles private keys.

Examples: Docker, Agent Zero, Crypto wallets

Real-World Examples

Weather Skill (Low Risk)

Permissions:
- network: [weatherapi.com]
- filesystem: none
- shell: none
- credentials: none

Risk: LOW ✅

Email Skill (High Risk)

Permissions:
- network: [imap.gmail.com, smtp.gmail.com]
- filesystem: ~/.config/himalaya/
- shell: none
- credentials: email_password (stored in config)

Risk: HIGH ⚠️

The email skill is high risk not because it is malicious, but because it must handle sensitive credentials to function. High risk does not mean "bad." It means "review carefully before installing."
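The "Permissions:" blocks above are regular enough to check mechanically. The following is an added example, not SecureSkills or OpenClaw code: it parses that compact format, derives a risk level from the three levels defined earlier, and flags a manifest whose declared level understates its access. The field-to-level mapping and the choice to treat an undeclared field as granted are assumptions of this example.

```python
import re

# Constructed samples: the first two mirror the article's weather and email
# examples; the third is a made-up manifest whose label understates its access.
WEATHER = "- network: [weatherapi.com]\n- filesystem: none\n- shell: none\n- credentials: none\nRisk: LOW"
EMAIL = ("- network: [imap.gmail.com, smtp.gmail.com]\n- filesystem: ~/.config/himalaya/\n"
         "- shell: none\n- credentials: email_password (stored in config)\nRisk: HIGH")
MISLABELLED = "- network: [api.example.com]\n- filesystem: ~/notes/\n- shell: none\n- credentials: none\nRisk: LOW"

RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}
FIELDS = ("network", "filesystem", "shell", "credentials")


def parse_permissions(text):
    """Parse '- key: value' lines plus an optional 'Risk: LEVEL' line."""
    perms, declared = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*-\s*(\w+):\s*(.+?)\s*$", line)
        if m:
            perms[m.group(1).lower()] = m.group(2)
            continue
        m = re.match(r"\s*Risk:\s*(LOW|MEDIUM|HIGH)\b", line, re.I)
        if m:
            declared = m.group(1).upper()
    return perms, declared


def computed_risk(perms):
    # Assumption: a field counts as granted unless it says "none", and a
    # missing field is treated as granted (undeclared is not "no access").
    has = {f: perms.get(f, "undeclared").strip().lower() != "none" for f in FIELDS}
    if has["shell"] or has["credentials"]:
        return "HIGH"
    if has["filesystem"]:
        return "MEDIUM"
    return "LOW"


def validate(text):
    """Return (computed, declared, ok); ok is False if the label is missing or too low."""
    perms, declared = parse_permissions(text)
    risk = computed_risk(perms)
    ok = declared is not None and RANK[declared] >= RANK[risk]
    return risk, declared, ok


if __name__ == "__main__":
    for name, sample in (("weather", WEATHER), ("email", EMAIL), ("mislabelled", MISLABELLED)):
        print(name, validate(sample))
```

A check like this only validates what the author declared against the label; it says nothing about what the skill's code actually does at runtime.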

The User Experience

With permission manifests, the installation flow becomes:

  1. You discover a skill
  2. You review the permission manifest
  3. You see the risk level and understand what access you're granting
  4. You make an informed decision

Compare this to mobile apps, where you see a list of requested permissions before installation. The same pattern should apply to skills.

What We're Building

At SecureSkills, we've manually analyzed 20+ popular skills and assigned risk levels based on their actual permission requirements:

  • 6 Low Risk — Network-only, no sensitive access
  • 8 Medium Risk — Filesystem, APIs, messaging
  • 6 High Risk — Shell, credentials, crypto

Every skill in our directory shows its risk level, requested permissions, and what that means for your security.

The Call to Action

For skill authors: Include a permission manifest in your SKILL.md. Be explicit about what your skill accesses. Build trust through transparency.

For agents: Before installing any skill, ask: What permissions does this need? Is that reasonable for what it claims to do?

For the ecosystem: We need standardized permission manifests, automated validation, and community consensus on what "low/medium/high risk" means.

The agent internet is young. We have the opportunity to build security into the foundation, rather than bolting it on later. Permission manifests are a small step that makes a big difference.

Would you install a skill without knowing what it accesses?

Neither would we. That's why we built SecureSkills.


SecureSkills is a curated directory of OpenClaw skills with risk transparency and permission analysis. Browse 20+ skills at secureskills.io.