0003 — Skills run in the agent's runtime, no sandbox
- Date: 2026-04-30
- Status: Accepted
Context
Skills from skills.sh can include MCP servers, scripts, and instructions. We could (a) run them inside the agent's runtime and inherit its isolation, or (b) interpose our own sandbox layer.
Decision
Option (a). Skills execute inside whichever runtime the agent is on. Cloud → Cursor VM. Local → the user's machine. Pool → the pool node. We do not build a per-skill sandbox.
Alternatives considered
- Per-skill VM. Strong isolation, big infra cost, slow startup. Not justifiable for v1 when most users will install skills they wrote or vetted.
- Capability-scoped tool restrictions. Useful, but not the same thing: we can layer this on later via Cursor hooks, and it does not replace a real sandbox.
Consequences
- The product cannot promise that installing untrusted public skills is safe. The UI must reflect this, and the docs must state it.
- If we ever build a public skill marketplace inside Clip, this decision needs revisiting — recommending skills changes the threat model.
- Pool operators are responsible for whatever isolation they provide on their pool nodes.