Anyscale agent skills security

Anyscale agent skills enforce safety policies that the agent can't bypass. This page describes the permissions model, blocked commands, credential handling, and data privacy considerations. For the license terms that govern your use of the skills, see Anyscale agent skills terms and conditions.

Security acknowledgment

On first use, the agent surfaces the full security policy and requires you to type I accept before it performs any actions. This one-time gate ensures you understand the permissions and risks involved, including shell and filesystem access, potential cloud costs, and credential exposure.

Confidentiality and third-party sharing

Don't disclose, distribute, or share Anyscale agent skills or their contents with any third party without prior written consent from Anyscale.

Scoped permissions

Each skill operates at a specific privilege level. /anyscale-platform-inspect and /anyscale-platform-ask are strictly read-only. Only /anyscale-platform-fix and /anyscale-platform-run can launch workloads, and they declare this upfront.

The following table summarizes the permissions for each skill:

| Skill | Reads code | Writes code | Executes shell | Launches workloads |
| --- | --- | --- | --- | --- |
| /anyscale-workload-llm-serving | Yes | Yes | Yes | No |
| /anyscale-workload-ray-serve | Yes | Yes | Yes | No |
| /anyscale-workload-ray-data | Yes | Yes | Yes | No |
| /anyscale-workload-batch-embedding | Yes | Yes | Yes | No |
| /anyscale-workload-ray-train | Yes | Yes | Yes | No |
| /anyscale-platform-ask | Yes | No | Yes (read-only CLI) | No |
| /anyscale-platform-run | Yes | Yes | Yes | Yes |
| /anyscale-platform-inspect | Yes | No | Yes (read-only CLI) | No |
| /anyscale-platform-fix | Yes | Yes | Yes | Yes |
| /anyscale-infra-kubernetes | Yes | Yes | Yes | No |
| /anyscale-infra-aws-vm | Yes | Yes | Yes | No |
| /anyscale-infra-gcp-vm | Yes | Yes | Yes | No |

/anyscale-platform-fix and /anyscale-platform-run can create Anyscale workspaces, jobs, and services on your cloud account. These resources incur real costs and consume real compute, including GPUs, CPUs, and memory. The infrastructure skills can provision cloud resources such as VPCs, IAM roles, and storage that may also incur costs. Always review what the agent proposes before confirming.

Destructive command blocking

Pre-tool-use hooks screen every shell command and deny dangerous operations. The hooks reduce risk but don't eliminate it. They only cover explicitly listed patterns. Treat them as a defense-in-depth layer, not a substitute for human oversight.

The skills block the following categories of commands:

| Category | Blocked commands |
| --- | --- |
| Shell | rm -r, mkfs, dd, shutdown, reboot, poweroff, fork bombs, block device writes, piped remote execution such as curl \| bash, chmod -R 777. |
| AWS CLI | Destructive commands across EC2, S3, EKS, EFS, CloudFormation, IAM, RDS, ECR, Secrets Manager, and MemoryDB, such as terminate-instances, delete-vpc, delete-cluster, s3 rb, and delete-role. |
| Google Cloud CLI | Destructive commands across GKE, Compute, IAM, Storage, Filestore, and Projects, such as clusters delete, instances delete, service-accounts delete, and buckets delete. |
| Azure CLI | Destructive commands across AKS, Resource Groups, VMs, Storage, and Role assignments, such as aks delete, group delete, vm delete, and storage account delete. |
| Terraform, Terragrunt, and OpenTofu | Allowlist approach: the skills only permit version, show, output, validate, fmt, state list, and state show. The skills block all state-mutating commands: init, plan, apply, and destroy. |
| Helm | helm uninstall, helm delete. The infrastructure skills permit helm upgrade --install. |
| kubectl and eksctl | kubectl delete, kubectl drain, kubectl cordon, kubectl exec, eksctl delete. Read-only commands such as get, describe, and logs remain available. |
| Anyscale CLI | anyscale cloud delete. The skills permit all other subcommands. |
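The following is an added illustration of the screening logic a pre-tool-use hook of this kind performs, written for this page and not Anyscale's own hook code. It mirrors the categories above (denylist for shell, kubectl, helm and anyscale commands; allowlist for the Terraform family) and fails closed on anything it can't parse; the patterns are constructed for the example, and the wiring that passes the agent's command into `screen_command` is left to the coding tool.

```python
import re
import shlex

# Regexes checked against the whole command line first (constructed to mirror
# the categories on this page; the real hook's patterns are not reproduced).
WHOLE_COMMAND_DENY = [
    (r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|)sh\b", "piped remote execution"),
    (r">\s*/dev/(sd|nvme|xvd|disk)", "block device write"),
    (r":\(\)\s*\{\s*:\s*\|\s*:", "fork bomb"),
]
# Regexes checked per simple command. Deliberately unanchored, so a prefix such
# as sudo, env or xargs still trips them (some false positives are acceptable).
SEGMENT_DENY = [
    (r"\brm\s+(-\S*r\S*|--recursive)\b", "recursive rm"),
    (r"\b(mkfs|dd|shutdown|reboot|poweroff)\b", "destructive shell command"),
    (r"\bchmod\s+-R\s+777\b", "world-writable chmod"),
    (r"\bkubectl\s+(delete|drain|cordon|exec)\b", "kubectl mutation"),
    (r"\beksctl\s+delete\b", "eksctl delete"),
    (r"\bhelm\s+(uninstall|delete)\b", "helm removal"),
    (r"\banyscale\s+cloud\s+delete\b", "anyscale cloud delete"),
]
# Terraform-family tools are allowlisted: only these subcommands may run.
TF_TOOLS = {"terraform", "terragrunt", "tofu"}
TF_ALLOWED = {("version",), ("show",), ("output",), ("validate",), ("fmt",),
              ("state", "list"), ("state", "show")}


def _segments(command):
    """Split on |, ||, ; and && so every simple command is screened on its own."""
    return [s.strip() for s in re.split(r"\|\||&&|[|;]", command) if s.strip()]


def screen_command(command):
    """Return (allowed, reason). Any parse failure is treated as a denial."""
    for pattern, reason in WHOLE_COMMAND_DENY:
        if re.search(pattern, command):
            return False, reason
    for seg in _segments(command):
        try:
            argv = shlex.split(seg)
        except ValueError:
            return False, "unparseable command"  # fail closed
        if argv and argv[0] in TF_TOOLS:
            words = tuple(a for a in argv[1:] if not a.startswith("-"))
            if not any(words[:len(ok)] == ok for ok in TF_ALLOWED):
                return False, f"{argv[0]} subcommand not on the allowlist"
            continue
        for pattern, reason in SEGMENT_DENY:
            if re.search(pattern, seg):
                return False, reason
    return True, "ok"
```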

Infrastructure artifacts

The infrastructure skills generate and modify the following types of files that can directly provision or alter cloud resources:

| Artifact | Skills | Purpose |
| --- | --- | --- |
| Terraform configurations: .tf, .tfvars, tfplan | All infrastructure skills | Provision VPCs, IAM roles, storage, security groups, and more. |
| Shell scripts: .sh | All infrastructure skills | Session setup, cloud registration commands, long CLI invocations. |
| YAML configs: cloud_resource.yaml | /anyscale-infra-aws-vm, /anyscale-infra-gcp-vm | Attach resources to an Anyscale cloud through anyscale cloud resource create. |
| Helm values: values.yaml | /anyscale-infra-kubernetes | Configure and install the Anyscale operator, ingress controllers, and device plugins. |
| EKS cluster configs: eksctl-cluster-config.yaml | /anyscale-infra-kubernetes on AWS | Create EKS clusters through eksctl. |

Warning: AI agents can produce infrastructure configurations that are syntactically valid but semantically dangerous. Examples include Terraform security groups that allow ingress from 0.0.0.0/0, IAM policies that grant access to the * resource, and Helm values that turn off authentication. Always review generated files line by line, run terraform plan to inspect the planned changes, and test in a non-production environment first.
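As an added example of the plan review this warning calls for (written for this page, not an Anyscale tool), the checker below walks the JSON that `terraform show -json` emits for a saved plan and flags the two hazards named above plus any resource the plan would destroy. It assumes the `resource_changes[].change.{actions,after}` layout of that JSON and the AWS provider's `ingress` and `policy` attribute names; the sample plan is constructed inline.

```python
import json

def _open_ingress(after):
    """Security-group rules that admit the whole internet (IPv4 or IPv6)."""
    for rule in after.get("ingress") or []:
        if "0.0.0.0/0" in (rule.get("cidr_blocks") or []) \
                or "::/0" in (rule.get("ipv6_cidr_blocks") or []):
            yield f"ingress {rule.get('from_port')}-{rule.get('to_port')} open to 0.0.0.0/0"

def _star_resources(after):
    """IAM Allow statements whose Resource is the wildcard *."""
    if not after.get("policy"):
        return
    stmts = json.loads(after["policy"]).get("Statement", [])
    for st in (stmts if isinstance(stmts, list) else [stmts]):
        res = st.get("Resource", [])
        if st.get("Effect") == "Allow" and "*" in (res if isinstance(res, list) else [res]):
            yield f"Allow {st.get('Action')} on Resource \"*\""

CHECKS = {"aws_security_group": _open_ingress,
          "aws_iam_policy": _star_resources, "aws_iam_role_policy": _star_resources}

def review_plan(plan_json):
    """Return (address, finding) pairs for a `terraform show -json` document."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        if "delete" in change.get("actions", []):  # includes replacements
            findings.append((rc["address"], "resource will be destroyed"))
        check = CHECKS.get(rc.get("type"))
        for msg in (check(change.get("after") or {}) if check else []):
            findings.append((rc["address"], msg))
    return findings

# Constructed sample plan, shaped like `terraform show -json tfplan` output.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "aws_security_group.ray_head", "type": "aws_security_group",
     "change": {"actions": ["create"], "after": {"ingress": [
         {"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]},
         {"from_port": 6379, "to_port": 6379, "cidr_blocks": ["10.0.0.0/16"]}]}}},
    {"address": "aws_iam_policy.anyscale_cloud", "type": "aws_iam_policy",
     "change": {"actions": ["create"], "after": {"policy": json.dumps(
         {"Version": "2012-10-17", "Statement": [
             {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]})}}},
    {"address": "aws_vpc.legacy", "type": "aws_vpc",
     "change": {"actions": ["delete"], "before": {"id": "vpc-0example"}, "after": None}},
]})

if __name__ == "__main__":
    for address, finding in review_plan(SAMPLE_PLAN):
        print(f"{address}: {finding}")
```

Pipe a real plan in with `terraform show -json tfplan` and treat any finding as a reason to reject the generated files before they reach `terraform apply`.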

Credential exposure

Skills rely on your local Anyscale CLI session from anyscale login and any cloud credentials configured on your machine. The AI agent inherits whatever permissions those credentials grant. Use scoped IAM roles with the minimum permissions required, don't store long-lived root or admin credentials on workstations used with AI agents, and rotate credentials regularly.

LLM provider data handling

Anyscale doesn't collect, store, or use your data for training. The Anyscale agent skills CLI downloads skill definitions to your local machine and doesn't transmit your code, prompts, or outputs to Anyscale.

When you use skills through an AI coding tool, the tool sends your prompts, code, configurations, and command outputs to the LLM provider powering it, such as Anthropic for Claude Code or various providers for Cursor. The tool may transmit any content the agent processes, including source code, shell command outputs that may contain secrets or tokens, Anyscale workload logs, and dataset samples.

Use enterprise or API plans that offer contractual guarantees against using your data for training. Enable privacy mode if your tool offers one. Don't paste or reference secrets, PII, PHI, or regulated data in prompts or files the agent reads.

Network and access control

/anyscale-platform-fix and /anyscale-platform-run can launch Anyscale services that create publicly accessible endpoints unless you explicitly configure network restrictions. Always set up authentication, API keys, and network policies for any deployed service. The infrastructure skills can modify cloud networking configurations such as VPCs, security groups, and firewall rules. Review proposed changes to ensure they don't inadvertently open network access.