Security
Trust Policies
The [trust] section in agents.toml controls which skill sources are allowed.
Trust is validated before any network operations in add and install. If a
source does not match the policy, the command fails immediately.
No Trust Section (default)
When [trust] is absent, all sources are allowed. This is the default for
backward compatibility.
```toml
# No [trust] section -- all sources allowed
version = 1
agents = ["claude"]

[[skills]]
name = "any-skill"
source = "anyone/any-repo"
```
Allowlist Mode
Add a [trust] section to restrict sources to an allowlist. A source passes if
it matches any rule.
```toml
[trust]
github_orgs = ["getsentry", "my-company"]
github_repos = ["external-org/one-approved-repo"]
git_domains = ["git.corp.example.com"]
```
| Field | Matches | Example |
|---|---|---|
| github_orgs | GitHub sources where the owner matches | "getsentry" matches getsentry/skills, getsentry/warden |
| github_repos | Exact owner/repo match | "external-org/one-approved-repo" |
| git_domains | Domain extracted from git: URLs | "git.corp.example.com" matches git:https://git.corp.example.com/team/repo |
Local `path:` sources are always allowed regardless of trust configuration.
You can also manage trusted sources from the CLI instead of editing TOML directly:
```bash
dotagents trust add getsentry                     # trust a GitHub org
dotagents trust add external-org/specific-repo    # trust a specific repo
dotagents trust add git.corp.example.com          # trust a git domain
dotagents trust list                              # show trusted sources
```
When defaultRepositorySource = "gitlab", shorthand trust sources are stored as
GitLab domain rules, such as gitlab.com/my-company.
Explicit Allow All
Use allow_all = true to make the intent explicit in shared repositories. This
is functionally the same as omitting the section, but communicates that the
choice was deliberate.
```toml
[trust]
allow_all = true
```
Lockfile
agents.lock tracks which skills are managed and where they came from. It is
auto-generated and should be gitignored.
```toml
# Auto-generated by dotagents. Do not edit.
version = 1

[skills.find-bugs]
source = "getsentry/skills"
resolved_url = "https://github.com/getsentry/skills.git"
resolved_path = "plugins/sentry-skills/skills/find-bugs"
resolved_commit = "0123456789abcdef0123456789abcdef01234567"
```
| Field | Description |
|---|---|
| source | Original source from agents.toml |
| resolved_url | Resolved git clone URL or HTTP base URL |
| resolved_path | Subdirectory within repo where skill was found |
| resolved_ref | Resolved ref name, omitted for default branch |
| resolved_commit | Installed commit SHA. Informational only |

Local `path:` skills have source only.
Caching
Cloned repositories are cached at ~/.local/dotagents/, and you can override
that with DOTAGENTS_STATE_DIR.
- Shallow clone per git source.
- All git operations are non-interactive with GIT_TERMINAL_PROMPT=0.
- Git sources refresh on every install.
- Well-known HTTPS sources use a 24-hour TTL.