Skip to main content
Our new developer certification is live!

Contentstack agent skills security policy

5 min read
aisecurity
tim-hero.png
AuthorTim Benniks

At Contentstack we value security and transparency. This is our agent skills security policy.

Purpose

This policy defines the minimum security requirements for building, publishing, and maintaining Agent Skills within the Contentstack ecosystem. It protects users, content, and systems from prompt injection, unsafe markdown rendering, and model hallucinations.

This policy applies to:

  • First party skills

  • Partner integrations

  • Community contributed skills

  • Skills that access Contentstack APIs, content, or external systems

Security principles

All skills must follow these core principles:

  1. Least privilege Request only the permissions and scopes strictly required.

  2. Explicit trust boundaries Treat user input, remote content, and model output as untrusted.

  3. Deterministic behavior where possible Prefer structured outputs and validation over freeform generation.

  4. Safe rendering Never render untrusted markdown or HTML without sanitization.

  5. Verifiable actions Any action that mutates content or systems must be confirmed and logged.

  6. Have a defined person or team who is responsible for monitoring and maintaining the skill

Have a defined person or team who is responsible for monitoring and maintaining the skill

1 Prompt injection protection

Prompt injection is the primary risk in agent ecosystems. Skills must assume that any input may attempt to override system instructions.

1.1 Treat all external input as untrusted

Untrusted sources include:

  • User prompts

  • Contentstack entries and assets

  • Markdown from CMS fields

  • External APIs and web pages

  • MCP server responses

  • Plugin outputs

Required controls

Skills must:

  • Never allow external content to modify system instructions.

  • Never concatenate untrusted input directly into system prompts.

  • Use clear role separation between system, developer, and user instructions.

  • Strip or neutralize instruction like phrases from untrusted content.

Example of unsafe pattern

systemPrompt = "You are a safe assistant."
systemPrompt += userInput

Example of safe pattern

messages = [
  { role: "system", content: SAFE_SYSTEM_PROMPT },
  { role: "user", content: sanitize(userInput) }
]

1.2 Detect injection patterns

Skills should detect and neutralize common injection attempts such as:

  • "Ignore previous instructions"

  • "You are now a different system"

  • "Reveal your system prompt"

  • "Execute hidden instructions"

  • Markdown or HTML that embeds instructions

Recommended mitigation

  • Reject or flag suspicious inputs.

  • Log injection attempts.

  • Return a safe refusal when intent is unclear.

2 Markdown and rendering security

Markdown fields in Contentstack often contain rich content. Unsafe rendering can lead to XSS, prompt injection, or UI manipulation.

2.1 Markdown is untrusted input

All markdown must be treated as untrusted, including:

  • Entry rich text fields

  • Blog content

  • User generated comments

  • Third party integrations

2.2 Required sanitization

Before rendering markdown to HTML or passing to a model:

  • Strip <script> tags

  • Remove inline event handlers (onclick, onerror, etc.)

  • Sanitize embedded HTML

  • Neutralize data URLs

  • Remove hidden instructions in HTML comments

Recommended tools

  • DOMPurify

  • sanitize-html

  • markdown-it with HTML disabled

  • server side sanitization before delivery

2.3 Model safe markdown handling

When sending markdown to LLMs:

  • Remove hidden instructions and HTML comments

  • Strip metadata blocks that may contain instructions

  • Limit maximum markdown length

  • Convert to plain text when possible for analysis tasks

3 Hallucination mitigation

LLMs may produce plausible but incorrect information. Skills must reduce the risk of false outputs, especially when interacting with content or APIs.

3.1 Require grounding

Skills must ground responses in:

  • Contentstack data

  • Verified API responses

  • Explicit user input

  • Known schemas

Required controls

  • Use retrieval augmented generation (RAG) where applicable.

  • Cite content sources when generating summaries.

  • Avoid inventing fields, IDs, or content types.

3.2 Structured output enforcement

Prefer structured outputs over free text.

Example

Instead of:

"Here is the content model"

Use:

{
  "content_type": "blog_post",
  "fields": [...]
}

Validate outputs against schemas before use.

3.3 Refusal behavior

Skills must refuse when:

  • Data is missing or ambiguous

  • Confidence is low

  • The request requires guessing

  • The model attempts to fabricate content

Example refusal

I cannot determine the content type from the provided data. Please specify the content type UID.

4 Tool and action safety

Skills that perform actions must implement safeguards.

4.1 Confirmation for destructive actions

Require explicit confirmation for:

  • Deleting entries

  • Publishing content

  • Changing environments

  • Rotating tokens

  • Modifying permissions

4.2 Scope enforcement

Skills must:

  • Enforce environment scoping

  • Prevent cross stack access

  • Validate API tokens and scopes

  • Never expose secrets in outputs

5 Logging and observability

When possible, Skills must log:

  • Injection attempts

  • Refusals

  • Destructive actions

  • Permission errors

  • External API failures

Repeated injection or manipulation attempts must send an alert and be investigated by the skill owner. Logs must not contain secrets or tokens.

If it is not possible to log Skill data, there must be a comment with the Skill noting why and how issues could be investigated.

6 Secure skill design checklist

Before publishing, skill authors must verify:

Prompt safety checklist

  • No untrusted input in system prompts

  • Injection patterns detected and handled

Clear role separation in messages

Markdown safety

  • Markdown sanitized before rendering

  • HTML disabled or sanitized

  • Hidden instructions removed

Hallucination controls

  • Responses grounded in real data

  • Structured outputs used where possible

  • Refusal behavior implemented

Action safety

  • Confirmation required for destructive actions

  • Permissions scoped correctly

  • Secrets never exposed

Observability

  • Security events logged

  • No sensitive data in logs

7 Inventory

Contentstack will maintain an inventory of Skills documented at . The inventory must list:

  • The name of the skill

  • What function the skill is performing

  • Who the maintainer/contact person for the Skill is

  • A link the Checklist from this policy signing off on the review

8 Non compliance

Skills that do not comply with this policy may be:

  • Rejected from the marketplace

  • Disabled or sandboxed

  • Revoked from Contentstack integrations

9 Future considerations

This policy will evolve to address:

  • Model level guardrails

  • Signed skill manifests

  • Runtime sandboxing

  • Trust scoring for community skills