Capability manifest

The capabilities block in a SKILL.md frontmatter is the skill's self-declaration of what it's allowed to do. In v0, it's an honor system — SkillOx compares the declared capabilities against what the markdown looks like it's actually doing, and flags mismatches. Later, the WebAssembly sandbox enforces it at runtime.

Shape

capabilities:
  filesystem:
    read:  ["./src/**", "~/.config/myapp/**"]
    write: ["./src/**"]
  network:
    egress: ["api.acme.io:443", "cdn.acme.io:443"]
  process:
    exec: ["prettier", "biome"]
  secrets:
    env: ["ACME_API_KEY"]      # explicitly declared, not harvested
  agent_tools:
    use: ["read_file", "write_file", "run_command"]

Sections

filesystem.read + filesystem.write — glob patterns. References to ~/.ssh/, ~/.aws/, etc. anywhere in the body trigger filesystem-overreach regardless of declaration.
network.egress — host:port allowlist. URLs in the body to hosts not in this list trigger network-egress-undeclared. Only fires when a manifest is present — unmanifested skills get no-manifest instead.
process.exec — list of binaries the skill may shell out to. Empty list = no subprocess. The planned sandbox enforces.
secrets.env — environment variables the skill explicitly needs. A skill that declares ACME_API_KEY and uses it is fine; a skill that touches $ANTHROPIC_API_KEY without declaring it triggers env-var-harvesting.
agent_tools.use — whitelist of agent-side tools this skill needs. v0 doesn't check this; the planned sandbox will.

Why declare?

Three reasons, scaling with milestone:

Today (v0) — declared capabilities are how SkillOx tells whether a network reference is a legitimate operational dependency or an undeclared exfil endpoint. Skills with manifests grade better.
Planned sandbox — the WASM runtime reads the manifest and enforces every syscall against it. Anything undeclared is killed + audit-logged.
Planned Team tier — org policies can require minimum capability declarations (“no skills without a manifest”, “no skills with process.exec”).

Tip: if you author a skill, ship a manifest from day one. It costs five minutes, it's the difference between an A and a B at v0, and it's a hard requirement once the sandbox lands.