The Palyra Skill system provides a secure, signed artifact format (.palyra-skill) for extending agent capabilities using WebAssembly (Wasm). It implements a layered security model combining Ed25519 code signing, publisher trust via Trust-On-First-Use (TOFU), and a resource-constrained Wasmtime runtime with fine-grained capability grants.

Skill Artifact Format

A skill artifact is a ZIP-compressed archive containing a mandatory manifest, signed modules, and optional assets. The structure is strictly validated to prevent path traversal and unauthorized file inclusion (crates/palyra-skills/src/artifact.rs#1-20).

Manifest Structure (skill.toml)

The skill.toml file defines the identity, entrypoints, and required capabilities of the skill. It is parsed using parse_manifest_toml (crates/palyra-skills/src/manifest.rs#38-43).

| Section | Description |
| --- | --- |
| manifest_version | Current version (2) (crates/palyra-skills/src/constants.rs#20-20). |
| skill_id | Unique identifier (e.g., acme.echo_http) (crates/palyra-skills/src/tests.rs#27-27). |
| entrypoints.tools | Defines the tool ID, input/output JSON schemas, and risk profile (crates/palyra-skills/src/tests.rs#33-47). |
| capabilities | Explicit allowlists for HTTP egress, filesystem roots, and secrets (crates/palyra-skills/src/tests.rs#49-65). |
| operator.plugin | Maps tools to specific Wasm modules and entrypoint functions (crates/palyra-skills/src/tests.rs#79-83). |

Internal Artifact Layout

Security and Trust Model

Palyra employs a “Fail-Closed” trust model for skill execution.

Code Signing and Verification

Artifacts are signed during the skills package build flow using an Ed25519 key (crates/palyra-cli/src/commands/skills.rs#79-87). The verify_skill_artifact function ensures the signature matches the payload and that the publisher is trusted (crates/palyra-skills/src/verify.rs#43-43).

Publisher Trust (TOFU + Allowlist)

Trust is managed via the SkillTrustStore (crates/palyra-skills/src/models.rs#19-19):
  1. Allowlist: Explicitly trusted publisher public keys.
  2. TOFU (Trust-On-First-Use): If enabled, the first time a publisher’s key is seen, it is recorded and trusted for subsequent updates (crates/palyra-cli/src/commands/skills.rs#145-146).
  3. Integrity: The trust.json file is protected by a SHA-256 HMAC to prevent manual tampering (crates/palyra-cli/src/commands/skills.rs#139-139).
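
The allowlist and TOFU rules above can be read as one fail-closed decision function. The sketch below is an added example, not Palyra's SkillTrustStore code: the TrustStore and Decision types, their field names, and the sample publisher ids and keys are hypothetical. It assumes that a changed key for an already pinned publisher is rejected and that, with TOFU disabled, only the allowlist counts.

```rust
use std::collections::{HashMap, HashSet};

/// Hypothetical stand-in for a publisher trust store (not Palyra's SkillTrustStore).
pub struct TrustStore {
    pub allowlist: HashSet<String>,         // explicitly trusted publisher keys
    pub tofu_pins: HashMap<String, String>, // publisher id -> key pinned on first use
    pub tofu_enabled: bool,
}

#[derive(Debug, PartialEq)]
pub enum Decision {
    Allowlisted,
    TofuPinned, // first sighting: the key is recorded now
    TofuMatch,  // same key as the one pinned earlier
    Rejected(&'static str),
}

impl TrustStore {
    /// Decide whether `key` may sign skills for `publisher`.
    /// Anything not explicitly trusted is rejected (fail closed).
    pub fn evaluate(&mut self, publisher: &str, key: &str) -> Decision {
        if self.allowlist.contains(key) {
            return Decision::Allowlisted;
        }
        // Assumption: with TOFU disabled, only the allowlist grants trust.
        if !self.tofu_enabled {
            return Decision::Rejected("unknown key and TOFU disabled");
        }
        match self.tofu_pins.get(publisher) {
            Some(pinned) if pinned == key => Decision::TofuMatch,
            // Assumption: a different key for a known publisher is never re-pinned.
            Some(_) => Decision::Rejected("key differs from pinned key"),
            None => {
                self.tofu_pins.insert(publisher.to_string(), key.to_string());
                Decision::TofuPinned
            }
        }
    }
}

fn main() {
    // Constructed sample data: publisher ids and key strings are placeholders.
    let mut store = TrustStore {
        allowlist: HashSet::from(["aa11".to_string()]),
        tofu_pins: HashMap::new(),
        tofu_enabled: true,
    };
    for (p, k) in [("acme", "aa11"), ("beta", "bb22"), ("beta", "bb22"), ("beta", "cc33")] {
        println!("{p} {k} -> {:?}", store.evaluate(p, k));
    }
}
```

The rejected key-change case is the one worth alerting on: it is either a legitimate key rotation that needs an explicit allowlist update or an attempt to ship an update under a different signer.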

Security Audit

Before installation, artifacts undergo a SkillSecurityAudit which checks for:

Wasm Plugin Runtime

Plugins are executed in a sandboxed environment powered by wasmtime. The WasmRuntime enforces strict resource quotas and capability mediation (crates/palyra-plugins/runtime/src/lib.rs#1-6).

Resource Quotas

Limits are defined in RuntimeLimits and enforced per-invocation (crates/palyra-plugins/runtime/src/lib.rs#44-54):

Capability Mediation

Plugins cannot access the host directly. Instead, they receive opaque integer handles for granted resources (crates/palyra-plugins/runtime/src/lib.rs#98-112).

Data Flow: Skill Invocation

Sources: crates/palyra-daemon/src/wasm_plugin_runner.rs#163-186, crates/palyra-plugins/runtime/src/lib.rs#3-6

Plugin SDK and WIT Interface

The interaction between the host and the Wasm guest is defined by the Palyra Plugin SDK using the WebAssembly Interface Type (WIT) format.

WIT Interface (palyra-sdk.wit)

The SDK exposes “Tier A” capabilities via the palyra:plugins/host-capabilities import module (crates/palyra-plugins/sdk/src/lib.rs#24-24).

Key SDK Constants:

Typed Plugin Contracts

Beyond simple tools, plugins can implement specific host extension points called TypedPluginContractKind (crates/palyra-plugins/sdk/src/lib.rs#60-73).

| Contract Kind | Purpose |
| --- | --- |
| memory_provider | Custom agent memory storage/retrieval (crates/palyra-plugins/sdk/src/lib.rs#80-80). |
| routing_strategy | Logic for selecting LLM providers (crates/palyra-plugins/sdk/src/lib.rs#82-82). |
| run_lifecycle_hook | Logic executed at agent run start/end (crates/palyra-plugins/sdk/src/lib.rs#83-83). |
| delivery_adapter | Custom channel messaging logic (crates/palyra-plugins/sdk/src/lib.rs#89-89). |

Code Entity Mapping

Sources: crates/palyra-daemon/src/wasm_plugin_runner.rs#163-167, crates/palyra-plugins/runtime/src/lib.rs#22-25, crates/palyra-daemon/src/plugins.rs#68-96

CLI and Console Integration

The skill lifecycle is exposed through the palyra skills CLI and the Web Console.

Sources: