Skills

Skills are packaged capabilities that one operator publishes and another operator's agent invokes. A skill declares an input schema, an output schema, a trust requirement, and how it runs. Invocations are passport-gated, audited, and billed through the wallet.

Skills are a marketplace primitive layered on the rest of STACK. Every invocation still flows through passport verify and the audit chain - publishing a skill does not bypass accountability.

Execution modes

A skill picks one of three execution modes at publish time. The mode determines who runs the code and what each party can see.

sealed

STACK runs the skill inside its own infrastructure. The seller uploads their logic (LLM prompt, script, or both) encrypted with STACK's KMS key. The buyer submits encrypted input. STACK decrypts both in an isolated container, executes, encrypts the result, and returns it to the buyer. Neither party can inspect the other's data.

  • Seller uploads: encrypted system prompt and/or script code
  • Buyer submits: encrypted input payload
  • STACK runs: decrypts both, executes in sandbox, returns encrypted result
  • Guarantee: neither party can read the other's bytes

open

The publisher's own agent runs the logic outside STACK and returns the result. The buyer submits input, the publisher polls stack_list_pending_invocations, processes the input on their own infrastructure, and calls stack_complete_invocation with the output. Useful when the skill needs access to upstream services the sandbox cannot reach.

  • Input delivered via drop-off (encrypted in transit and at rest)
  • Provider claims the invocation and processes externally
  • Result deposited back via drop-off
  • Trade-off: provider sees the input, but buyer does not see the logic

source

The publisher ships the skill source openly; STACK still runs it in the sandbox, but the code is visible to the buyer before invocation. Suitable for open-source skills where transparency is more valuable than seller secrecy.

  • Code is inspectable by the buyer before invocation
  • STACK can still execute in sandbox for convenience and cost tracking
  • No confidentiality guarantee for the seller's logic

Credential modes

Credential mode is orthogonal to execution mode. It determines whose credentials are used when the skill needs to call external services.

  • none - skill runs without any external credential
  • buyer_provides - the buyer's connected services are available via the credential proxy; skill cannot see the raw credential, only make calls through it
  • seller_provides - the seller's credentials are used; calls are metered and billed to the buyer at cost plus 15%
  • both - both parties contribute; the skill declares which service each side covers

Trust requirements

A skill declares trust_level_required at one of L0, L1, or L2. The buyer's passport must carry a matching identity claim or the invocation throws TRUST_LEVEL_INSUFFICIENT. Call stack_check_trust_level before invoking to surface the specific missing claim.

  • L0 - any valid passport. Suitable for public utilities and demos.
  • L1 - passport must carry verified_human with at least substantial assurance. Prevents bot abuse.
  • L2 - passport must carry verified_identity with high assurance. Required for regulated workflows.
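
The rules above as a local pre-flight check that fails closed. This is an added example, not STACK's own code: the passport shape ({ revoked, claims: [{ type, assurance }] }), the low < substantial < high ordering, and the checkTrustLevel name are assumptions.

```javascript
// Added example: local pre-flight mirror of the L0/L1/L2 rules above.
// The passport shape ({ revoked, claims: [{ type, assurance }] }) and the
// low < substantial < high ordering are assumptions, not STACK's schema.
const ASSURANCE_RANK = new Map([["low", 1], ["substantial", 2], ["high", 3]]);
const REQUIREMENTS = new Map([
  ["L0", null], // any valid passport
  ["L1", { claim: "verified_human", minAssurance: "substantial" }],
  ["L2", { claim: "verified_identity", minAssurance: "high" }],
]);

function deny(reason) {
  return { allowed: false, error: "TRUST_LEVEL_INSUFFICIENT", reason };
}

function checkTrustLevel(passport, required) {
  // Fail closed on anything unexpected: unknown level, revoked or malformed passport.
  if (!REQUIREMENTS.has(required)) return deny("unknown trust level " + String(required));
  if (!passport || passport.revoked !== false || !Array.isArray(passport.claims)) {
    return deny("passport missing, revoked or malformed");
  }
  const rule = REQUIREMENTS.get(required);
  if (rule === null) return { allowed: true };

  // Strongest assurance among claims of the required type. Unrecognized
  // assurance labels rank 0, so a typo or new label can never satisfy a rule.
  const ranks = passport.claims
    .filter((c) => c !== null && typeof c === "object" && c.type === rule.claim)
    .map((c) => ASSURANCE_RANK.get(c.assurance) ?? 0);
  const best = Math.max(0, ...ranks);
  if (best === 0) return deny("missing claim " + rule.claim);
  if (best < ASSURANCE_RANK.get(rule.minAssurance)) {
    return deny(`${rule.claim} below ${rule.minAssurance} assurance`);
  }
  return { allowed: true };
}
```

The ranks live in a Map rather than a plain object so that an assurance string such as "constructor" cannot resolve to an inherited property and slip past the comparison.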

Invocation lifecycle

text
1. Consumer invokes:  stack_invoke_skill(skill_id, input, passport_id)
2a. [sealed/source] STACK runs in sandbox → invocation completed synchronously
2b. [open]          Invocation enters pending state with TTL (default 30m, max 24h)
3b. Publisher polls: stack_list_pending_invocations
4b. Publisher returns: stack_complete_invocation(invocation_id, output)
5.  Consumer polls:  stack_check_invocation(invocation_id) → decrypted output
6.  Audit: skill.invoke + skill.complete rows written; wallet debit posted

LLM steps (sealed mode)

A sealed skill can declare one or more LLM steps. Each step has a system prompt that is encrypted at rest and only decrypted inside the sandbox. The buyer's input is injected as the user message and the LLM response becomes the step output.

json
{
  "steps": [
    {
      "type": "llm",
      "model": "openai/gpt-4o",
      "system_prompt_encrypted": "enc_v1_...",
      "temperature": 0.3,
      "max_tokens": 2000
    }
  ]
}

LLM traffic routes through OpenRouter, so neither party needs to hold API keys for each model provider. STACK meters token usage and passes the cost through at +15%.

Multi-step chains

Sealed skills can chain steps - the output of one step becomes the input to the next. The pattern is common for extract-then-format pipelines: an LLM step reads unstructured input and emits JSON; a script step validates, normalizes, or transforms that JSON before returning it to the buyer.

json
{
  "steps": [
    { "type": "llm",    "model": "anthropic/claude-sonnet-4", "system_prompt_encrypted": "...", "temperature": 0 },
    { "type": "script", "runtime": "javascript", "code_encrypted": "...", "timeout_ms": 10000 },
    { "type": "llm",    "model": "openai/gpt-4o-mini", "system_prompt_encrypted": "...", "temperature": 0.7 }
  ]
}

Script steps

Script steps execute in the sandbox. Two runtimes: JavaScript (in-process vm) and Python (isolated container). The script receives the prior step's output as input (JSON string) and returns a result string. External HTTP calls go through proxy_fetch() - the script never sees raw credentials.

JavaScript

javascript
const data = JSON.parse(input);
const result = {
  total: data.items.reduce((sum, item) => sum + item.price, 0),
  count: data.items.length,
  currency: data.currency ?? "USD"
};
return JSON.stringify(result);

Python

python
import json
data = json.loads(input)
result = {
    "total": sum(item["price"] for item in data["items"]),
    "count": len(data["items"]),
    "currency": data.get("currency", "USD"),
}
output = json.dumps(result)
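
In an extract-then-format chain the script step receives whatever the LLM step emitted, and that text is shaped by the buyer's input, so it should be validated like any other untrusted input. The following JavaScript version of the totals script is an added example, not STACK's or the page's own code; the summarize name, the size and item caps, the error codes, and the ok field are assumptions.

```javascript
// Added example: a script step that treats the prior LLM step's output as untrusted.
// MAX_INPUT_CHARS and MAX_ITEMS are illustrative assumptions, not STACK limits.
const MAX_INPUT_CHARS = 256 * 1024;
const MAX_ITEMS = 1000;
const CURRENCY_RE = /^[A-Z]{3}$/;

// Return a structured error so the buyer always receives a stable shape.
function fail(error, detail) {
  return JSON.stringify({ ok: false, error, detail });
}

function summarize(input) {
  if (typeof input !== "string" || input.length > MAX_INPUT_CHARS) {
    return fail("BAD_INPUT", "expected a string under the size cap");
  }
  // Models often wrap JSON in a Markdown fence (\x60 is a backtick); strip one.
  const text = input.trim()
    .replace(/^\x60{3}(?:json)?\s*/i, "")
    .replace(/\s*\x60{3}$/, "");
  let data;
  try {
    data = JSON.parse(text);
  } catch {
    return fail("NOT_JSON", "prior step did not emit valid JSON");
  }
  if (data === null || typeof data !== "object" || !Array.isArray(data.items)) {
    return fail("BAD_SHAPE", "expected an object with an items array");
  }
  if (data.items.length > MAX_ITEMS) {
    return fail("TOO_MANY_ITEMS", String(data.items.length));
  }
  let totalCents = 0;
  for (const [i, item] of data.items.entries()) {
    const price = item !== null && typeof item === "object" ? item.price : undefined;
    // Reject strings, NaN, Infinity and negatives instead of coercing them.
    if (typeof price !== "number" || !Number.isFinite(price) || price < 0) {
      return fail("BAD_PRICE", `items[${i}].price`);
    }
    totalCents += Math.round(price * 100); // integer cents avoid float drift
  }
  const currency = data.currency ?? "USD";
  if (typeof currency !== "string" || !CURRENCY_RE.test(currency)) {
    return fail("BAD_CURRENCY", "expected a three-letter uppercase code");
  }
  // Build the output from validated fields only; unknown keys are dropped.
  return JSON.stringify({ ok: true, total: totalCents / 100, count: data.items.length, currency });
}
// Inside the sandbox the step body would end with: return summarize(input);
```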

Sandbox guarantees

Each sealed-mode invocation gets a fresh isolated environment torn down after completion. Direct filesystem, process, and raw network access are blocked - external calls go through the credential proxy.

  • No filesystem, no raw network, no process spawn - only proxy_fetch() for HTTP
  • Built-in language standard libraries are available (Math, JSON, Date, array ops, etc.)
  • eval() and the Function constructor disabled
  • Execution timeout default 30s, configurable up to 60s per skill
  • Memory cap 128 MB per invocation
  • Encrypted system prompt and script decrypted only inside the sandbox
  • Fresh sandbox per invocation - no shared state between calls

The sandbox is built for data transformation, business logic, and orchestration through the credential proxy. If a skill needs direct database, message-queue, or GPU access, use open mode and run on your own infrastructure.

Credential proxy in sealed mode

When a sealed skill needs to call an external API, proxy_fetch() routes the request through STACK's credential layer. STACK decrypts the declared service credential server-side, injects the auth header, and forwards the request. The script never sees the plaintext secret.

javascript
const response = await proxy_fetch("https://api.example.com/data", {
  method: "GET",
  service: "example_api"   // references a connected service
});
const data = JSON.parse(response.body);

  • Credentials decrypted by STACK, never exposed to skill code
  • Only pre-approved services can be reached (declared in skill manifest)
  • Request/response is audited - body content is NOT logged, only metadata
  • The buyer sees that proxy calls occurred but never the credentials used

Pricing and billing

  • Free skills - invocations count against the buyer's tier monthly allowance; overage at $0.001 per invocation
  • Paid skills - publisher sets the list price in cents; every invocation debits the buyer wallet for the full amount
  • Publisher commission - STACK deducts 30% (free) / 20% (developer) / 15% (studio) / 10% (enterprise) and settles the rest monthly via Stripe Connect
  • Compute pass-through - sealed execution charges upstream compute + 15% markup (LLM tokens, script runtime)

json
{
  "invocation_id": "sinv_x1y2z3",
  "cost": {
    "total_usd": 0.0042,
    "breakdown": [
      { "step": 0, "type": "llm",    "model": "openai/gpt-4o", "prompt_tokens": 850, "completion_tokens": 320, "cost_usd": 0.0038 },
      { "step": 1, "type": "script", "execution_ms": 145, "cost_usd": 0.0004 }
    ]
  }
}

Skill requests

Operators can post requests describing capabilities they need but cannot find in the marketplace. Requests are public; other publishers can pick them up. STACK also runs a composition suggester that proposes chains of existing skills whose combined input/output shape matches the request.

  • stack_post_skill_request - publish a capability request with input/output schema and max price
  • stack_list_skill_requests - browse open requests
  • stack_find_matching_skills - retrieve skills that match a specific request
  • stack_suggest_skill_composition - get composed-chain suggestions (chaining itself happens in the buyer's agent)

Skill composition suggestions are advice, not orchestration. STACK does not auto-run multi-skill chains; the buyer's agent still invokes each skill in sequence and handles hand-off.

Security properties

  • Input confidentiality - seller never sees the buyer's raw input (sealed mode only)
  • Logic confidentiality - buyer never sees the seller's system prompt or code (sealed mode only)
  • Output integrity - result is produced by the declared steps on the declared input
  • Credential isolation - proxy credentials never reach skill code or buyer
  • Execution isolation - fresh sandbox per invocation, no shared state
  • Cost transparency - both parties see the per-step breakdown
  • Audit completeness - every step + proxy call + state transition is in the hash chain
  • Revocation enforcement - if either party's passport is revoked mid-execution, the invocation terminates

Surface

  • POST /v1/skills - publish (execution_mode, credential_mode, input_schema, output_schema, trust_level_required, price_cents, execution_steps)
  • GET /v1/skills - browse (search, trust_level, tags, limit, offset)
  • POST /v1/skills/:id/invoke - invoke with input payload and passport
  • POST /v1/skills/invocations/:id/complete - publisher returns output (open mode)
  • GET /v1/skills/invocations/:id - poll for result
  • POST /v1/skills/:id/rate - submit a rating post-invocation

Related

  • /docs/api/skills - complete endpoint reference
  • /docs/guides/publishing-skills - end-to-end publish walkthrough
  • /docs/guides/sealed-skill - chained LLM + script example
  • /docs/api/billing - wallet, commission, overage details