Mycroft Community Forum

Skill download links on Picroft

Hello there,

Still on the security part of things on Picroft. How can Mycroft prevent downloading a skill from an untrusted source that is not the main repo?! Is this done through msm?!

Mycroft the company dosnt revent users from dooing what ever they want on the users own hardware. Mycroft software dont prevent the user from dooing whatever the user wants to do whit the software. Mycroft is open and free.

MSM can be used to install software from Mycroft Market my

msm install skill-name

that will install the version of skill-name that is aproved by mycroft testers.

if youi want you can install a never / dev version og skill-name by

msm --latest install skill-name

that wil install the master branch from the git-repo where skill-name comes from.

You can even install skills not in market by

msm install https://github.com/somename/skill-name

That is the beauty. So if you dont want to install from sources not accepted by mycroft - then dont do that. On the other hand - if you want you can do that - and even change every part of mycroft as you fit.

1 Like

Thank you @andlo!

Very detailed answer! Great!

I was trying to make sure that users cannot download skills that don’t belong to the market through voice commands (like malicious skills or something), but I guess those commands only concern the Mycroft market place and that is a secure source.

1 Like

Yes installing by voice will only install skills that are in market.

But maybe it were a good idea to have a setting that prevents installing by voice - and maybe extend msm to have a third party warning when installing from unknown git repo.

I am sure that if you make a PR for that Mycroft will be glad for such a contribution :slight_smile:

Yes! That is exactly what I was thinking!

Do you have any idea on how I would be able to do such a thing?! It will also be a great opportunity to find out about their opinion on the subject.

1 Like

Well it depends on “where you are” and what you do alreddy know. But headlines is:

  1. Fork the github repo
  2. Install from your forked repo
  3. Make the changes
  4. push to your forked repo
  5. test and make more changes
  6. push some more
  7. when satified make a Pull request back to where you forked from

I think making a third party warning should be in mycroft-msm
by defining a string having the warning text, and print that before installation and call ask_yes_no() and if no exit and if yes continue.

and a setting for install skills by voice added to skill-installer
by adding a setting in settingmeta as a checkboks “like install skills by voice” and let tht be set default but letting user turn off voice installation.

If you want to test how to fork, change and push and pull on github, you are welcome to do that on one of my repos - test-test could be fine :slight_smile:


This skill isnt dooing much (just a skill template made with mycroft-msk

If you dont have a IDE (integrated devolopment center) you could use the Theia IDE skill as that will install a complete IDE and setup everything for you. Do use latest version by
msm --latest install theia-ide