Status: non-normative companion to spec.md.
This guide is for the operator: the person who authorizes an assistant to
follow an assistant-guide.txt and supervises it while it acts. It is not
part of the normative profile. It collects the practices that go with
adopting GuideCheck, regardless of how high a guide scores against the
profile. Read it alongside spec.md section 27, which enumerates the threats
the profile does not address.
GuideCheck is one layer in a defense stack. It is the layer that prevents a presentation surface from hiding instructions from a human while feeding them to an assistant. It is not, by itself, a secure install procedure. The practices below remain the operator's responsibility regardless of how high a guide scores against the profile.
- Read the full guide. The size limits in
spec.mdsection 8 exist so that "read the full guide" is realistic. If the guide is too long to read, treat that as a finding. - Confirm the canonical URL with the publisher through a channel that does not depend on the same web property. For high-consequence operations, prefer a signed release note, a code-signing key fingerprint, or a person you trust who can vouch for the publisher.
- Compare the
applies-tofield against the version of the software you actually have. A guide written for>=2.3.0, <3.0.0is not a guide for your3.1.0install. - Check
statusandvalid-until. Adeprecatedor expired guide is a stop, not a warning. - Decide your tolerance per action class before you start. Pre-committing to
"I will not approve any
privilegedaction today" prevents in-the-moment approval drift.
- Keep the assistant on least-privilege tool permissions. A guide that fits this profile still needs a sandbox underneath it.
- Do not let the assistant raise its own permissions, disable sandboxing, or
batch approvals across action ids.
spec.mdsection 12 forbids the guide from asking; the runtime should also forbid the assistant from doing. - Watch the verbatim action block at each approval prompt. If the displayed command does not match what the assistant is about to run, stop and investigate.
- Maintain operating-system permission prompts. If the OS asks for elevation, that question is for you, not the assistant.
- Log executed actions. Post-hoc review is the only defense against approval-fatigue mistakes.
- Back up state before any destructive or persistence-changing action. The guide may declare a command non-destructive; your backup is what protects you when the declaration is wrong.
- Run unfamiliar guides in a disposable environment first: a VM, a container, a scratch workstation, a non-production cluster. Promotion to production is a separate decision.
- Apply network egress controls at the host or network layer. The
egressfield in a guide is a declaration; your firewall is the enforcement. - Keep secrets out of the assistant's reach.
spec.mdsection 16 forbids secrets in the guide; you still must not hand the assistant a session that has unrestricted access to credential stores.
- code signing, release attestation, and software bill of materials for the underlying project
- package manager trust policy and lockfile review
- vulnerability scanning of the dependencies the guide installs
- security review of the underlying software itself
- incident response, monitoring, and audit
- organizational change-management for production systems
If you are deploying AI-assisted installs at scale, treat conforming guides as one control among many. A program built on this profile alone is under-defended.
Do not run a guide through a verifier, see a green result, and skip reading it. The verifier is a filter that catches a specific class of presentation-layer and structural attacks. It cannot detect a publisher who has decided to harm you in plain ASCII. Your reading is the control that catches that case.
A guide is not trustworthy because:
- it is on a domain that hosts other things you trust
- it has a high conformance level
- a verifier returned no findings
- it is referenced from a popular
llms.txt - an assistant said it looked fine
A guide is provisionally trustworthy when its publisher is known, its content matches your expectations for the task, its actions are scoped and approval-gated, and the surrounding operational controls (backups, sandbox, least privilege, signed releases) are in place. Conformance contributes to that judgment. It does not constitute it.