skilmoAI Skills and Context moderation

Technology

Context is the new source code.

Andrej Karpathy · Sequoia AI Ascent 2026

Contents
  1. Process First
  2. Supply Chain Attacks
  3. Classifiers
  4. Custom Vocabulary
  5. PII Sanitisation
  6. Verification & Trust
  7. FAQ

This is not a feature list. It is how we think about putting AI to work inside a regulated company — and why most deployments fail before the first prompt.

PII sanitisation and skill governance are not bolt-on features. They are the logical consequences of one idea: context is the new source code.

ISO 27001 certified auditors · EU incorporated · Estonia · Local-first · nothing leaves the building

01 · Process First

Most LLM projects fail before the first prompt.

Most LLM context windows contain PII on day one. Most teams find out when the DPO asks.

Companies that avoid this don't start with the model — they start with a process map. They trace where decisions are made, where personal data flows, and what the model will actually see. Then they build a knowledge system: the structured context the LLM reads as its operating reality. The context window is the program. Bad context is a liability.

SEQUENCE The five-stage setup

  1. Process mapping: Which workflows touch an LLM, what decisions it influences, who owns the outcomes.
  2. Risk assessment: Where PII enters the workflow, and what regulatory obligations apply.
  3. Knowledge system: The structured context the LLM reads: policies, definitions, decision rules, org vocabulary.
  4. RAG layer (optional): Retrieval-Augmented Generation (RAG) connects the LLM to live internal documents. Every retrieved chunk is a potential PII exposure point and must be sanitised before it enters the context window.
  5. Context engineering: Shaping what the LLM sees on each request. The context is the program.
  6. Verification loop: Test harness, held-out test sets, regression checks after every change.

SBOM for AI. Just as every software dependency gets a security review, every AI instruction file, model, and tool in this stack needs verification — a Software Bill of Materials (SBOM) for your AI layer. Skilmo is that verification layer.

Operating principle

Context is the new source code. What you put into an LLM determines what comes out. Bad context produces bad output — reliably, at scale.

— from Skilmo's operating principles

02 · Supply Chain Poisoning

Your AI assistant executes instructions you've never read.

Dark skills spread like viruses — through the packages your team already trusts.

Every AI tool your team installs ships with instruction files — CLAUDE.md, AGENTS.md, system prompts, tool configurations. These files tell the AI assistant how to behave. When a compromised package lands in your dependency tree, its instruction files execute silently alongside your legitimate ones.

A well-meaning vendor ships a developer tool. The tool's CLAUDE.md contains hidden instructions injected by an attacker. Every developer on your team now has a compromised AI assistant — and no one triggered any security alert.

ATTACK CHAIN How supply-chain poisoning works

supply-chain-poisoning · trace
  1. Attacker publishes a popular-looking npm, PyPI, or Crates.io package.
  2. Package installs an instruction file (CLAUDE.md / .cursorrules) in the project directory.
  3. Instruction file contains hidden characters — zero-width Unicode (U+200B, U+200C) — invisible to humans, read by AI.
  4. Hidden instructions direct the AI to exfiltrate SSH keys, cloud credentials, or wallet seeds during normal tasks.
  5. Developer sees normal AI output; malicious actions run in the background.
  6. The instruction file propagates to every project using the package.
Dark skills (noun) · AI supply-chain security

Dark skills are AI instruction files — prompts, tool configs, skill definitions — running inside your organisation's LLM stack without IT knowledge or approval. Like unreviewed code dependencies, they execute with full context access. Unlike code dependencies, no scanner currently detects them by default.

Dark skills are also the primary vector for prompt injection — hidden instructions that hijack what the LLM does with legitimate user requests.

Reference. The TrapDoor campaign (May 2026) planted malicious instruction files across 34 packages on npm, PyPI, and Crates.io. Standard security scanners did not flag them.
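Step 3 of the attack chain above relies on characters that render as nothing. The check below is an added example written for this page, not Skilmo's audit tooling: it flags every Unicode format character (category Cf, which covers the zero-width characters, bidi overrides and the U+E0000 tag block) and any C0 control other than tab and newline in an instruction file, reports line and column, and can render the file with the hidden characters made visible for review. The sample CLAUDE.md content is constructed; the file-name list and the severity handling are assumptions.

```python
import os
import unicodedata

# Instruction files the scan looks for; assumed list, extend for your tooling.
INSTRUCTION_FILES = {"CLAUDE.md", "AGENTS.md", ".cursorrules"}
ALLOWED_CONTROLS = {"\t", "\n", "\r"}


def is_hidden(ch: str) -> bool:
    """True for characters that render as nothing or re-order text.
    All Cf (format) characters are flagged rather than a fixed list, so
    zero-width joiners, bidi controls and tag characters are all covered."""
    cat = unicodedata.category(ch)
    return cat == "Cf" or (cat == "Cc" and ch not in ALLOWED_CONTROLS)


def find_hidden_characters(text: str) -> list:
    """Return one finding per hidden character with its position and name."""
    findings = []
    # split on "\n" only: splitlines() would treat some Cc characters as
    # line breaks and silently drop them from the scan
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if is_hidden(ch):
                findings.append({
                    "line": lineno,
                    "col": col,
                    "codepoint": f"U+{ord(ch):04X}",
                    "name": unicodedata.name(ch, "<unnamed>"),
                    "category": unicodedata.category(ch),
                })
    return findings


def reveal(text: str) -> str:
    """Render the text with every hidden character as a visible escape."""
    out = []
    for ch in text:
        if is_hidden(ch):
            cp = ord(ch)
            out.append(f"\\u{cp:04x}" if cp <= 0xFFFF else f"\\U{cp:08x}")
        else:
            out.append(ch)
    return "".join(out)


def scan_tree(root: str) -> dict:
    """Walk a checkout, vendored dependencies included, and return
    {path: findings} for every instruction file containing hidden characters."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name in INSTRUCTION_FILES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = find_hidden_characters(fh.read())
                if findings:
                    report[path] = findings
    return report


# Constructed sample: an innocuous CLAUDE.md with three invisible characters
# appended to line 3 (zero-width space, zero-width non-joiner, RTL override).
SAMPLE_CLAUDE_MD = (
    "# Project conventions\n"
    "Use 4-space indentation and run the tests before committing.\n"
    "Prefer small, reviewable pull requests.\u200b\u200c\u202e\n"
)

if __name__ == "__main__":
    for f in find_hidden_characters(SAMPLE_CLAUDE_MD):
        print(f"line {f['line']} col {f['col']}: {f['codepoint']} {f['name']}")
    print(reveal(SAMPLE_CLAUDE_MD))
```

Two legitimate sources of hits to allowlist before treating a finding as a failure: a U+FEFF byte-order mark at offset 0 of a file, and U+200D inside emoji sequences. The scan only catches this one evasion technique; an instruction file whose malicious text is plain and readable still needs a human or classifier review.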

What Skilmo does

Dark Skills Audit

We inventory every instruction file in your AI stack, classify each as verified / unverified / risk-flagged, and deliver a structured report. It is the SBOM for your AI layer.

03 · Classifiers

A 125M-parameter classifier beats a 70B model at your specific task.

Fast, specialised, and yours. It runs locally. It doesn't phone home.

General-purpose LLMs are generalists. For specific, high-frequency tasks — detecting PII in documents, classifying intent in support tickets, routing Jira issues — a small fine-tuned classifier runs in under 5ms, outperforms the general model on your data, and costs nothing per call once deployed. You own it.

PIPELINE How training works

  1. Collect 200–400 labelled examples from your actual data (anonymised).
  2. Pre-process: normalise formats, handle edge cases, split into train / validation / test sets.
  3. Fine-tune on GPU — typically 7 iterations, each validated against a held-out test set.
  4. Early stopping prevents overfitting; the validation F1 score gates each iteration.
  5. Security audit: adversarial samples, edge-case stress test, output boundary checks.
  6. Deploy: the classifier runs in your Docker container, <5ms inference latency.
training-run · compute
Hardware: NVIDIA H100 (80GB HBM3), 3.5TB/s memory bandwidth  # the GPU that runs the training

A BERT-class NER fine-tune completes one iteration in ~6 GPU-hours.
Seven iterations → one validation-gated model.

Raw compute cost:  ~€180
The expertise is what costs.

Field notes — what we've learned

  • Models trained on your data outperform base Presidio by 15–40% on domain-specific identifiers.
  • The 6th and 7th iterations rarely improve F1 by more than 0.3% — they exist to confirm the plateau, not chase gains.
  • Overfit signals appear in iteration 4–5 if training data is too small; we stop and collect more rather than push through.
  • Hallucination rates on domain-specific entities drop sharply after fine-tuning — a general model invents plausible-looking employee IDs; the fine-tuned classifier flags them instead.

04 · Custom Vocabulary

Foundational models don't know your company's language.

Your internal vocabulary is PII.

Project codes map to client names. Ticket IDs map to employees. Workflow state labels reveal process context that regulators may classify as personal data. A foundational model that can't read your language can't protect it — it will hallucinate your identifiers, skip them, or pass them through unredacted.

Fine-tuning teaches the model your vocabulary. A labelled dataset of 100–300 examples and a LoRA adapter (Low-Rank Adaptation — a technique that modifies a small fraction of model weights without full retraining) are enough to make a general model domain-fluent on your specific patterns.

PATTERNS What custom detection covers

Custom pattern types Skilmo learns from your data

Pattern type | Example | Why it matters for PII
Ticket references | PROJ-2847, ZD-10293 | Often linked to named individuals in your CRM — not redacted by default.
Workflow state labels | AWAITING_GDPR_REVIEW, CLIENT_ESCALATED | Reveal process context; leaked with document metadata.
Internal codenames | Project Falcon, Client Amber | Resolve to real organisations in internal knowledge systems.
Custom ID formats | EMP-EST-0042, INV/2026/03/441 | Org-specific; no public training data exists for them.
State machine transitions | ONBOARDING→ACTIVE→SUSPENDED | Encode business logic; regulators may classify as personal data in context.

Technical note. Fine-tuning uses LoRA (Low-Rank Adaptation) — modifying a small fraction of a model's weights without retraining from scratch. A 7B model with a LoRA adapter fine-tuned on 300 examples runs on a single H100 in under 12 hours.

05 · PII Sanitisation

PII is the cornerstone — every request is a potential leak.

Once you've mapped your processes, the PII problem becomes obvious.

When you complete the process map from Section 01, one pattern appears in almost every workflow: personal data flows through the LLM request. Names, contract parties, employee IDs, health indicators — all in the context window, all transmitted to an external API endpoint outside EU jurisdiction.

Reversible anonymisation solves this without breaking the workflow. The AI receives sanitised text, produces a useful response, and your application receives the response with originals restored. The external model never sees real values.

FLOW How reversible anonymisation works

  1. Outbound: Skilmo replaces each PII span with a placeholder — [PERSON_1], [IBAN_1], [EE_ISIKUKOOD_1].
  2. Key storage: Mapping stored locally under a one-time session key — never transmitted.
  3. AI processing: The AI receives sanitised text and responds normally.
  4. Inbound: Skilmo restores the originals into the response before your application sees it.

COVERAGE Baltic & Nordic identifiers

Identifier coverage vs. standard tooling

Identifier | Standard tools | Skilmo
Estonian isikukood | ✗ missed | mod-11 validated
Latvian personas kods (2021 format) | ✗ old format only | post-2021 format
Lithuanian asmens kodas | ✗ missed | detected
Finnish henkilötunnus | ✗ missed | detected
Custom org identifiers | ✗ missed | via company.yaml

Compliance. Every sanitise operation writes a structured audit log entry. Exportable as JSON or CSV. Satisfies the GDPR Art. 30 processing-records requirement.

06 · Verification & Trust

LLMs drift. The context that worked last month may not work today.

Trust nothing, ship tested.

Models update without announcement. Regulatory guidance shifts. Attack patterns evolve. An AI deployment without a verification loop is a system you're flying blind. Every classifier we ship includes a test harness: held-out test sets, regression suites, adversarial samples for edge cases. When the underlying model updates, the test suite runs automatically. If F1 drops, we know before your users do.

STACK The verification loop

  • Held-out test set — 20% of training data reserved, never used in training, gates every iteration.
  • Regression suite — curated edge cases from production incidents, re-run after every change.
  • Adversarial samples — deliberately crafted inputs designed to fool the classifier, run before every deployment.
  • Drift monitoring — F1 score tracked over time; alerts when accuracy degrades past threshold.
  • Human audit checkpoint — Klaus Jõgi reviews outputs on every engagement before sign-off.
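The gating logic behind the held-out, adversarial and drift items above, and behind step 4 of the training pipeline in Section 03, as an added example that is not Skilmo's harness. Entity-level precision, recall and F1 are computed on exact span-plus-label matches, micro-averaged across a suite; early stopping declares a plateau when the last `patience` iterations fail to beat the previous best by `min_delta`; the release gate refuses to ship if the held-out F1 has drifted more than `max_drop` below the recorded baseline or if any adversarial case fails. The regex classifier, the labelled examples and the thresholds (0.003, 0.02) are constructed for the example.

```python
import re


def evaluate_suite(classifier, suite: list) -> dict:
    """Micro-averaged entity-level scores over (text, gold_spans) pairs.
    A prediction counts only if start, end and label all match."""
    tp = fp = fn = 0
    for text, gold in suite:
        pred = classifier(text)
        tp += len(gold & pred)
        fp += len(pred - gold)
        fn += len(gold - pred)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"precision": precision, "recall": recall, "f1": f1, "tp": tp, "fp": fp, "fn": fn}


def should_stop(f1_history: list, patience: int = 2, min_delta: float = 0.003) -> bool:
    """Early stopping on validation F1: stop when none of the last `patience`
    iterations improved on the best earlier score by more than `min_delta`."""
    if len(f1_history) <= patience:
        return False
    best_before = max(f1_history[:-patience])
    return all(f - best_before <= min_delta for f in f1_history[-patience:])


def drift_status(baseline_f1: float, current_f1: float, max_drop: float = 0.02) -> str:
    """Drift monitor: 'alert' once the held-out F1 falls more than max_drop below baseline."""
    return "alert" if baseline_f1 - current_f1 > max_drop else "ok"


def release_gate(classifier, held_out, adversarial, baseline_f1, max_drop=0.02) -> dict:
    """Run before deployment: held-out set guards against drift, the adversarial
    suite must pass completely (no false positives, no misses)."""
    held = evaluate_suite(classifier, held_out)
    adv = evaluate_suite(classifier, adversarial)
    drift = drift_status(baseline_f1, held["f1"], max_drop)
    ship = drift == "ok" and adv["fp"] == 0 and adv["fn"] == 0
    return {"held_out_f1": held["f1"], "adversarial": adv, "drift": drift, "ship": ship}


# Constructed stand-in for the classifier under test: tags PROJ-NNNN ticket refs.
def toy_ticket_classifier(text: str) -> set:
    return {(m.start(), m.end(), "TICKET_REF") for m in re.finditer(r"\bPROJ-\d{4}\b", text)}


# Constructed labelled examples: (text, set of (start, end, label)).
HELD_OUT = [
    ("Escalated PROJ-2847 to legal.", {(10, 19, "TICKET_REF")}),
    ("No tickets mentioned here.", set()),
]
ADVERSARIAL = [
    ("Ref PROJ-28471 is an invoice, not a ticket.", set()),  # five digits: must not match
    ("see proj-2847 for context", {(4, 13, "TICKET_REF")}),  # lower-case variant the toy misses
]

if __name__ == "__main__":
    print(release_gate(toy_ticket_classifier, HELD_OUT, ADVERSARIAL, baseline_f1=1.0))
    print(should_stop([0.70, 0.80, 0.85, 0.86, 0.861, 0.862]))
```

The toy classifier scores a perfect F1 on the held-out set and still fails the gate, because the adversarial suite holds a case it misses; that is the point of keeping adversarial samples separate from the held-out data rather than folding them into one average.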

Operating principle

You can't ship what you can't test. Untested AI output isn't finished — it's a confidence machine.

— from Skilmo's operating principles

REGULATED Why this matters

ISO 27001 Annex A.12 requires evidence of system testing and monitoring. GDPR Art. 32 requires appropriate technical measures. A test harness is not optional in regulated deployments — it is the evidence. Zero-trust architecture applied to AI means every model output is treated as untrusted until validated — the test harness is the trust gate.

Keeping a classifier current requires monitoring model updates, re-running test suites, and re-calibrating when accuracy drifts. Across multiple classifiers, multiple document types, and a changing regulatory landscape — this is a full-time function. We maintain it as part of every engagement.

We are ISO 27001 certified IT security auditors. We treat your AI stack like a software supply chain — every component verified, every instruction file accounted for. We sign off on deployments. If something we build introduces risk, we find it before it ships.

Start with a Dark Skills Audit

Low-commitment entry point. We inventory your AI instruction files and deliver a structured report.

Reference — Definitions & Technical Detail

FAQ

Each answer is written to stand alone as a complete definition.

What is PII (personally identifiable information)?

PII is any data that can identify a specific individual — name, email address, phone number, national ID, date of birth, passport number, financial account numbers, IP address, or any combination that makes a person identifiable. GDPR Recital 4 defines it as any information that directly or indirectly identifies a natural person.

What is reversible anonymisation?

Skilmo replaces each PII span in your text with a placeholder token such as [PERSON_1] or [EMAIL_ADDRESS_1]. The original values are stored locally under a one-time key. After your AI model responds, Skilmo substitutes the originals back into the response. The net effect: the AI never sees the real values, but your application receives a response with the originals restored.

What is MCP (Model Context Protocol)?

MCP is an open standard published by Anthropic for connecting AI assistants to external tools and data sources. Claude Code, Cursor, and Copilot can call MCP-compatible tools directly during a conversation. Skilmo exposes its PII sanitiser as two MCP tools — sanitize_pii and restore_pii — so AI coding assistants can redact and restore personal data without leaving the IDE.

What is Skilmo?

Skilmo is a local-first PII sanitiser for companies using Claude, GPT, or Gemini. It runs in Docker on a laptop or a server. Nothing leaves the building.

What PII does Skilmo detect?

Standard PII (email, phone, credit card, IBAN, IP address, national ID, date of birth, passport, URL, credentials), Baltic & Nordic identifiers (Estonian isikukood with mod-11 validation, Latvian personas kods, Lithuanian asmens kodas, Finnish henkilötunnus, Estonian company registration, Estonian IBAN), and organisation-specific identifiers (employee IDs, project codenames, client references) defined via company.yaml.

How is Skilmo different from Microsoft Presidio?

Skilmo builds on Presidio and adds: Baltic & Nordic personal identifier detection, a caller-carries-key API for reversible anonymisation, MCP tools for Claude Code, a GDPR-aligned audit log with recognizer metadata, a single zero-outbound Docker container, and a DPA backed by a human auditor.

Where is data sent?

Nowhere. Skilmo runs entirely inside your Docker container. Sanitised text flows out to your chosen AI provider; original PII is restored locally in the response.

Is Skilmo GDPR-compliant?

Skilmo helps you meet GDPR Articles 25, 30, and 32. Every sanitise operation produces a structured audit log entry; logs are exportable as JSON or CSV. Infopol OÜ is incorporated in Estonia (EU) and provides a standard Data Processing Agreement with every paid plan.