Acceptable Use Policy

Effective date: 2026-03-14 Last updated: 2026-03-14

This policy defines what Users, Sellers, and Buyers may not upload, publish, distribute, install, run, or attempt to do through the Marketplace. Because the Marketplace distributes installable AI skills and operational bundles that can interact with local files, remote systems, APIs, browsers, databases, and privileged environments, this policy covers both harmful content and harmful use.

Terms used in this policy (Operator, Marketplace, Seller, Buyer, User, Listing, Skill Bundle, Entitlement, and others) have the meanings defined in our Shared Definitions and Terms of Service.

1. Scope

This policy applies to every person and entity that interacts with the Marketplace in any capacity. That includes Sellers who submit, update, or maintain Listings; Buyers who browse, download, install, or run Skill Bundles; Users who interact with the Website, Telegram Bot, Mini App, Seller console, Delivery endpoints, or related Marketplace systems; and visitors who submit requests or interact with support channels.

Importantly, this policy governs both what is uploaded to the Marketplace and how Users use the Marketplace and its content. A Seller who uploads a compliant Skill Bundle can still violate this policy through deceptive Listing descriptions. A Buyer who purchases a legitimate Skill Bundle can still violate this policy by using it for unlawful purposes. The Marketplace enforces this policy across the full lifecycle of content — from submission and moderation, through publication and delivery, to installation and runtime use.

2. Why We Enforce This Policy

The Marketplace distributes executable and semi-executable operational material — AI skills, automations, scripts, prompts, and configuration bundles. This creates a higher abuse surface than a standard content platform. This policy exists to protect:

Buyers from unsafe, deceptive, or harmful Listings
Sellers from theft, impersonation, and bad-faith redistribution
Third-party services and infrastructure from abuse through Marketplace-distributed content
The Marketplace from platform enforcement actions, legal claims, and security incidents

Moderation is an integrity function. We enforce this policy to maintain trust, not to exercise arbitrary censorship.

3. Core Rules

Every User of the Marketplace must use it only for lawful purposes and in good faith. You may not use the Marketplace to facilitate unauthorized access to any system, to commit or assist fraud, or to deceive other Users, third parties, or the Operator. You may not upload or distribute content that you do not have the right to provide — whether because it infringes someone else's intellectual property, violates a confidentiality obligation, or is otherwise unlawfully obtained. You may not interfere with the normal operation of the Marketplace, its Users, or any third-party system, and you may not attempt to bypass access controls, licensing limits, moderation decisions, or account restrictions imposed by the Operator.

Because the Marketplace distributes installable Skill Bundles that can interact with a Buyer's local environment, there is a specific transparency obligation for Sellers: every Skill Bundle must be described truthfully in its Listing. Sellers must not conceal risky behavior, elevated privileges, external network connections, data collection, persistence mechanisms, or other capabilities that a reasonable Buyer would need to understand before installing or running the bundle. This transparency requirement is the foundation of trust in the Marketplace and is enforced through the privilege model described in Section 6.

4. Prohibited Content

The following categories of content are prohibited on the Marketplace. Violations are classified by severity level (see Section 10 for the enforcement framework).

4.1. Malware and Hostile Code — Severity: Critical

Malware, spyware, ransomware, rootkits, or destructive scripts
Credential harvesters, keyloggers, or token stealers
Hidden persistence mechanisms (adding to agent autostart, modifying system startup, creating hidden scheduled tasks)
Packages that install or execute code without the Buyer's knowledge or consent
Hidden auto-update mechanisms that download and execute new code without disclosure

4.2. Unauthorized Access and Exploitation Tools — Severity: Critical

Skill Bundles designed for unauthorized access, exploit delivery, brute-force attacks, phishing, or account takeover
Tools or instructions primarily intended for security bypass of systems the user does not own or have authorization to test
Payloads designed for lateral movement, privilege escalation, or persistence in unauthorized environments

Note: Legitimate security-research, penetration-testing, and red-team tools are permitted only if clearly labeled as such, limited to authorized-use scenarios, and accompanied by appropriate disclosure. See Section 6.

4.3. Supply-Chain Attacks — Severity: Critical

Manifests or install scripts referencing typosquatting packages (packages with names designed to mimic legitimate dependencies)
Dependencies sourced from unverified or attacker-controlled registries or URLs
Post-install hooks, scripts, or mechanisms that fetch and execute arbitrary remote code during or after installation
Hidden remote payloads: Skill Bundles that appear self-contained but download or execute additional code from external sources without disclosure

4.4. AI-Specific Abuse — Severity: Critical to High

Prompt injection bundles: Skill Bundles containing prompts or instructions designed to inject commands into the Buyer's LLM runtime, hijack agent behavior, or override safety controls
Jailbreak and safety-bypass content: Skills designed to circumvent content filtering, safety alignment, or usage restrictions of AI providers (including but not limited to OpenAI, Anthropic, Google, and others)
Side-channel exfiltration: Skills that exploit agent capabilities (tool-calling, markdown rendering, MCP servers, browser automation) to exfiltrate data from the Buyer's environment to external servers
Deceptive agent manipulation: Skills that misrepresent their behavior to the host agent runtime — e.g., claiming to perform one action while executing another

4.5. Credential and Secret Theft — Severity: Critical

Content that facilitates theft or unauthorized collection of passwords, API keys, tokens, cookies, session data, or private keys
Skills designed to scrape, intercept, or exfiltrate credentials from the Buyer's environment
Bundles that embed, expose, or transmit third-party secrets

4.6. Unauthorized Data and Privacy Violations — Severity: High

Unlawfully obtained datasets, documents, or code
Content that exposes personal data, confidential business information, or third-party secrets without authorization
Skill Bundles containing scraped personal data (names, emails, phone numbers, etc.) obtained without the data subjects' consent
Content that enables mass surveillance, profiling, or tracking of individuals based on protected characteristics

4.7. Intellectual Property Violations — Severity: High

Infringing copies of existing Skill Bundles, repositories, documentation, prompts, screenshots, or branding
Listings that remove or obscure required attribution, license terms, or copyright notices from Third-Party Materials or Open-Source Components
Content that violates open-source license obligations (including copyleft requirements)
Impersonation of another Seller, publisher, brand, or official source

See also the IP/Takedown Policy for the complaint and counter-notice process.

4.8. Deceptive Listings and Commercial Fraud — Severity: High

Materially misleading compatibility claims, fake functionality descriptions, or hidden prerequisites
Fake Seller identity, fake authorship claims, or misrepresented affiliations
Review manipulation, fake download counts, or coordinated reputation schemes
Undisclosed paid dependencies presented as included functionality
Dark patterns in Skills that manipulate end-user behavior (hidden opt-outs, deceptive UX for the Buyer's customers)

4.9. Harmful Automation and Third-Party ToS Violations — Severity: Medium to High

Skills whose primary function is to violate the Terms of Service of third-party platforms (e.g., mass-scraping social media, bypassing rate limits, automating actions prohibited by the target platform)
Deceptive automation that impersonates human users on third-party services without disclosure
Tools designed for mass unsolicited messaging, spam, or platform manipulation

Note: Legitimate automation, integration, and scraping tools are permitted when used for lawful purposes with appropriate authorization. The prohibition targets Skills that are designed or marketed for unauthorized use.

4.10. Discriminatory and High-Risk AI — Severity: Medium to High

Skills that automate discriminatory decision-making based on protected characteristics (race, gender, religion, disability, etc.) in areas such as hiring, lending, housing, or law enforcement
Skills designed to intentionally amplify bias in AI systems
Skills designed for mass profiling or surveillance of specific population groups

4.11. Deepfake, Social Engineering, and Fraud Tools — Severity: High

Skills designed to generate deepfake content for deception, impersonation, or non-consensual purposes
Tools that automate social-engineering attacks (pretexting, phishing campaigns, vishing scripts)
Skills for financial fraud: pump-and-dump automation, crypto wallet phishing, market manipulation bots, or fraudulent transaction generation

4.12. Sanctions, Export Controls, and Legal Restrictions — Severity: Critical

Content that violates applicable sanctions, export controls, or trade restrictions
Skills distributed to or designed for use by sanctioned entities

4.13. Catch-All

The categories above are not exhaustive. Content that is unlawful, harmful, or unsafe in ways not specifically enumerated may still be removed or restricted under this policy. Abuse patterns evolve, and new categories of harmful content may emerge that are not yet reflected in this document. When we invoke this catch-all provision, we will provide the affected party with a specific statement of reasons explaining why the content was restricted and which policy principles it violated (see Section 10). To prevent arbitrary enforcement, catch-all actions require review by at least two team members before enforcement action is taken, as described in Section 10.

5. Prohibited Conduct

The following actions by Users are prohibited, regardless of the content involved:

Redistribution: Using Buyer access to redistribute paid Skill Bundles publicly or resell them outside permitted licensing
Scraping and exfiltration: Scraping or exfiltrating protected Marketplace data beyond allowed use
Abuse of automation: Automating access in ways that overload the Marketplace or bypass rate limits or permissions
Evasion: Evading bans, suspensions, moderation flags, or Listing removals (including re-registering under new identities)
Reputation manipulation: Manipulating reviews, ratings, downloads, Seller reputation, or moderation outcomes
Unauthorized testing: Probing for vulnerabilities in the Marketplace or related infrastructure without authorization
Coordination of harm: Using the Marketplace to direct or coordinate unlawful operations
Buyer misuse of legitimate Skills: Using a lawfully purchased Skill Bundle for purposes that are themselves unlawful (e.g., using a legitimate scraping tool for unlawful data collection, or using an automation tool to violate third-party Terms of Service)

6. Skill Privilege Model and Disclosure Requirements

Skill Bundles may request or require different levels of system access. Sellers must disclose the privilege level required by their Skill Bundle in the Listing metadata. The following privilege levels are defined:

Privilege Level	Description	Disclosure Requirement
Sandboxed	No filesystem, shell, network, or external access. Operates within the agent's conversation context only.	Minimal — default assumption
Filesystem (Read)	Reads local files or directories	Must disclose which paths/patterns are accessed and why
Filesystem (Write)	Creates, modifies, or deletes local files	Must disclose what is written, where, and why
Shell	Executes shell commands or spawns processes	Must disclose what commands are run and why
Network	Makes outbound HTTP/API requests or connects to external services	Must disclose all external endpoints, the data transmitted, and why
Browser/Session	Accesses browser sessions, cookies, or web automation	Must disclose what browser actions are taken and what data is accessed
Database	Connects to or queries databases	Must disclose what databases, what queries, and what data is accessed
Admin/Production	Requires elevated or production-level access to infrastructure	Requires enhanced moderation review before publication

Disclosure rules

Sellers must accurately declare the highest privilege level required by their Skill Bundle
Undisclosed privilege escalation (a Skill requesting access beyond what is declared) is a policy violation
Skills at the Shell, Network, Browser/Session, Database, or Admin/Production level are subject to enhanced moderation review
Skills must not modify the configuration of other installed Skills, the host agent, or the agent runtime without explicit disclosure and Buyer consent

Persistence and auto-update rules

Skills must not add themselves to agent autostart, scheduled tasks, or system startup without clear disclosure
Skills must not modify the host agent's configuration, other Skills' settings, or runtime behavior without explicit Buyer consent
Auto-update mechanisms that download new code must be disclosed in the Listing and require Buyer opt-in

7. Rules for Seller Submissions

Every Listing submitted to the Marketplace must meet the following requirements before publication. Sellers bear primary responsibility for the legality, accuracy, and safety of their content, consistent with the intermediary marketplace model described in Section 6 of the Terms of Service.

Rights and authorization. Sellers must own or control the rights needed to publish the Skill Bundle and all associated Listing materials, including screenshots, documentation, prompts, and branding. Where the Skill Bundle includes Third-Party Materials or Open-Source Components, the Seller must comply with the applicable license terms and list all such components with their respective licenses in the Skill Bundle's Manifest. See the Seller Terms for detailed obligations regarding intellectual property representations.

Truthful disclosure. Sellers must disclose material compatibility limits, prerequisites, risk factors, and paid dependencies. They must accurately declare the Skill's privilege level per Section 6 of this policy and disclose all external endpoints and services the Skill connects to. Sellers must not hide dangerous or undisclosed behavior in scripts, manifests, prompts, or instructions — what the Skill actually does must match what the Listing says it does.

Prohibited inclusions. Sellers must not include third-party secrets, customer data, or internal company material without proper authorization. They must not embed live credentials, production configurations, or personal data in any part of the Skill Bundle or Listing (see Section 8).

Identity and affiliation. Sellers must not misrepresent their authorship, professional affiliation, certifications, or any form of Marketplace endorsement. Claiming official partnership with or endorsement by the Operator without authorization is a policy violation.

Licensing. All Listings must comply with the standard Buyer License or an approved custom license path, as described in the Seller Terms.

The Marketplace may request clarification, supporting evidence, or package changes before approving any Listing. Listings that do not meet these requirements may be held from publication, returned for revision, or removed after publication if issues are discovered later.

8. Security, Secrets, and Sensitive Data

Because Skill Bundles are operational artifacts that may be installed into sensitive environments, the Marketplace enforces strict rules around credentials, secrets, and personal data. These rules apply to all parts of a Listing and Skill Bundle, including code, configuration files, documentation, screenshots, prompts, sample data, and installation instructions.

Credentials and secrets. Sellers must not upload live credentials, private keys, .env files, customer data exports, or production configuration files. Tokens, API keys, and secrets must not be embedded in any part of the Skill Bundle or Listing materials — including in sample configurations, documentation examples, or screenshots. If a Skill Bundle requires the Buyer to provide their own credentials, the Listing must explain this requirement clearly and the Skill must handle those credentials securely (e.g., reading from environment variables rather than hardcoded values).

Personal data. Sellers must not bundle personal data of third parties (names, email addresses, phone numbers, behavioral data, or other personally identifiable information) obtained without the data subjects' consent or another valid legal basis. This prohibition applies regardless of whether the data was obtained through scraping, data purchases, leaked databases, or any other means. See also Section 4.6 (Unauthorized Data and Privacy Violations) and the Privacy Policy.

Security controls. Sellers must not instruct Buyers to disable security controls, antivirus software, firewall rules, or agent sandboxing without strong justification that is clearly disclosed in the Listing before purchase. Any instruction to weaken a Buyer's security posture must be accompanied by a specific explanation of why it is necessary and what risks it introduces.

Marketplace scanning and enforcement. The Marketplace reserves the right to scan, quarantine, reject, or remove content that appears to contain secrets, unsafe code patterns, or embedded credentials. Detected secrets trigger an immediate review under the urgent triage timeline described in Section 10 (within 4 hours during business hours). The Marketplace may also implement automated scanning for known malware signatures, suspicious URLs, and credential patterns as part of the Listing review process.

9. Reporting Violations

How to report

Email: [email protected]
Telegram: t.me/latand
Security vulnerabilities: [email protected] — mark subject as URGENT - SECURITY

What to include in a report

Your name and contact information
The Listing ID, URL, or Seller handle of the content in question
A description of the violation and the policy section you believe is violated
Supporting evidence (screenshots, logs, links, or technical details)
Whether the issue is urgent (active harm, credential exposure, malware)

IP and impersonation complaints

For intellectual property infringement, trademark misuse, or impersonation complaints, follow the structured notice process in the IP/Takedown Policy.

Response timing

Action	Target
Acknowledgement of receipt	1 business day
Urgent triage (malware, secrets, active harm)	4 hours (business hours)
Ordinary review	5–10 business days

These targets are consistent with the IP/Takedown Policy response times.

10. Enforcement Framework

Severity levels

Violations are classified into four severity levels. The severity determines the speed of response and the range of enforcement actions.

Severity	Description	Response time	Examples
Critical	Active harm, security threat, or clear illegality	Immediate action (within 4 hours during business hours)	Malware, credential theft, supply-chain attacks, prompt injection, leaked secrets, sanctions violations
High	Significant risk of harm, deception, or rights violation	Action within 1–3 business days	IP infringement, deepfake/fraud tools, deceptive listings, unauthorized data exposure, AI safety bypass
Medium	Policy violation with limited immediate harm	Action within 5–10 business days	Third-party ToS violations, discriminatory AI tools, undisclosed privilege escalation, incomplete disclosures
Low	Minor or technical policy non-compliance	Notice to cure within 10 business days	Minor metadata issues, incomplete Manifests, missing attribution for properly licensed content

Enforcement actions

Based on severity and context, we may take one or more of the following actions:

Action	When used
Notice to cure	Low/Medium severity — Seller is given an opportunity to fix the issue within a specified period
Listing edit request	The Listing needs specific changes (disclosure additions, metadata corrections) before it can remain published
Listing unlisting	The Listing is removed from search and browse but the Seller can still access it for editing
Listing removal	The Listing and its Delivery endpoints are fully disabled
Download suspension	Delivery is disabled while the Listing remains visible with a notice
Seller warning	A formal warning is recorded on the Seller's account
Publishing restriction	The Seller cannot publish new Listings until the issue is resolved
Account suspension	Temporary suspension of all Seller access
Account termination	Permanent removal of the Seller from the Marketplace
Evidence preservation	Logs, package archives, and Listing snapshots are preserved per the evidence retention rules in the IP/Takedown Policy, Section 7
External cooperation	Cooperation with platform providers, hosting providers, rights holders, or legal authorities as required

Escalation

Critical-severity violations may be escalated to the security team immediately, without waiting for a moderation review cycle
Repeat violations result in escalating enforcement (warning → restriction → suspension → termination)
Catch-all enforcement (Section 4.13) requires review by at least two team members before action is taken

Evidence preservation

Evidence preservation for enforcement actions follows the same rules defined in the IP/Takedown Policy, Section 7:

Preserved artifacts: original package archive, Listing snapshot, correspondence, access logs, moderation records, and change history
Retention period: 3 years after final resolution
Integrity handling: hashing and access logging for cases that may escalate to litigation; timestamped snapshots for routine cases

11. Appeals

Sellers and Users who receive enforcement action under this policy may appeal.

How to appeal

Send an appeal to [email protected] with:

The Listing ID or account affected
The enforcement action you are contesting
A specific explanation of why you believe the action was incorrect
Supporting evidence

Appeal timeline

Appeals must be submitted within 10 business days of receiving notice of the enforcement action
We will respond within 5 business days
These deadlines are consistent with the IP/Takedown Policy counter-notice deadlines

DSA compliance (EU Users)

For EU Users, the appeal process is mandatory under DSA Article 20:

Appeals are free of charge
Available for at least 6 months after the decision
We provide a statement of reasons for each enforcement decision, including the legal or contractual ground, relevant facts, and information about redress options
We inform affected parties about certified out-of-court dispute settlement bodies (DSA Article 21)

Limitations

Appeals may be denied where the violation involved Critical-severity content (malware, credential theft, active security threats) and the safety concern remains unresolved. In such cases, we will explain our reasoning.

12. Relationship to Other Policies

Policy	Relationship
Terms of Service	AUP violations may constitute a breach of the Terms. Account termination is governed by the Terms.
Seller Terms	Sellers agree to comply with this policy. The disclosure requirements in Section 6 supplement the Seller Terms obligations.
IP/Takedown Policy	IP violations (Section 4.7) follow the complaint and counter-notice process in the IP/Takedown Policy. Severity levels, appeal deadlines, and evidence preservation rules are aligned across both documents.
Buyer License	Buyer misuse (Section 5) may also violate the Buyer License terms.
Privacy Policy	Violations involving personal data (Section 4.6, Section 8) may engage privacy obligations. Evidence retention exceptions are disclosed in the Privacy Policy.
Refund Policy	If a Listing is removed for AUP violations, refund eligibility for affected Buyers is governed by the Refund Policy.

13. Policy Updates

This policy may be updated as the Marketplace evolves and as new abuse patterns, regulatory requirements, or platform capabilities emerge. The current version date is shown at the top of this document. When we make material changes — such as adding new prohibited content categories, changing severity classifications, or modifying the enforcement framework — we will communicate those changes through the Website, Telegram Bot, or Seller account notification channels where feasible. We aim to provide reasonable advance notice of material changes, but reserve the right to make immediate changes where necessary to address urgent safety, security, or legal requirements. Continued use of the Marketplace after changes are published constitutes acceptance of the updated policy.

Contact

For abuse reports: [email protected] For general inquiries: [email protected] For legal correspondence: [email protected] Telegram: t.me/latand

*Last updated: 2026-03-14*