Security scanner · agent skills

Scan a skill before your agent runs it.

SkillSpector inspects AI agent skills for vulnerabilities, malicious patterns, and security risks, so an untrusted SKILL file never executes unchecked.

scan — agent-skill
# inspect a skill before install
$ skillspector scan ./suspicious-skill
HIGH  exfil: outbound POST to unknown host
HIGH  shell: unscoped rm on $HOME
LOW   prompt: hidden instruction override
PASS  manifest signature valid
3 findings · 2 high · illustrative output

// what it looks for

[vuln]

Vulnerabilities

Known-risky calls and unsafe file and network access buried in a skill's code.

[mal]

Malicious patterns

Exfiltration, destructive shell, and obfuscation signatures flagged before they run.

[inj]

Prompt risks

Hidden instruction overrides and injection bait inside skill text.