Skills Audit

Security scanner that audits AI agent skill files before installation. Detects credential theft, data exfiltration, dangerous commands, and obfuscation using pattern matching. Everything runs locally — no data leaves your machine.

When to Use

Before installing any new skill or MCP server, scan it first. This catches embedded secrets, reverse shells, data exfiltration endpoints, obfuscated payloads, and other threats that hide in skill files.

How to Run

Three input modes:

Scan a local file

python scripts/scan.py --file /path/to/SKILL.md

Fetch and scan a remote skill by URL