Realtime analysis to secure your AI use

Scan AI agent skills for hidden threats

Paste a SKILL.md, .cursorrules, or any agent instruction file, and get a verdict in seconds. We read what your coding agent is about to obey (prompt injection, credential theft, command injection) before it runs in your editor.

Dozens of detection patterns · Many threat categories · Works with 7+ AI coding agents

Works with: Claude Code · Cursor · GitHub Copilot · OpenAI Codex · Gemini CLI · Aider · Continue.dev

We resolve SKILL.md from the default branch or the path you provide.

Runs in-memory · content never stored · 10s timeout · Max 1 MB

01 / What we catch

Eight categories. No regex on display.

We tell you what we look for. We do not publish the patterns themselves; that would just be a tutorial for the people writing the skills we are trying to catch.

Command Injection

Shell-out instructions, curl | sh patterns, eval'd inputs, and quietly disabled safety prompts.

Credential Access

Reads of ~/.aws, .env, SSH keys, browser keychains, or anything that ships secrets out of the box.

Suspicious Network

Pipe-to-shell installs, reverse-shell signatures, and outbound HTTP to hosts off the allowlist.

Obfuscation

Base64-wrapped payloads, encoded blobs near decoders, zero-width text, hidden instructions.

Prompt Injection

Hidden instructions, role overrides, jailbreak strings, conditional payloads triggered by context.

Path Traversal

Multi-segment ../ paths, reads of /etc/passwd, /proc, and other privileged system files.

Unsafe Deserialization

Pickle, yaml.load, Marshal.load, PHP unserialize, and similar one-line RCE primitives.

Host Agent Credential Exfiltration

Reads of host-agent config (Claude, Cursor, Copilot) and provider API keys.

02 / How it works

Three steps. No account required.

The whole scanner is one HTTP request. Paste your skill, get a verdict, walk away. Nothing is written to disk on our side.

/ 01 . Paste

Drop in a skill

Paste the markdown, point at a GitHub blob, or give us a raw URL. We accept anything an agent would accept.

/ 02 . Parse

Read the way an agent would

We tokenize, decode obfuscation layers, and walk the document the way a coding agent would interpret instructions.

/ 03 . Verdict

Score with reasons

One risk number, every finding by severity, plus the quoted line of source so you can verify with your own eyes.

Example output (demo)

High risk · 72 / 100 risk

Example score for a skill with prompt injection + credential access findings.

  • high · Credential Access · line 14
  • high · Prompt Injection · line 22
  • medium · Suspicious Network · line 31

03 / Why open

An open scanner you can use without asking for a meeting.

Most supply-chain security tools want a logo deal before they let you upload a file. We are going the other way: instant verdicts, no signup, public taxonomy, auditable runtime.

  • Free for everything humans paste. Rate-limited for everything robots paste.
  • Open methodology. Every detector category, severity rubric, and false-positive note is documented.
  • Stateless by design. Your skill content is parsed in-memory and discarded. No logs of file contents, ever.

                    Manual audits     skillsec.io
Time to verdict     2 to 5 days       ~ 800ms
Signup required     SOC2, contract    none
Stores your skill   yes               no
Methodology         redacted          public
Cost                $$$ / seat        $0