What it is
skillsec.io is a security scanner for AI-agent skill files (commonly named SKILL.md). It runs an open, heuristic ruleset against the content of a skill and returns a score plus a list of findings. The whole thing runs in-memory, per request - there is no database, no signup, no API key, and no payment.
Free
No account, no quota, no upsell. Paste, scan, share.
Open ruleset
Every detection is in the source tree. Audit our audits.
Instant
No queue, no callback. One HTTP round-trip per scan.
Coverage
The scanner is content-agnostic. It reads any plaintext file an AI coding agent might obey, including:
- Claude Code
SKILL.mdfiles - Cursor
.cursorrulesand.cursor/rules/*.md - GitHub Copilot
.github/copilot-instructions.mdand.github/instructions/*.md - OpenAI Codex / GPT custom instructions
- Gemini CLI
GEMINI.mdand prompts - Aider
CONVENTIONS.md - Continue.dev configs and rules
- Any other plaintext system prompt or agent instruction
The detection rules check for things like curl | sh, secret-shaped env var reads, and prompt-injection phrases. None of them care which agent the file was written for, the threats are the same across the board.
How it differs from a manual audit
Manual security audits are useful and we can't replace them. They're also expensive, slow, and opaque - a human-priced review by a security firm doesn't scale to the number of skills now being published every week. skillsec is the opposite trade-off:
| Manual audit | skillsec.io | |
|---|---|---|
| Turnaround | days–weeks | seconds |
| Cost | $$$ | free |
| Reproducible | depends on reviewer | deterministic |
| Transparent | report, not method | every rule is open |
| Depth | deep, contextual | heuristic, surface-level |
| Coverage at scale | bounded by humans | bounded by compute |
Use skillsec to triage and gatekeep. Use a manual audit for anything you'd trust with elevated privileges or a real user's data.
Open by default
We publish the threat model - every category we evaluate, the severity it can produce, and the scoring weights - on the methodology page. We do not publish the exact patterns: that would hand attackers the cheat sheet for evading the scanner. The source lives in the GitHub repository; if you think a category is missing or wrong, file an issue.
What we don't do
- We don't store the content you scan. We don't log it. We don't train on it.
- We don't require an account. There is no account.
- We don't guarantee correctness. Heuristic detectors are wrong sometimes - both false-positive and false-negative.
- We don't replace a human security review. Treat a clean skillsec score as a smoke test, not a clearance.