skillsec.io

Privacy

Last updated 2026-05-28

What we don't do

  • No accounts. There is no signup. We don't know who you are.
  • No cookies. We don't set any cookies. No session, no preferences, no consent banner needed.
  • No analytics. No Google Analytics, no Plausible, no Mixpanel, no Vercel Analytics. No third-party JavaScript runs in your browser from us.
  • No selling, sharing, or training. We don't sell data to third parties. We don't use your scan content to train models, ours or anyone else's.

What happens when you scan a skill

The skill content is parsed in memory by our scan API, evaluated against the heuristic ruleset, and discarded as soon as the response is returned. Nothing is written to disk on our infrastructure during a normal scan. Server logs are not enabled for the scan endpoint.

Share links

When you click Share this scan, the scan result (a JSON object containing the score, list of findings, and the skill's public metadata - name, description, license, lines, code blocks) is stored under a content-derived short hash in an Upstash Redis cache. This lets others view the same result by visiting /s/[hash].

  • The original skill content is not stored. Only the scan result.
  • For URL / GitHub scans, the resolved source URL is stored in the cached result so the share page can link back.
  • Entries expire automatically after 30 daysvia a Redis TTL. After that they're unrecoverable from our side.
  • Hashes are 8 hex characters - enough to make links un-guessable in practice but short enough to share. We don't index or enumerate them.

Data subject rights (GDPR)

Because we don't collect personal data, there's nothing to access, modify, or delete on your behalf. If you want a share link removed before its 30-day TTL, email hello@skillsec.io with the hash and we'll delete the cache entry.

Hosting

The site runs on Vercel (US/EU regions) and the share-link cache runs on Upstash Redis. Both providers see incidental request data (IP, user agent, timestamps) in their own infrastructure logs as part of normal operation; we don't access or correlate that.

Updates

This page is the source of truth. If we ever start collecting anything new, we'll say so here and update the date at the top.