Scan a GitHub Skill Free
Paste any GitHub repository URL. We'll fetch the skill, run the static analyzer, and report every finding. No account required.
What the scanner checks
Prompt injection
Hidden instructions, <IMPORTANT> tags, and stealth directives embedded in SKILL.md that hijack your agent.
Credential theft
References to ~/.ssh, .aws/credentials, env-var exfiltration, and token-stealing patterns.
Dangerous commands
Arbitrary shell execution, curl | sh patterns, obfuscated payloads, and network exfiltration.
Supply-chain risks
A bill of materials of every capability the skill requests. A tree hash cryptographically pins what you scanned.
One scan is just the start
Create a free account to save skills privately, get dual-side verification on shared skills, and scan every version you install.