Skillaudit

Created By

megamind-0xa month ago

Security scanner for AI agent skills. Detects credential theft, data exfiltration, prompt injection, reverse shells, dangerous capability combos, and hardcoded secrets. 14 rules, 80+ patterns, 22 secret detectors. Free API + CLI (npx skillaudit). Built by an AI agent.

# security

# scanning

Overview Content Tools Comments

Overview

🛡️ SkillAudit

The security layer for AI agent skills. Scan, gate, and enforce policy before your agent installs anything.

32 detection rules · 289 patterns · MCP + A2A coverage · Zero dependencies

# Gate check — should my agent install this?
npx skillaudit gate https://example.com/SKILL.md

# Full scan
npx skillaudit https://example.com/SKILL.md

# Scan MCP manifest for schema poisoning
npx skillaudit manifest tools.json

Why SkillAudit?

AI agents install tools, skills, and MCP servers from untrusted sources. Those skills can steal credentials, exfiltrate data, inject prompts, or manipulate other agents — and most of this is invisible to the user.

SkillAudit catches it. One API call before install. That's it.

Quick Start

1. Gate Check (one line)

The infrastructure endpoint. Returns allow/deny.

curl "https://skillaudit.vercel.app/gate?url=https://example.com/SKILL.md"
# → {"allow": true, "decision": "allow", "risk": "clean", ...}

2. Full Scan

curl "https://skillaudit.vercel.app/scan/quick?url=https://example.com/SKILL.md"

3. Bulk Gate (check multiple skills at once)

curl -X POST https://skillaudit.vercel.app/gate/bulk \
  -H "Content-Type: application/json" \
  -d '{"urls": ["https://example.com/skill1.md", "https://example.com/skill2.md"]}'
# → {"allow": false, "denied": 1, "blocked": [...]}

4. Policy Enforcement

curl -X POST https://skillaudit.vercel.app/policy/evaluate-inline \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://example.com/SKILL.md",
    "policy": {"maxRisk": "low", "blockedCategories": ["credential_theft"]}
  }'

What It Detects

32 rule categories, 289 patterns:

Category	Rules	What it catches
🔑 Credential Theft	`CRED_ENV_READ`, `TOKEN_STEAL`	Reading .env, stealing tokens/cookies, accessing SSH keys
📤 Data Exfiltration	`DATA_EXFIL`, `EXFIL_PATTERN`, `EXFIL_COVERT`	Webhook.site, DNS exfil, covert channels, image beacons
💉 Prompt Injection	`PROMPT_INJECT`, `TOOL_POISONING`	"Ignore previous instructions", hidden system prompts
🧬 MCP Schema Poisoning	`MCP_SCHEMA_POISON`	Hidden instructions in MCP tool descriptions/schemas
🤖 A2A Attacks	`A2A_AGENT_IMPERSONATION`, `A2A_TASK_HIJACK`, `A2A_CROSS_AGENT_INJECT`, `A2A_DATA_LEAK`, `A2A_CAPABILITY_ABUSE`	Agent Card spoofing, task hijacking, cross-agent injection
🐚 Code Execution	`SHELL_EXEC`, `REVERSE_SHELL`	Shell commands, reverse shells, eval/Function
🔐 Hardcoded Secrets	22 detectors	AWS keys, GitHub tokens, JWTs, private keys, API keys
👻 Obfuscation	`OBFUSCATION`, `INVISIBLE_TEXT`	Base64 payloads, zero-width Unicode, encoded URLs
⏰ Evasion	`TIME_BOMB`	Date-triggered activation, delayed execution
🔗 Supply Chain	`SUPPLY_CHAIN`	Remote code loading, curl\|bash, dependency confusion
🌐 Network	`NET_SUSPICIOUS`, `SSRF_PATTERN`, `DNS_REBIND`	SSRF, raw IPs, DNS rebinding, metadata endpoints
📦 Container Escape	`CONTAINER_ESCAPE`	Docker socket, nsenter, /proc traversal, LD_PRELOAD
🔄 Persistence	`PERSISTENCE`	Cron injection, systemd, LaunchAgents, pm2, nohup
🕵️ Recon	`ENV_RECON`	os.hostname, whoami, network interfaces, environment dump
🔧 Agent Manipulation	`AGENT_MEMORY_MOD`, `TOOL_SHADOW`, `CROSS_TOOL_ACCESS`	Memory modification, tool shadowing, cross-tool data access
💰 Crypto Theft	`CRYPTO_THEFT`	Wallet files, seed phrases, MetaMask vaults

Smart context suppression: documentation examples and placeholder tokens are automatically suppressed to minimize false positives.

CLI

Zero install, zero config. Requires Node.js 18+.

# Scan a file, URL, or directory
npx skillaudit SKILL.md
npx skillaudit https://github.com/user/repo
npx skillaudit ./my-agent-project/

# Gate check (CI/CD: exit 0 = allow, exit 1 = deny)
npx skillaudit gate https://example.com/SKILL.md
npx skillaudit gate https://example.com/SKILL.md --threshold high

# Scan MCP manifest for schema poisoning
npx skillaudit manifest tools.json

# CI/CD integration
npx skillaudit SKILL.md --fail-on moderate          # Exit 1 if risk >= moderate
npx skillaudit SKILL.md --markdown >> "$GITHUB_STEP_SUMMARY"  # PR summary
npx skillaudit SKILL.md --json | jq .riskLevel      # Machine-readable

# MCP server mode
npx skillaudit --mcp

API Endpoints

Full interactive docs at skillaudit.vercel.app/docs

Gate (Infrastructure)

Endpoint	Description
`GET /gate?url=`	Pre-install gate — allow/warn/deny
`POST /gate/bulk`	Check multiple skills, one composite decision

Scanning

Endpoint	Description
`GET /scan/quick?url=`	Quick scan by URL
`POST /scan/content`	Scan raw content
`POST /scan/manifest`	Scan MCP tool manifest for schema poisoning
`GET /scan/agent-card?url=`	Scan A2A Agent Card
`GET /scan/npm?package=`	Scan npm package
`GET /scan/pypi?package=`	Scan PyPI package
`GET /scan/repo?repo=`	Scan GitHub repo
`POST /scan/deps`	Scan dependency tree
`POST /scan/batch`	Batch scan (up to 20 URLs)
`POST /scan/compare`	Diff two skill versions
`POST /scan/deep`	Deep scan with threat chains

Policy & Intelligence

Endpoint	Description
`POST /policy/evaluate-inline`	Evaluate against custom policy (no auth)
`POST /policy`	Create stored policy (API key)
`GET /reputation/:domain`	Domain trust score
`GET /feed`	Threat intelligence feed
`GET /badge/scan.svg?url=`	Embeddable SVG badge
`GET /certificate/:id`	Signed audit certificate

Results

Endpoint	Description
`GET /scan/:id`	Retrieve scan result
`GET /scan/:id/sarif`	SARIF v2.1.0 output
`GET /report/:id`	Shareable HTML report

Rate limit: 30 req/min per IP. Bypass with API key.

MCP Server

Use SkillAudit as a native tool in Claude Desktop, Cursor, or any MCP client:

{
  "mcpServers": {
    "skillaudit": {
      "command": "npx",
      "args": ["skillaudit", "--mcp"]
    }
  }
}

Tools: skillaudit_gate, skillaudit_scan, skillaudit_scan_content, skillaudit_reputation, skillaudit_batch

GitHub Action

name: SkillAudit
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npx skillaudit . --fail-on high --markdown >> "$GITHUB_STEP_SUMMARY"

CI/CD Integration

# GitHub Actions — gate check before deploy
npx skillaudit gate "$SKILL_URL" --threshold moderate || exit 1

# Generate PR comment
npx skillaudit ./skills/ --markdown > scan-results.md

# Policy enforcement in pipeline
curl -sf -X POST https://skillaudit.vercel.app/policy/evaluate-inline \
  -H "Content-Type: application/json" \
  -d "{\"url\": \"$SKILL_URL\", \"policy\": {\"maxRisk\": \"low\"}}" \
  | jq -e '.pass == true'

Risk Levels

Level	Score	Meaning
🟢 `clean`	0	No issues found
🟡 `low`	1–9	Minor concerns, review recommended
🟠 `moderate`	10–24	Manual review required
🔴 `high`	25–49	Do NOT install without audit
⛔ `critical`	50+	Almost certainly malicious

Self-Hosted

git clone https://github.com/megamind-0x/skillaudit
cd skillaudit && npm install && npm start
# → http://localhost:3847

Built by Megamind_0x 🧠

Live App · API Docs · Dashboard · npm

Server Config

{
  "mcpServers": {
    "skillaudit": {
      "command": "npx",
      "args": [
        "skillaudit"
      ]
    }
  }
}

Recommend Servers

TraeBuild with Free GPT-4.1 & Claude 3.7. Fully MCP-Ready.

BlenderBlenderMCP connects Blender to Claude AI through the Model Context Protocol (MCP), allowing Claude to directly interact with and control Blender. This integration enables prompt assisted 3D modeling, scene creation, and manipulation.

Howtocook Mcp基于Anduin2017 / HowToCook （程序员在家做饭指南）的mcp server，帮你推荐菜谱、规划膳食，解决“今天吃什么“的世纪难题； Based on Anduin2017/HowToCook (Programmer's Guide to Cooking at Home), MCP Server helps you recommend recipes, plan meals, and solve the century old problem of "what to eat today"

MCP AdvisorMCP Advisor & Installation - Use the right MCP server for your needs

MiniMax MCPOfficial MiniMax Model Context Protocol (MCP) server that enables interaction with powerful Text to Speech, image generation and video generation APIs.

WindsurfThe new purpose-built IDE to harness magic

DeepChatYour AI Partner on Desktop

Visual Studio Code - Open Source ("Code - OSS")Visual Studio Code

Zhipu Web SearchZhipu Web Search MCP Server is a search engine specifically designed for large models. It integrates four search engines, allowing users to flexibly compare and switch between them. Building upon the web crawling and ranking capabilities of traditional search engines, it enhances intent recognition capabilities, returning results more suitable for large model processing (such as webpage titles, URLs, summaries, site names, site icons, etc.). This helps AI applications achieve "dynamic knowledge acquisition" and "precise scenario adaptation" capabilities.

Baidu Map百度地图核心API现已全面兼容MCP协议，是国内首家兼容MCP协议的地图服务商。

Playwright McpPlaywright MCP server

Y GuiA web-based graphical interface for AI chat interactions with support for multiple AI models and MCP (Model Context Protocol) servers.

Tavily Mcp

AiimagemultistyleA Model Context Protocol (MCP) server for image generation and manipulation using fal.ai's Stable Diffusion model.

EdgeOne Pages MCPAn MCP service designed for deploying HTML content to EdgeOne Pages and obtaining an accessible public URL.

Serper MCP ServerA Serper MCP Server

ChatWiseThe second fastest AI chatbot™

CursorThe AI Code Editor

RedisA Model Context Protocol server that provides access to Redis databases. This server enables LLMs to interact with Redis key-value stores through a set of standardized tools.

Jina AI MCP ToolsA Model Context Protocol (MCP) server that integrates with Jina AI Search Foundation APIs.

Amap Maps高德地图官方 MCP Server