扫码联系在线客服Skill Security Scanner
Scan skills for malicious patterns before installation. Detects credential exfiltration, suspicious network calls, obfuscated code, prompt injection, and other red flags.
Quick Start
# Scan a local skill folder
python3 scripts/scan.py /path/to/skill
# Verbose output (show matched lines)
python3 scripts/scan.py /path/to/skill --verbose
# JSON output (for automation)
python3 scripts/scan.py /path/to/skill --json
Workflow: Scan Before Install
- Download or locate the skill folder
- Run
python3 scripts/scan.py <skill-path> --verbose - Review findings by severity (CRITICAL/HIGH = do not install)
- Report results to user with recommendation
Score Interpretation
| Score | Meaning | Recommendation | |-------|---------|----------------| | CLEAN | No issues found | Safe to install | | INFO | Minor notes only | Safe to install | | REVIEW | Medium-severity findings | Review manually before installing | | SUSPICIOUS | High-severity findings | Do NOT install without thorough manual review | | DANGEROUS | Critical findings detected | Do NOT install — likely malicious |
Exit Codes
0= CLEAN/INFO1= REVIEW2= SUSPICIOUS3= DANGEROUS
Rules Reference
See references/rules.md for full list of detection rules, severity levels, and whitelisted domains.
Limitations
- Pattern-based detection — cannot catch all obfuscation techniques
- No runtime analysis — only static scanning
- False positives possible for legitimate tools that access network/files
- Always combine with manual review for HIGH/MEDIUM findings