As AI agent ecosystems grow, the risks of “malicious skills” increase. The Skill Safety Scanner is a developer-centric security tool designed to audit SKILL.md files for risky instructions, hidden behaviors, and potential prompt injections before you integrate them into your environment.
The scanner performs a deep static analysis of skill definitions to identify high-risk patterns that could compromise your system. It flags specific categories of concern including:
- Unauthorized Exfiltration: Detects suspicious data transfer or network instructions.
- Privilege Escalation: Identities broad local file access and shell execution requests.
- Hidden Behaviors: Surfaces obfuscated hints, persistence mechanisms, and unbounded autonomy.
- Social Engineering: Flags prompt injection wording and credential harvesting attempts.
Unlike basic keyword searching, this skill understands the context of agent instructions. It provides a structured safety report (Terminal, JSON, or Markdown) that allows you to automate security gates in your CI/CD pipeline or manually vet third-party skills with confidence. Crucially, it runs entirely locally with zero network calls, ensuring your proprietary code and skill definitions never leave your machine.