Security scanner for AI agent skills and plugins. Reviews the code before you install it.
npx skillrx owner/repoThat's it. skillrx clones the repo, analyzes it, and gives you a verdict: TRUSTED, CAUTION, RISKY, or MALICIOUS.
- Claude Code skills and plugins
- Codex skills and plugins
- Skills for 40+ other agents (Cursor, Aider, Continue.dev, Vercel AI SDK, OpenAI Assistants, MCP, etc.)
If it ships as a skill or plugin, skillrx reads it.
Full repository — point skillrx at a repo (or local folder). It scans the whole tree you give it (respecting filters and limits).
Single skill in a monorepo — for big skills collections (for example anthropics/skills), use --skill <name> so only skills/<name> is fetched with a sparse checkout instead of cloning everything.
npx skillrx anthropics/skills --skill frontend-designFull repository |
Single skill (--skill) |
| Area | What it detects |
|---|---|
| Prompt injection | Attempts to hijack the agent's role or coerce its tools |
| Shadow features | What the README promises vs what the code actually does |
| Exfiltration | Odd endpoints, URL shorteners, hardcoded IPs, DNS exfil |
| Secrets | Exposed API keys, tokens, JWTs, private blocks |
| Dangerous permissions | Destructive shell, persistence, privilege escalation |
| Post-install scripts | npm lifecycle hooks, `curl |
Starts at 100. Each finding subtracts points based on severity:
- High: −25
- Medium: −10
- Low: −5
If a critical rule fires (hardcoded secrets, reverse shells, install-time curl | sh, severe prompt injection), the result jumps straight to MALICIOUS with score 0.
| Range | Verdict |
|---|---|
| 80–100 | TRUSTED |
| 50–79 | CAUTION |
| 0–49 | RISKY |
| Critical rule | MALICIOUS |
npx skillrx owner/repo --full # show every finding
npx skillrx owner/repo --json # JSON outputskillrx does not run npm install, node, or python against the repo. It only reads files and applies patterns. Pure static analysis, 100% offline (except for the initial clone).
MIT