githubinferredactive
skillscan-security
provenance:github:kurtpayne/skillscan-security
WHAT THIS AGENT DOES
Skillscan-security is a tool that automatically checks AI skills (like those used with chatbots) for potential security risks *before* they're used. It helps prevent dangerous instructions or hidden code from being accidentally sent to online AI platforms, which can save money and protect sensitive information. Businesses developing and using AI skills, especially those with large teams and frequent updates, will find this tool valuable for ensuring their AI systems are secure.
README
[](https://github.com/kurtpayne/skillscan-security/actions/workflows/ci.yml) [](https://github.com/kurtpayne/skillscan-security/actions/workflows/codeql.yml) [](https://pypi.org/project/skillscan-security/) [](https://hub.docker.com/r/kurtpayne/skillscan-security) [](LICENSE) [](pyproject.toml) **Free. Private. Offline. No API key required.** Security scanner for AI agent skills and MCP tool bundles. Part of the [SkillScan](https://skillscan.sh) project. SkillScan Security catches the obvious stuff so you don't have to pay Claude to find it. It runs entirely on your machine — no network calls, no telemetry, no tokens spent — and returns deterministic verdicts before you ever send a skill to an online scanner. Use it as a free pre-filter in your CI pipeline. If it blocks, you know immediately. If it passes, you've already eliminated the easy wins before handing off to a deeper (and more expensive) analysis layer. Verdicts: `allow` · `warn` · `block` Default policy: `strict`. --- ## Why SkillScan First Online AI scanners (Invariant, Lakera Guard, and others) are excellent at nuanced intent analysis. They are also billed per token. Running them on every skill in a large repository is expensive. SkillScan handles the deterministic layer for free: - Download-and-execute chains - Secret exfiltration patterns - Credential harvesting instructions - Malicious binary artifacts - Known-bad IOC domains and IPs - Vulnerable dependency versions - Prompt injection and instruction override attempts - Social engineering credential requests If SkillScan blocks it, you don't need to spend tokens on it. If it passes, you have a clean bill of health on the obvious vectors before your paid scanner runs. --- ## Features 1. **Offline-first.** No network calls required. Runs entirely on your machine. 2. Archive-safe extraction and static analysis. 3. Binary artifact classification and flagging (executables, libraries, bytecode, blobs). 4. Malware and instruction-abuse pattern detection (121 static rules + 17 multilang rules, 15 chain rules). 5. Instruction hardening pipeline (Unicode normalization, zero-width stripping, bounded base64 decode, action-chain checks). 6. IOC extraction with local intel matching (163 domains, 1,310 IPs, 2 CIDRs — updated twice daily). 7. Dependency vulnerability checks (23 Python + 4 npm packages via OSV.dev). 8. Social engineering and credential-harvest instruction detection (SE-001, SE-SEM-001). 9. Policy profiles (`strict`, `balanced`, `permissive`) + custom policies. 10. Pretty terminal output + JSON / SARIF / JUnit / compact reports. 11. Auto-refresh managed intel feeds (default checks every scan, 1-hour max age). 12. Versioned YAML rulepack for flexible detection updates. 13. Adversarial regression corpus with expected verdicts. 14. Default-on local semantic prompt-injection classifier (NLTK/classical features, no external API). 15. Optional offline ML detection (`--ml-detect`) using a fine-tuned DeBERTa adapter — no API key, no cloud. --- ## Distribution Status - PyPI: `pip install skillscan-security` - Docker: `docker pull kurtpayne/skillscan-security` - Pre-commit hook: `skillscan-security>=0.8.0` Release process: `docs/RELEASE_CHECKLIST.md`. SBOMs: Python CycloneDX (`sbom-python.cdx.json`) and Docker SPDX (`sbom-docker.spdx.json`) are included in release artifacts. Docker default behavior: the image includes ClamAV and enables it by default (`SKILLSCAN_CLAMAV=true`). Override with `--no-clamav`. --- ## Install ### Option A: convenience installer ```bash curl -fsSL https://raw.githubusercontent.com/kurtpayne/skillscan/main/scripts/install.sh | bash ``` ### Option B: pip ```bash pip install skillscan-security ``` **Base install is ~25 MB.** No torch, no transformers, no heavy ML stack. The `--ml-detect` flag requires an optional extra: ```bash # CPU-only ONNX inference (~200 MB) — recommended for most users pip install 'skillscan-security[ml-onnx]' # Full PyTorch backend (~500 MB) — for GPU environments pip install 'skillscan-security[ml]' ``` ### Option C: local/dev install ```bash python3 -m venv .venv source .venv/bin/activate pip install -e '.[dev]' ``` --- ## Quick Start ```bash skillscan scan ./examples/suspicious_skill ``` Scan directly from URL (including GitHub blob URLs): ```bash skillscan scan "https://github.com/blader/humanizer/blob/main/SKILL.md?plain=1" ``` Save reports: ```bash # JSON skillscan scan ./target --format json --out report.json --fail-on never # SARIF (GitHub code scanning) skillscan scan ./target --format sarif --out skillscan.sarif --fail-on never # JUnit XML (CI test report ingestion) skillscan scan ./target --format junit --out skillscan-junit.xml --fail-on never # Compact (terse CI logs) skillscan scan ./target --format compact --fail-on never ``` Render a saved report: ```bash skillscan explain ./report.json ``` Optional offline ML detection (requires `[ml-onnx]` or `[ml]` extra): ```bash skillscan scan ./target --ml-detect ``` The ML detector uses a fine-tuned DeBERTa adapter. It runs entirely on your machine — no API calls, no tokens, no cloud. It is the right tool for subtle semantic attacks that the static rules don't catch. For nuanced intent analysis that requires reasoning about context, see the [integration bridges](#integration-bridges) below. --- ## Highlighted Examples ### 1. Download-and-execute chain (critical) ```console $ skillscan scan examples/showcase/01_download_execute --fail-on never ╭─────────────────────────────── Verdict: BLOCK ───────────────────────────────╮ │ Target: examples/showcase/01_download_execute │ │ Policy: strict │ │ Score: 360 │ │ Findings: 2 │ ╰──────────────────────────────────────────────────────────────────────────────╯ Top Findings: - MAL-001 (critical) Download-and-execute chain - CHN-001 (critical) Dangerous action chain: download plus execute ``` ### 2. Secret exfiltration chain (critical) ```console $ skillscan scan examples/showcase/15_secret_network_chain --fail-on never ╭─────────────────────────────── Verdict: BLOCK ───────────────────────────────╮ │ Target: examples/showcase/15_secret_network_chain │ │ Policy: strict │ │ Score: 285 │ │ Findings: 2 │ ╰──────────────────────────────────────────────────────────────────────────────╯ Top Findings: - EXF-001 (high) Sensitive credential file access - CHN-002 (critical) Potential secret exfiltration chain ``` ### 3. Social engineering credential harvest (critical) ```console $ skillscan scan examples/showcase/20_social_engineering_credential_harvest --fail-on never ╭─────────────────────────────── Verdict: BLOCK ───────────────────────────────╮ │ Target: examples/showcase/20_social_engineering_credential_harvest │ │ Policy: strict │ │ Score: 95 │ │ Findings: 2 │ ╰──────────────────────────────────────────────────────────────────────────────╯ Top Findings: - SE-001 [truncated…]
PUBLIC HISTORY
First discoveredMar 21, 2026
IDENTITY
inferred
Identity inferred from code signals. No PROVENANCE.yml found.
Is this yours? Claim it →METADATA
platformgithub
first seenFeb 8, 2026
last updatedMar 21, 2026
last crawled2 days ago
version—
README BADGE
Add to your README:
