
CLI scanner that detects security threats in AI agent skills before installation.
Alice Caterpillar is a CLI-based security scanner designed to analyze AI agent skills (also referred to as AI coding assistant plugins or rules) for security threats before they are installed or used in a development environment. The tool scans skill files and directories, identifying a range of security issues across multiple categories:

- Dangerous Permissions: Skills requesting excessive permissions beyond their stated functionality
- Privacy Violations: Skills that collect personal information or track user activity without consent
- Data Exfiltration: Skills that transmit sensitive data (source code, config files, database contents) to unauthorized external destinations
- Obfuscation: Skills using encoded commands or intentionally confusing logic to hide true functionality
- Social Engineering: Skills using deceptive UI elements, fake alerts, or manipulation to extract information
- Supply Chain: Skills that tamper with package management, modify dependencies, or inject code into build processes
- Credential Theft: Skills attempting to access or steal API keys, SSH keys, passwords, or authentication tokens
- Network Attacks: Skills performing malicious network operations such as C2 communication or port scanning

Caterpillar assigns letter grades (A through F) and severity levels to scanned skills, allowing users to make informed decisions about whether to keep, fix, or reject a skill. It is distributed as a free, open-source tool installable via curl or npm, and requires no API key to operate. It is intended for use by individual developers, security teams, DevOps engineers, and engineering managers. Supported skill types include Claude Skills, Cursor Rules, and MCP configs.
Common questions about Caterpillar including features, pricing, alternatives, and user reviews.
Caterpillar is a CLI scanner that detects security threats in AI agent skills before installation, developed by Alice. It is an AI Security solution designed to help security teams with Agentic AI Security, MCP Security, and LLM Security.
Caterpillar offers the following core capabilities:
Learn more at https://cybersectools.com/tools/caterpillar
Caterpillar is a free AI Security tool. This makes it accessible for organizations of all sizes, from startups to enterprises. Visit https://caterpillar.alice.io/ for download and installation instructions.
Popular alternatives to Caterpillar include:
Compare these tools and more at https://cybersectools.com/categories/ai-security
Caterpillar is for security teams and organizations that need Agentic AI Security, MCP Security, LLM Security, Supply Chain Security, and Security Scanning. It's particularly suitable for small to medium-sized teams looking for cost-effective solutions. Other AI Security tools can be found at https://cybersectools.com/categories/ai-security
NLP-based security scanner for AI agent skill files detecting behavioral threats.
Agentic AI security platform with continuous scan, analyze, remediate & evaluate loop.