SkillScan

SkillScan is a security scanning and verification service for AI agent tools, including MCP (Model Context Protocol) servers, LangChain tools, and OpenAI plugins. It accepts GitHub repositories or submitted code and performs automated security analysis to identify vulnerabilities and unsafe patterns specific to AI agent ecosystems. The service analyzes submitted AI skills across the following attack vectors: - Prompt Injection: Detection of hidden instructions that could manipulate agent behavior - Data Exfiltration: Identification of unauthorized data leakage through tool responses - Code Execution: Detection of unsafe patterns such as eval, exec, or shell command usage - Supply Chain: Analysis of dependency vulnerabilities and potentially malicious packages - Auth & Secrets: Detection of hardcoded credentials and weak authentication implementations - Network Safety: Identification of SSRF, open redirects, and unsafe network request patterns Upon completion of a scan, verified tools receive a badge that can be embedded in a README file, and are listed in a public registry of audited AI skills. The service also tracks commit hashes and supports re-scanning when updates are made. SkillScan is currently in public beta and is offered at no cost, with no credit card required. It positions itself as an independent audit layer for the AI agent tool ecosystem, providing developers and users with a way to verify the security posture of AI skills before deployment or use.