SkillsSafe
AI Skill Security Scanner
Scan SKILL.md files, MCP configs, and system prompts for threats before installing. Detect credential theft, data exfiltration, shell injection, and hidden Unicode characters.
20+ Detection Rules
Credential theft, reverse shells, prompt injection & more
< 100ms
Client-side scanning in your browser, instant results
EN / 中文 / 日本語
The only trilingual AI skill scanner
Free MCP Server
One-line setup for OpenClaw and any MCP-compatible agent
OpenClaw Native Support
Let your agent automatically check skill safety before installation
Add to OpenClaw in one command:
openclaw mcp add skillssafe https://skillssafe.com/api/mcp
Or add manually to your MCP config:
{
"mcpServers": {
"skillssafe": {
"url": "https://skillssafe.com/api/mcp"
}
}
}Available MCP Tools:
- ▸
scan_skill({ url }) — Scan a skill by URL - ▸
scan_skill({ content }) — Scan skill content directly - ▸
get_report({ scan_id }) — Get full report
Example agent conversation:
Also supported:
About SkillsSafe
SkillsSafe is a free AI agent skill security scanner that helps developers and AI users verify the safety of third-party skill files before installation. SkillsSafe provides instant analysis of SKILL.md files, MCP tool configurations, and system_prompt strings used by AI agents such as OpenClaw, Claude Code, Cursor, and Codex.
SkillsSafe detects over 20 threat categories including credential theft, data exfiltration, prompt injection, reverse shells, and hidden zero-width Unicode characters. The scanner runs entirely in your browser in under 100ms — no data is sent to external servers. SkillsSafe also provides a free REST API (200 req/hour) and a free MCP Server (60 req/hour) for programmatic and agent access. No signup or API key is required.
Frequently Asked Questions
- What is SkillsSafe?
- SkillsSafe is a free, no-signup security scanner for AI agent skill files. It analyzes SKILL.md files, MCP tool configurations, and system_prompt strings to detect malicious patterns before you install them into your AI agent.
- What security threats does SkillsSafe detect?
- SkillsSafe detects 20+ threat categories including: credential theft (reading SSH keys, .env files, API tokens), data exfiltration (sending data to external webhooks), prompt injection (hidden instructions overriding your intent), reverse shells, zero-width Unicode characters, ClawHavoc malware indicators, memory poisoning, and scope creep.
- Is SkillsSafe free to use?
- Yes. SkillsSafe is completely free with no signup required. The web scanner has unlimited use. The REST API allows 200 requests/hour per IP. The MCP Server allows 60 requests/hour per IP. There are no paid tiers.
- How do I use SkillsSafe with OpenClaw?
- Run one command: openclaw mcp add skillssafe https://skillssafe.com/api/mcp — then ask your agent to scan any skill before installing it. The agent will call the scan_skill MCP tool automatically.
- Does SkillsSafe store or log my skill files?
- No. When using the web scanner, your content is analyzed entirely in your browser — nothing is sent to our servers. When using the REST API or MCP Server, content is processed in memory and not persisted. Scan reports are stored for 30 days by scan ID only.
- What file formats does SkillsSafe support?
- SkillsSafe scans .md, .txt, .json, .yaml, .yml, .toml files, and .zip archives (up to 500KB). You can paste content directly, provide a URL, or upload a file. GitHub blob URLs are automatically converted to raw format.
- Which AI agents and platforms does SkillsSafe support?
- SkillsSafe supports OpenClaw, Claude Code, Cursor, Codex, and any MCP-compatible AI agent. The REST API can be called from any programming language or automation tool.