100% 免费 · 无需注册 · 无速率限制

SkillsSafe

AI 技能安全扫描器

安装 AI 技能前,扫描 SKILL.md 文件、MCP 配置、system_prompt 是否存在安全威胁。检测凭证窃取、数据外传、Shell 注入和隐藏 Unicode 字符。

支持平台:OpenClawClaude CodeCursorCodex
🔒 隐私模式 — 内容不离开您的浏览器

20+ Detection Rules

Credential theft, reverse shells, prompt injection & more

< 100ms

Client-side scanning in your browser, instant results

EN / 中文 / 日本語

The only trilingual AI skill scanner

Free MCP Server

One-line setup for OpenClaw and any MCP-compatible agent

免费 · 60 次/小时 · 无需 API Key

原生支持 OpenClaw

让你的 Agent 在安装技能前自动检查安全性

一行命令接入 OpenClaw:

bash
openclaw mcp add skillssafe https://skillssafe.com/api/mcp

或手动添加到 MCP 配置:

mcp_config.json
{
  "mcpServers": {
    "skillssafe": {
      "url": "https://skillssafe.com/api/mcp"
    }
  }
}

可用 MCP 工具:

  • scan_skill({ url }) — 通过 URL 扫描技能
  • scan_skill({ content }) — 直接传入内容扫描
  • get_report({ scan_id }) — 获取完整报告

Agent 对话示例:

You:
帮我安装 code-review-helper 技能
Agent:
正在通过 SkillsSafe 扫描安全性...
⚠️ BLOCK: 检测到 3 个严重威胁 • 凭证窃取 (SS-001) • 数据外传 (SS-010) • 提示注入 (SS-030) → https://skillssafe.com/report/ss_a3f8c901
Agent:
建议:不要安装此技能,存在严重安全风险。

同样支持:

OpenClaw ✓Claude CodeCursorCodexAny MCP Agent

About SkillsSafe

SkillsSafe is a free AI agent skill security scanner that helps developers and AI users verify the safety of third-party skill files before installation. SkillsSafe provides instant analysis of SKILL.md files, MCP tool configurations, and system_prompt strings used by AI agents such as OpenClaw, Claude Code, Cursor, and Codex.

SkillsSafe detects over 20 threat categories including credential theft, data exfiltration, prompt injection, reverse shells, and hidden zero-width Unicode characters. The scanner runs entirely in your browser in under 100ms — no data is sent to external servers. SkillsSafe also provides a free REST API (200 req/hour) and a free MCP Server (60 req/hour) for programmatic and agent access. No signup or API key is required.

Frequently Asked Questions

What is SkillsSafe?
SkillsSafe is a free, no-signup security scanner for AI agent skill files. It analyzes SKILL.md files, MCP tool configurations, and system_prompt strings to detect malicious patterns before you install them into your AI agent.
What security threats does SkillsSafe detect?
SkillsSafe detects 20+ threat categories including: credential theft (reading SSH keys, .env files, API tokens), data exfiltration (sending data to external webhooks), prompt injection (hidden instructions overriding your intent), reverse shells, zero-width Unicode characters, ClawHavoc malware indicators, memory poisoning, and scope creep.
Is SkillsSafe free to use?
Yes. SkillsSafe is completely free with no signup required. The web scanner has unlimited use. The REST API allows 200 requests/hour per IP. The MCP Server allows 60 requests/hour per IP. There are no paid tiers.
How do I use SkillsSafe with OpenClaw?
Run one command: openclaw mcp add skillssafe https://skillssafe.com/api/mcp — then ask your agent to scan any skill before installing it. The agent will call the scan_skill MCP tool automatically.
Does SkillsSafe store or log my skill files?
No. When using the web scanner, your content is analyzed entirely in your browser — nothing is sent to our servers. When using the REST API or MCP Server, content is processed in memory and not persisted. Scan reports are stored for 30 days by scan ID only.
What file formats does SkillsSafe support?
SkillsSafe scans .md, .txt, .json, .yaml, .yml, .toml files, and .zip archives (up to 500KB). You can paste content directly, provide a URL, or upload a file. GitHub blob URLs are automatically converted to raw format.
Which AI agents and platforms does SkillsSafe support?
SkillsSafe supports OpenClaw, Claude Code, Cursor, Codex, and any MCP-compatible AI agent. The REST API can be called from any programming language or automation tool.