Free, no-signup security scanner for AI agent skills.
Scan any SKILL.md, MCP config, or system_prompt for threats before installing.
https://skillssafe.com
As AI agents become more powerful, malicious skills can steal credentials, exfiltrate data, or hijack your agent's behavior. SkillsSafe scans skill files before you install them, the same way an antivirus scans software before you run it.
Supported platforms: OpenClaw · Claude Code · Cursor · Codex · any MCP-compatible agent
Paste content, enter a URL, or upload a file to scan for:
| Threat | Description |
|---|---|
| Credential Theft | Attempts to access API keys, tokens, or passwords |
| Data Exfiltration | Skills that send your data to external servers |
| Prompt Injection | Hidden instructions that hijack agent behavior |
| Shell Injection | Reverse shell or arbitrary command execution |
| Zero-Width Characters | Invisible Unicode characters hiding malicious instructions |
| Scope Creep | Skills requesting permissions beyond their stated purpose |
| Memory Poisoning | Attempts to corrupt agent memory or context |
| Privacy Risk | Unnecessary access to personal or sensitive data |
Each scan returns a risk score, severity rating (SAFE / CAUTION / DANGER / CRITICAL), and a shareable report link.
Visualize invisible Unicode characters (U+200B, U+200C, U+200D, U+FEFF, etc.) hidden inside text. Attackers embed these to create prompts that look safe to humans but carry hidden instructions for AI agents.
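
The check described above, sketched as an added example (not SkillsSafe's own code): it locates the code points listed in the paragraph and renders them as visible tags. U+2060, the function names, and the rule that a leading BOM or a joiner between two emoji is benign are assumptions made for this example.

```javascript
// Added example. Code points named on the page, plus U+2060 (an assumption).
const INVISIBLE = new Map([
  [0x200b, "ZERO WIDTH SPACE"],
  [0x200c, "ZERO WIDTH NON-JOINER"],
  [0x200d, "ZERO WIDTH JOINER"],
  [0xfeff, "ZERO WIDTH NO-BREAK SPACE (BOM)"],
  [0x2060, "WORD JOINER"],
]);
const PICTO = /\p{Extended_Pictographic}/u;
const EMOJI_SUFFIX = /[\uFE0F\u{1F3FB}-\u{1F3FF}]/u; // variation selector, skin tones

// True when the ZWJ at index i sits between two emoji (a normal emoji sequence).
function isEmojiJoiner(chars, i) {
  let p = i - 1;
  while (p >= 0 && EMOJI_SUFFIX.test(chars[p])) p--;
  return p >= 0 && i + 1 < chars.length &&
    PICTO.test(chars[p]) && PICTO.test(chars[i + 1]);
}

// Returns every suspicious invisible character with its position, plus a
// copy of the text in which each one is replaced by a visible <U+XXXX> tag.
function findInvisible(text) {
  const chars = Array.from(text); // iterate by code point, not UTF-16 unit
  const findings = [];
  let line = 1, col = 1, visualized = "";
  chars.forEach((ch, i) => {
    const cp = ch.codePointAt(0);
    const benign = (cp === 0xfeff && i === 0) || // BOM at file start is normal
      (cp === 0x200d && isEmojiJoiner(chars, i));
    if (INVISIBLE.has(cp) && !benign) {
      const tag = "U+" + cp.toString(16).toUpperCase().padStart(4, "0");
      findings.push({ line, col, codePoint: tag, name: INVISIBLE.get(cp) });
      visualized += `<${tag}>`;
    } else {
      visualized += ch;
    }
    if (ch === "\n") { line += 1; col = 1; } else { col += 1; }
  });
  return { findings, visualized };
}

// Constructed sample: a SKILL.md fragment with characters hidden inside words.
const SAMPLE = "\uFEFF# Weather skill\n" +
  "Fetch the fore\u200Bcast\u200D for a city \u{1F468}\u200D\u{1F469}\n";
console.log(findInvisible(SAMPLE).findings);
```

ZWNJ and ZWJ are legitimate in Persian, Arabic and Indic-script text, so findings in localized skill files need review rather than automatic rejection.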
Native Model Context Protocol support: let your agent automatically check skill safety before installation. No API key required.

```bash
# OpenClaw (one-line setup)
openclaw mcp add https://skillssafe.com/api/mcp
```

Available MCP tools:

- `scan_url`: Scan a skill by URL
- `scan_content`: Scan skill content directly
- `get_report`: Retrieve a full scan report

Works with any agent, script, or CI/CD pipeline.

```bash
# Scan by URL
curl -X POST https://skillssafe.com/api/v1/scan/url \
  -H "Content-Type: application/json" \
  -d '{"url": "https://clawhub.ai/skills/example"}'

# Scan by content
curl -X POST https://skillssafe.com/api/v1/scan/content \
  -H "Content-Type: application/json" \
  -d '{"content": "...skill content..."}'
```

Full OpenAPI spec: https://skillssafe.com/api/v1/openapi.json

| Route | Description |
|---|---|
| `/` | Main security scanner |
| `/zero-width-detector` | Hidden Unicode character detector |
| `/api-docs` | Interactive API documentation |
| `/integrate` | Integration guide for MCP & REST API |
| `/feedback` | Bug reports and feature requests |

```bash
npm install
npm run dev
```

Open http://localhost:3000 in your browser.

```
# .env.local
# (see wrangler.toml for Cloudflare Workers configuration)
```

- Framework: Next.js (App Router)
- Deployment: Cloudflare Workers via `@opennextjs/cloudflare`
- Database: Cloudflare D1 (SQLite)
- i18n: next-intl (English · 中文 · 日本語)

100% Free · No Signup · No Rate Limits for Humans
API rate limit: 60 requests/hour (no API key required).
Found a bug or false positive? Send feedback or email support@skillssafe.com.
SkillsSafe is an independent security tool, not affiliated with Anthropic, OpenClaw, or Cisco.