Allows scanning of AI agent skill files hosted on GitHub for security threats, including credential theft, prompt injection, and malware indicators.
skillssafe-mcp
MCP server for SkillsSafe, the security layer for AI agents.
Scan SKILL.md files, MCP configs, and system prompts for:
Credential theft & data exfiltration
Prompt injection attacks
Zero-width character attacks
ClawHavoc malware indicators
Shell injection & reverse shells
Scope creep & memory poisoning
Free. No API key. No signup.
Quick Start
Claude Desktop
Add to ~/Library/Application Support/Claude/claude_desktop_config.json:
{
  "mcpServers": {
    "skillssafe": {
      "command": "npx",
      "args": ["-y", "skillssafe-mcp"]
    }
  }
}
Cursor
Add to .cursor/mcp.json:
{
  "mcpServers": {
    "skillssafe": {
      "command": "npx",
      "args": ["-y", "skillssafe-mcp"]
    }
  }
}
Direct SSE (Remote)
For clients that support SSE transport:
https://mcp.skillssafe.com/sse
Tools
scan_skill
Scan an AI agent skill file for security threats before installation.
Parameters:
url - URL of skill to scan (GitHub raw URL, ClawHub URL, etc.)
content - Raw text content of skill to scan (alternative to url)
lang - Response language: "en" | "zh" | "ja" (default: "en")
Returns:
decision - INSTALL / REVIEW / BLOCK
risk_score - 0–100
threats - List of detected threats with severity
scan_id - ID for retrieving full report
get_report
Retrieve a previously generated scan report.
Parameters:
scan_id - Scan ID returned by scan_skill
Registry
Official MCP Registry:
com.skillssafe/scanner
Smithery: skillssafe
Glama: skillssafe-mcp
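A fail-closed install gate built on the scan_skill return fields documented above (decision, risk_score, threats, scan_id). This is an added example, not SkillsSafe's own code; the function name gateSkill, the severity labels, the policy thresholds and the sample results are assumptions constructed for illustration.

```javascript
// Added example: local policy gate over a scan_skill result. Not SkillsSafe code.
// Field names decision, risk_score, threats and scan_id come from the README;
// the per-threat "severity" strings and the thresholds are assumptions.
const DECISIONS = new Set(["INSTALL", "REVIEW", "BLOCK"]);
const SEVERITY_RANK = { low: 1, medium: 2, high: 3, critical: 4 }; // assumed labels

function gateSkill(result, policy = { maxScore: 20, maxSeverity: "low" }) {
  const deny = (reason) => ({ allow: false, reason, scan_id: result?.scan_id ?? null });

  // Fail closed: anything that is not a well-formed result is treated as a block.
  if (!result || typeof result !== "object") return deny("malformed result");
  if (!DECISIONS.has(result.decision)) return deny("unknown decision");
  const score = result.risk_score;
  if (typeof score !== "number" || !Number.isFinite(score) || score < 0 || score > 100)
    return deny("risk_score outside 0-100");
  if (!Array.isArray(result.threats)) return deny("threats is not a list");
  const limit = SEVERITY_RANK[policy.maxSeverity];
  if (limit === undefined) return deny("invalid policy");

  // REVIEW is not an approval: only an explicit INSTALL proceeds.
  if (result.decision !== "INSTALL") return deny(`scanner decision ${result.decision}`);

  // Local policy may be stricter than the scanner's own verdict.
  if (score > policy.maxScore) return deny(`risk_score ${score} > ${policy.maxScore}`);
  for (const t of result.threats) {
    const rank = SEVERITY_RANK[String(t?.severity).toLowerCase()];
    // An unrecognised severity label is denied rather than ignored.
    if (rank === undefined) return deny("unrecognised threat severity");
    if (rank > limit) return deny(`threat severity ${t.severity} exceeds ${policy.maxSeverity}`);
  }
  return { allow: true, reason: "within policy", scan_id: result.scan_id ?? null };
}

// Constructed sample results (not real scanner output).
const SAMPLE_CLEAN = { decision: "INSTALL", risk_score: 4, threats: [], scan_id: "sample-1" };
const SAMPLE_NOISY = { decision: "INSTALL", risk_score: 35,
  threats: [{ severity: "medium" }], scan_id: "sample-2" };
const SAMPLE_BLOCK = { decision: "BLOCK", risk_score: 92,
  threats: [{ severity: "critical" }], scan_id: "sample-3" };

for (const r of [SAMPLE_CLEAN, SAMPLE_NOISY, SAMPLE_BLOCK, { decision: "install" }]) {
  console.log(JSON.stringify(gateSkill(r)));
}
```

The returned scan_id can be passed to get_report when a denial needs investigation.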
Security Audit
This project is indexed by SkillsSafe.
You can audit this MCP server before installing it:
openclaw mcp add skillssafe https://mcp.skillssafe.com/sse
Check out the community discussion on Cursor Forum.
License
MIT © SkillsSafe