SkillGuard
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@SkillGuardscan https://github.com/example/example-skill for malware"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
SkillGuard
Scan a Claude Code skill, plugin, or MCP server for malware before you install it. One command, no install, no account.
npx github:epistemedeus/skillguard https://github.com/owner/repo
# or a local folder:
npx github:epistemedeus/skillguard ./my-skillSkillGuard report · 3 text files scanned
DANGER (4)
SKILL.md
■ Prompt-injection / data-exfil instruction in text [prompt-injection]
index.js
■ Possible env/secret exfiltration (sensitive env var near a network call) [env-exfil]
■ Hardcoded suspicious exfiltration endpoint (webhook/pastebin/raw-IP) [exfil-host]
■ Obfuscated/dynamic code execution (eval(atob), curl|bash) [obfuscation]
✗ DANGEROUS — do NOT install without reviewing the flagged files.Why
The Claude Code / MCP ecosystem is exploding — and so is the attack surface. Researchers have found 71 malicious skills in the wild, ~26% of published skills carry vulnerabilities, and 30+ MCP CVEs landed in 60 days. The most common payloads:
Environment-variable / secret exfiltration (
ANTHROPIC_API_KEY,AWS_SECRET_ACCESS_KEY,~/.env) shipped off to a webhook.Install-time shell hooks (
postinstall) that run code the moment younpm install.Prompt injection in tool descriptions / SKILL.md ("ignore previous instructions", "do not tell the user", "always auto-approve").
Committed binaries and obfuscated
eval(atob(...))/curl | bashpayloads.Auto-approve-all / skip-permissions configs that disarm your safeguards.
SkillGuard catches these patterns in seconds, so you can vet a third-party skill or MCP server before trusting it with your machine and your keys.
Related MCP server: Claude Code Starter Kit MCP
Safe by design
SkillGuard does static analysis only. It clones with git clone (hooks disabled) and reads files — it never runs npm install, never executes build/postinstall scripts, and never runs the target code. Scanning a malicious package can't harm you. (A scanner that executed what it's inspecting would be the very risk it's meant to prevent.)
What it checks
Check | Catches |
| A sensitive env var read next to a network call |
| Hardcoded webhook / pastebin / raw-IP / Telegram exfil endpoints |
|
|
| Data-exfil / "ignore instructions" / auto-approve text in SKILL.md, tool descriptions, prompts |
| API keys / private keys committed to the repo |
| Compiled ELF / Mach-O / PE executables in the tree |
| The honeypot pattern: a build step that generates + commits an encrypted blob |
| Auto-approve-all, sandbox-disabling, |
|
|
Exit code: 0 clean · 2 suspicious · 3 dangerous — so you can gate CI on it.
Use it in CI (GitHub Action)
Gate your CI on skill/MCP supply-chain safety:
- uses: epistemedeus/skillguard@v1
with:
path: . # path or git URL to scan
fail-on: dangerous # or "suspicious"Use it as an MCP server
Give your agent the ability to vet a skill/MCP server before installing it. Add to your Claude Code / MCP client config:
{
"mcpServers": {
"skillguard": {
"command": "npx",
"args": ["-y", "github:epistemedeus/skillguard", "mcp"]
}
}
}It exposes one tool, scan_skill(target), where target is a local path or a git/GitHub URL. Your agent can then check anything it's about to install. (Static-only — it never runs the scanned code.)
Show that you passed
If your skill or MCP server comes back clean, earn a badge for your README:
npx github:epistemedeus/skillguard . --badgeIt prints a Markdown badge you can paste in — a signal to your users that you ran a malware scan:
Free vs. paid
The CLI is free and MIT-licensed — run it as often as you like. If you install third-party skills/MCPs regularly and want to stop worrying:
One-time deep audit ($29) — we manually review a skill/MCP/plugin you're about to depend on and send you a written risk report, same day.
Watch mode ($12/mo) — we re-scan the skills + MCP servers you depend on every time they ship an upstream release, and alert you the moment new risk appears (the rug-pull / mutable-tool problem).
Limitations
Heuristics catch known-bad patterns; a determined, novel attack can evade any static scanner. SkillGuard is a fast first line of defense, not a guarantee. Always review code from untrusted authors.
MIT · by SameDayDesk · issues + PRs welcome.
Maintenance
Tools
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/epistemedeus/skillguard'
If you have feedback or need assistance with the MCP directory API, please join our Discord server