safeskill
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@safeskillcheck if my MCP setup is safe"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
SafeSkill
One-click security audit for your MCP setup.
One score. Plain English. No CLI knowledge required.
We Scanned the MCP Ecosystem
We downloaded and scanned 3,093 MCP packages from npm and the official MCP registry. The results:
858 packages (28%) had at least one security finding
397 packages (13%) rated RED (score below 50)
176 packages scored a flat 0/100
Cisco, 1Password, Snyk, and Bitdefender have all flagged MCP's lack of sandboxing and permissions as a serious risk. We built SafeSkill to let you check for yourself.
Read the full analysis: I Scanned 3,093 MCP Servers. Here's What I Found.
Related MCP server: MCP Security Scanner
Try It Now
No install required. Paste any npm package name into the web scanner:
Quick Start
As an MCP Skill (recommended)
Add SafeSkill to your MCP configuration and just ask your agent:
"Check if my MCP setup is safe"
{
"mcpServers": {
"safeskill": {
"command": "npx",
"args": ["-y", "safeskill"]
}
}
}As a CLI
# Scan your entire setup
npx safeskill
# Scan a specific skill
npx safeskill scan ./my-mcp-server
# Check config only
npx safeskill config
# JSON output
npx safeskill --format=jsonWhat It Detects
Critical
Dynamic code execution (
eval(),new Function())Shell command injection
Data exfiltration to Telegram/Discord/paste sites
Access to SSH keys, cloud credentials, crypto wallets, browser data
Prompt injection in skill descriptions
Environment variable theft over network
Crypto wallet address replacement
High
Child process spawning
Outbound HTTP to raw IP addresses
Bulk environment variable harvesting
Base64/hex obfuscation at runtime
JavaScript code obfuscation
Hardcoded API keys and secrets
Access to .env and dotfiles
Exposed ports (0.0.0.0 binding)
Disabled authentication flags
Medium
Data encoding before transmission
Hidden Unicode characters
Hardcoded secrets in config
Supply chain risk (npx/uvx execution)
Scoring
Each skill gets a score from 0-100:
Score | Rating | Meaning |
80-100 | GREEN | No significant issues found |
50-79 | YELLOW | Some concerns, review the findings |
0-49 | RED | Serious issues, remove or replace this skill |
Scores are based on the number and severity of findings, with diminishing returns for repeated instances of the same issue.
Overall Score: 62/100 YELLOW [############--------]
Found 7 security issues across 4 skills.
Skills you should remove:
- sketchy-data-tool (Score: 15/100) — tries to read your SSH keys and send them to a server
- crypto-helper (Score: 35/100) — contains a hardcoded crypto wallet address
Skills to review:
- file-manager (Score: 65/100) — can run system commands on your computer
Clean skills: weather, calculator, notesOutput Formats
Conversational: Chat-friendly summary for use in MCP agents
Detailed: Full markdown report with all findings
JSON: Machine-readable output for automation
Building from Source
git clone https://github.com/gabchess/safeskill.git
cd safeskill
npm install
npm run buildLicense
MIT
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/gabchess/safeskill'
If you have feedback or need assistance with the MCP directory API, please join our Discord server