Prompt injection
Instructions hidden in a SKILL.md or a bundled script trying to hijack Claude's behavior — including tricks buried in HTML comments or invisible Unicode.
Free security audit for AI agent skills
Paste a GitHub repo, subdirectory, or raw file URL. We'll find every
SKILL.md reachable from it and check each one for
prompt-injection, data-exfiltration, remote-code-execution, and
permission-bypass patterns — then rate it Safe or Unsafe with the
exact findings behind that call, not a black-box score.
10 free scans per browser, then keep going with credits — see plans.
Instructions hidden in a SKILL.md or a bundled script trying to hijack Claude's behavior — including tricks buried in HTML comments or invisible Unicode.
Commands that read your SSH keys, .env files, or credential stores and quietly ship them out over the network.
curl | bash patterns, obfuscated payloads, and eval-of-fetched-content tricks that run arbitrary code the moment you install.
Instructions nudging the assistant to skip confirmations, disable hooks, or run with permission checks turned off entirely.
Your first 10 scans are free, forever. After that, credits keep you going — one credit per scan, no expiry, no subscription to cancel. Buying credits also keeps this tool free to run for everyone else.
Test mode — no real payment yet Real billing is coming soon. For now, grabbing a package instantly adds test credits so you can keep scanning.