Free security audit for AI agent skills

Don't let a skill backdoor your agent.

Paste a GitHub repo, subdirectory, or raw file URL. We'll find every SKILL.md reachable from it and check each one for prompt-injection, data-exfiltration, remote-code-execution, and permission-bypass patterns — then rate it Safe or Unsafe with the exact findings behind that call, not a black-box score.

10 free scans per browser, then keep going with credits — see plans.

Prompt injection

Instructions hidden in a SKILL.md or a bundled script trying to hijack Claude's behavior — including tricks buried in HTML comments or invisible Unicode.

Data exfiltration

Commands that read your SSH keys, .env files, or credential stores and quietly ship them out over the network.

Remote code execution

curl | bash patterns, obfuscated payloads, and eval-of-fetched-content tricks that run arbitrary code the moment you install.

Permission bypass

Instructions nudging the assistant to skip confirmations, disable hooks, or run with permission checks turned off entirely.

Scan without limits

Your first 10 scans are free, forever. After that, credits keep you going — one credit per scan, no expiry, no subscription to cancel. Buying credits also keeps this tool free to run for everyone else.

Test mode — no real payment yet Real billing is coming soon. For now, grabbing a package instantly adds test credits so you can keep scanning.