Elevate Skill security from 'malware detection' to 'capability auditing'
Not just whether it's malicious, but which approval-worthy capabilities it grants an Agent once enabled. Powered by the CleanSource skills v2 audit engine.
A fully transparent Skill that does exactly what it says can still send material outbound, use an enterprise key to reach third parties, or write to systems. It isn't malicious — yet it can cross the enterprise admission boundary
From 'is it malicious' to 'what will it gain, reach, and change once enabled'.
Not binary safe / malicious, but block / need_review / pass — separating legitimate-but-high-impact from confirmed-malicious.
Covers input visibility, instruction & runtime execution, Agent permission & identity, data & memory, asset cost & real-world actions, abuse evasion, and supply-chain ecosystem.
Doesn't block on keywords — grades by evidence strength, from mention-level, to commands and config, to executable chains, to runtime persistence.
Extracts dependency candidates from build files and even natural-language install intent, matched at version level against poisoning intelligence.
Every verdict carries evidence pinpointed to the SKILL.md line plus a disposition — auditable and reviewable, never keyword-hit-equals-verdict.
Three-tier verdicts embed into CI/CD and Skill-marketplace admission; export JSON to SCA/SBOM, IAM/DLP, SIEM/SOAR, and ticketing.
Parses a Skill's manifest and implementation to reconstruct its true capability boundary — files, network, shell exec, secret access — and flags high-risk capabilities.
Extracts real permissions from SKILL.md and code.
Detects hidden capabilities beyond what's declared.
Shell exec, secret reads and the like get priority alerts.
Compares dependency provenance and naming to catch typosquats, hijacked versions, and malicious injection — blocking and alerting on a hit.
Catches look-alike package names.
Verifies publisher and version integrity.
Alerts and blocks the moment it matches.
A Skills-for-Skills approach makes the audit flow itself dynamically loadable and extensible.
Baseline static scanning rules out obviously malicious samples — the part legacy SAST/SCA already covers.
Aligns the SKILL.md natural-language description with actual code behavior to catch says-one-thing-does-another.
Structured tags and evidence grading assess a single Skill, and detect attack chains emerging from multi-Skill collaboration.
Book a demo and see how SkillSec builds an admission-grade security intelligence line for your AI Agents.