Reproducible source
Public reports should point to the repository, path, and commit that were scanned whenever that metadata is available.
About
Skill Spector is a public safety index for AI agent skills.
It helps developers inspect SKILL.md files, MCP tool bundles, scripts, commands, downloads, secrets exposure, and source metadata before giving an agent more authority on a local machine.
Evidence first
Findings are tied to files, rules, severity, confidence, and remediation so readers can review the reason instead of trusting a label.
Private by default for sensitive input
Uploads and pasted skill text stay private. Public publishing is intended for URL-based scans of public sources.
Why it exists
Agent skills are closer to executable supply-chain artifacts than ordinary docs.
A skill can teach an agent how to run commands, install packages, read local files, call remote services, or connect to MCP tools. That does not make every skill dangerous, but it does mean the source deserves a clear review before installation.
Skill Spector turns that review into a repeatable report: collect the source, preserve version metadata, inventory files, flag suspicious patterns, and make the evidence readable.
Public reports
Public URL scans can become crawlable reports when they refer to public sources. These pages are designed to help readers compare risk scores, findings, files, source commits, and review recommendations.
Private scans
Uploaded files and pasted text are treated as private scan inputs. They are useful for one-off review, but they should not become public SEO pages because they may contain proprietary or sensitive material.
Limitations
Skill Spector is a review aid, not a malware verdict. A clean report does not prove a skill is safe, and a high-risk finding should be read as a reason for manual review before installation.
Review a skill before installing it.
Start with a public repository scan, or read the checklist if you want to inspect a SKILL.md file by hand.