Skill Scanner
Security scanning for AI agent skills — detect prompt injection, data exfiltration, and malicious code patterns before they run.
Skill Scanner combines pattern-based detection (YAML + YARA), LLM-as-a-judge, and behavioral dataflow analysis to catch threats that any single approach would miss. It supports OpenAI Codex Skills, Cursor Agent Skills, and related formats following the Agent Skills specification.
View on GitHub | PyPI Package | Join Discord
How It Works
1. Install — pip install cisco-ai-skill-scanner or use uv. Optionally configure LLM and cloud service API keys for deeper analysis.
2. Scan — Point the CLI at a skill directory. Core analyzers (static, bytecode, pipeline) run automatically with zero configuration. Add optional analyzers for behavioral, LLM, and cloud-based analysis.
3. Review — Get findings in six output formats: summary, JSON, Markdown, table, SARIF, and interactive HTML. Each finding includes severity, threat category, file path, and remediation guidance.
What It Detects
| Threat Category | Description |
|---|---|
| Prompt Injection | Hidden instructions that override agent behavior |
| Data Exfiltration | Unauthorized data transmission to external servers |
| Command Injection | Shell command execution with untrusted input |
| Obfuscation | Base64 encoding, bytecode tricks, and code concealment |
| Hardcoded Secrets | API keys, tokens, and credentials in source code |
| Social Engineering | Deceptive skill descriptions and trigger manipulation |
| Supply Chain | Malicious dependencies and fetch-execute patterns |
| Unicode Steganography | Invisible characters and homoglyph deception |
Documentation
| Guide | Description |
|---|---|
| Installation | Prerequisites, install methods, and environment configuration |
| Features | All 10 analyzers, file intelligence, and detection capabilities |
| Quick Start | Get scanning in under a minute |
| CLI Reference | All commands, flags, and examples |
| Architecture | Scanning pipeline, system design, and extension points |
| Scan Policies | Presets, custom policy YAML, and tuning guide |
| Python SDK | Programmatic scanning with typed models |
| API Reference | REST API server for upload and batch workflows |
| GitHub Actions | CI/CD integration with reusable workflow |
| FAQ | Common questions and answers |
For deep-dives into individual analyzers, rule authoring, and threat taxonomy, see the full documentation in the repository.
Scope and Limitations
Skill Scanner is a detection tool. It identifies known and probable risk patterns, but it does not certify security.
- No findings does not equal no risk. A clean scan means no known threat patterns were detected — not that the skill is safe.
- Coverage is inherently incomplete. The scanner combines multiple engines, but novel attacks may evade all of them.
- False positives and false negatives can occur. Consensus modes and meta-analysis reduce noise, but no configuration eliminates all errors.
- Human review remains essential. Automated scanning is one layer in a defense-in-depth strategy.
License
Apache 2.0 — See LICENSE for details.