# Skill Scanner
A security scanner for AI Agent Skills that detects prompt injection, data exfiltration, and malicious code patterns. Combines pattern-based detection (YAML + YARA), LLM-as-a-judge, and behavioral dataflow analysis to maximize detection coverage while minimizing false positives.
Supports OpenAI Codex Skills and Cursor Agent Skills formats following the Agent Skills specification.
View on GitHub | PyPI Package | Join Discord
## Highlights
- Multi-Engine Detection -- Static analysis, behavioral dataflow, LLM semantic analysis, and cloud-based scanning for layered coverage
- False Positive Filtering -- Meta-analyzer significantly reduces noise while preserving detection capability
- CI/CD Ready -- SARIF output for GitHub Code Scanning, reusable GitHub Actions workflow, exit codes for build failures
- Pre-commit Hook -- Standard pre-commit framework integration to scan skills before every commit
- Extensible -- Plugin architecture for custom analyzers
## Scope and Limitations
Skill Scanner is a detection tool. It identifies known and probable risk patterns, but it does not certify security.
Key limitations:
- No findings ≠ no risk. A scan that returns "No findings" indicates that no known threat patterns were detected. It does not guarantee that a skill is secure, benign, or free of vulnerabilities.
- Coverage is inherently incomplete. The scanner combines signature-based detection, LLM-based semantic analysis, behavioral dataflow analysis, optional cloud services, and configurable rule packs.
- False positives and false negatives can occur. Consensus modes and meta-analysis reduce noise, but no configuration eliminates all incorrect classifications.
- Human review remains essential. Automated scanning is one component of a defense-in-depth strategy.
## Documentation
| Guide | Description |
|---|---|
| Quick Start | Get started in 5 minutes |
| Architecture | System design and components |
| Threat Taxonomy | Complete AITech threat taxonomy with examples |
| LLM Analyzer | LLM configuration and usage |
| Meta-Analyzer | False positive filtering and prioritization |
| Behavioral Analyzer | Dataflow analysis details |
| Scan Policy | Custom policies, presets, and tuning guide |
| Policy Quick Reference | Compact reference for policy sections and knobs |
| Rule Authoring | How to add signature, YARA, and Python rules |
| GitHub Actions | Reusable workflow for CI/CD integration |
| API Reference | REST API documentation |
| Development Guide | Contributing and development setup |
## Installation

Prerequisites: Python 3.10+ and uv (recommended) or pip

```bash
# Using uv (recommended)
uv pip install cisco-ai-skill-scanner

# Using pip
pip install cisco-ai-skill-scanner
```
Cloud provider extras:

```bash
# AWS Bedrock support
pip install cisco-ai-skill-scanner[bedrock]

# Google Vertex AI support
pip install cisco-ai-skill-scanner[vertex]

# Azure OpenAI support
pip install cisco-ai-skill-scanner[azure]

# All cloud providers
pip install cisco-ai-skill-scanner[all]
```
## Quick Start

### Interactive Wizard

Not sure which flags to use? Run skill-scanner with no arguments to launch the interactive wizard:

```bash
skill-scanner
```
The wizard walks you through selecting a scan target, analyzers, policy, and output format, then shows the assembled command before running it.
### CLI Usage

```bash
# Scan a single skill (core analyzers: static + bytecode + pipeline)
skill-scanner scan /path/to/skill

# Scan with behavioral analyzer (dataflow analysis)
skill-scanner scan /path/to/skill --use-behavioral

# Scan with all engines
skill-scanner scan /path/to/skill --use-behavioral --use-llm --use-aidefense

# Scan with meta-analyzer for false positive filtering
skill-scanner scan /path/to/skill --use-llm --enable-meta

# Run LLM analyzer multiple times and keep majority-agreed findings
skill-scanner scan /path/to/skill --use-llm --llm-consensus-runs 3

# Scan multiple skills recursively
skill-scanner scan-all /path/to/skills --recursive --use-behavioral

# CI/CD: Fail build if threats found
skill-scanner scan-all ./skills --fail-on-severity high --format sarif --output results.sarif

# Generate interactive HTML report
skill-scanner scan /path/to/skill --use-llm --enable-meta --format html --output report.html

# Use a scan policy preset (strict, balanced, permissive)
skill-scanner scan /path/to/skill --policy strict
```
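Two of the flags above change what a CI gate sees: `--llm-consensus-runs N` keeps only findings that a majority of the N LLM runs agree on, and `--fail-on-severity LEVEL` turns the result into a build failure. The following is an added, stand-alone model of those two rules written for this page; it is not the scanner's own code, and the severity ordering, the `Finding` shape and the rule names in the sample runs are assumptions constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed severity scale, lowest to highest (the page only names "high").
SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]

@dataclass(frozen=True)
class Finding:
    rule_id: str   # constructed names, not the scanner's real rule ids
    severity: str
    file: str

def rank(severity):
    return SEVERITY_ORDER.index(severity)

def consensus(runs):
    """Keep findings that more than half of the runs report (majority vote).
    A finding is identified by (rule_id, file); the highest severity any run
    assigned to it is retained."""
    needed = len(runs) // 2 + 1
    votes, worst = Counter(), {}
    for run in runs:
        # Deduplicate within a run so each run casts at most one vote per key.
        for key, f in {(f.rule_id, f.file): f for f in run}.items():
            votes[key] += 1
            if key not in worst or rank(f.severity) > rank(worst[key].severity):
                worst[key] = f
    kept = [worst[k] for k, n in votes.items() if n >= needed]
    return sorted(kept, key=lambda f: (f.file, f.rule_id))

def max_severity(findings):
    return max((f.severity for f in findings), key=rank) if findings else None

def exit_code(findings, fail_on):
    """Model --fail-on-severity LEVEL: non-zero if any finding is at or above LEVEL."""
    return 1 if any(rank(f.severity) >= rank(fail_on) for f in findings) else 0

# Constructed sample: three LLM runs over one skill. The exfiltration
# finding is flaky (absent from run 2) but still reaches a 2-of-3 majority.
RUNS = [
    {Finding("prompt_injection", "high", "SKILL.md"),
     Finding("data_exfil", "medium", "scripts/run.py")},
    {Finding("prompt_injection", "critical", "SKILL.md")},
    {Finding("prompt_injection", "high", "SKILL.md"),
     Finding("data_exfil", "medium", "scripts/run.py")},
]

if __name__ == "__main__":
    agreed = consensus(RUNS)
    print(len(agreed), max_severity(agreed), exit_code(agreed, "high"))
```

Note that a single run (`--llm-consensus-runs 1`) degenerates to "keep everything", which is why the page recommends an odd number such as 3 when you want the vote to remove one-off LLM hallucinations.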
### Python SDK

```python
from skill_scanner import SkillScanner
from skill_scanner.core.analyzers import BehavioralAnalyzer

scanner = SkillScanner(analyzers=[
    BehavioralAnalyzer(),
])
result = scanner.scan_skill("/path/to/skill")
print(f"Findings: {len(result.findings)}")
print(f"Max severity: {result.max_severity}")
if not result.is_safe:
    print("Issues detected -- review findings before deployment")
```
## Security Analyzers
| Analyzer | Detection Method | Scope | Requirements |
|---|---|---|---|
| Static | YAML + YARA patterns | All files | None |
| Bytecode | .pyc integrity verification | Python bytecode | None |
| Pipeline | Command taint analysis | Shell pipelines | None |
| Behavioral | AST dataflow analysis | Python files | None |
| LLM | Semantic analysis | SKILL.md + scripts | API key |
| Meta | False positive filtering | All findings | API key |
| VirusTotal | Hash-based malware | Binary files | API key |
| AI Defense | Cloud-based AI | Text content | API key |
## CLI Options

| Option | Description |
|---|---|
| --policy | Scan policy: preset name (strict, balanced, permissive) or path to custom YAML |
| --use-behavioral | Enable behavioral analyzer (dataflow analysis) |
| --use-llm | Enable LLM analyzer (requires API key) |
| --llm-provider | LLM provider: anthropic or openai |
| --llm-consensus-runs N | Run LLM analysis N times and keep majority-agreed findings |
| --use-virustotal | Enable VirusTotal binary scanner |
| --use-aidefense | Enable Cisco AI Defense analyzer |
| --use-trigger | Enable trigger specificity analyzer |
| --enable-meta | Enable meta-analyzer for false positive filtering |
| --format | Output: summary, json, markdown, table, sarif, html |
| --output PATH | Save report to file |
| --fail-on-severity LEVEL | Exit with error if findings at or above LEVEL exist |
| --custom-rules PATH | Use custom YARA rules from directory |
| --lenient | Tolerate malformed skills instead of failing |

| Command | Description |
|---|---|
| (no command) | Launch interactive scan wizard |
| scan | Scan a single skill directory |
| scan-all | Scan multiple skills (with --recursive, --check-overlap) |
| generate-policy | Generate a scan policy YAML for customisation |
| configure-policy | Interactive TUI to build/edit a custom scan policy |
| list-analyzers | Show available analyzers |
| validate-rules | Validate rule signatures |
## GitHub Actions

Scan skills automatically on every push or PR using the reusable workflow:

```yaml
name: Scan Skills
on:
  pull_request:
    paths: [".cursor/skills/**"]
jobs:
  scan:
    uses: cisco-ai-defense/skill-scanner/.github/workflows/scan-skills.yml@main
    with:
      skill_path: .cursor/skills
    permissions:
      security-events: write
      contents: read
```
## Pre-commit Hook

Scan skills before every commit using the pre-commit framework:

```yaml
repos:
  - repo: https://github.com/cisco-ai-defense/skill-scanner
    rev: v1.0.0
    hooks:
      - id: skill-scanner
```

Or install the built-in hook directly:

```bash
skill-scanner-pre-commit install
```
## Contributing
We welcome contributions! Please see CONTRIBUTING.md for guidelines.
## License
Apache 2.0 -- See LICENSE for details.