# CLI Reference

Skill Scanner provides three entry points: `skill-scanner` (main CLI), `skill-scanner-api` (REST API server), and `skill-scanner-pre-commit` (pre-commit hook).
## Commands

| Command | Description |
|---|---|
| (no command) | Launch interactive scan wizard |
| scan | Scan a single skill directory |
| scan-all | Scan multiple skills in a directory |
| generate-policy | Generate a scan policy YAML from a preset |
| configure-policy | Interactive TUI for editing a policy |
| list-analyzers | Show available analyzers and their activation flags |
| validate-rules | Validate rule signatures |
## skill-scanner scan

Scan a single skill directory.

```bash
skill-scanner scan /path/to/skill [OPTIONS]
```
### Analyzer Flags

| Flag | Description |
|---|---|
| --use-behavioral | Enable behavioral analyzer (AST dataflow analysis) |
| --use-llm | Enable LLM analyzer (requires API key) |
| --llm-provider | LLM provider: anthropic or openai |
| --llm-consensus-runs N | Run LLM analysis N times; keep majority-agreed findings |
| --use-virustotal | Enable VirusTotal binary scanner |
| --use-aidefense | Enable Cisco AI Defense analyzer |
| --use-trigger | Enable trigger specificity analyzer |
| --enable-meta | Enable meta-analyzer for false positive filtering |
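The `--llm-consensus-runs N` row above describes a majority vote: the analysis is repeated N times and only findings that most runs agree on survive, which is why the examples below pair it with `--enable-meta` for "high-confidence results". The following is an added illustration of that voting rule, not skill-scanner's own code. The page does not say how the project decides that two runs reported the same finding, so this example keys a finding on `(category, file, severity)`; that identity, the sample findings and the strict-majority reading of "majority-agreed" are assumptions made for the demonstration.

```python
"""Majority vote across repeated LLM analysis runs.

Added illustration of the idea behind --llm-consensus-runs N ("run N times,
keep majority-agreed findings"). This is not skill-scanner's implementation:
the page does not say how the project decides that two runs reported the
same finding, so this example keys a finding on (category, file, severity),
an assumption made for the demonstration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """Hashable identity of a finding, so it can be counted across runs."""
    category: str
    file: str
    severity: str


def vote_counts(runs: list[set[Finding]]) -> Counter:
    """How many runs reported each finding (a finding counts once per run)."""
    return Counter(f for run in runs for f in run)


def consensus(runs: list[set[Finding]]) -> set[Finding]:
    """Keep findings reported by a strict majority of runs (> N/2).

    With N=3 a finding needs 2 votes; with N=4 it needs 3, so a 2-2 split is
    dropped. Ties therefore fall on the side of not reporting, which is what
    makes the surviving set "high-confidence" rather than a union of noise.
    """
    n = len(runs)
    if n == 0:
        return set()
    return {f for f, c in vote_counts(runs).items() if c > n / 2}


def consensus_report(runs: list[set[Finding]]) -> tuple[set[Finding], dict[Finding, int]]:
    """Return (kept, dropped-with-vote-count) so an operator can review what
    the vote discarded instead of losing it silently."""
    kept = consensus(runs)
    dropped = {f: c for f, c in vote_counts(runs).items() if f not in kept}
    return kept, dropped


# Constructed sample: three LLM runs over the same skill (not real scanner output).
PROMPT_INJECTION = Finding("prompt_injection", "SKILL.md", "high")
EXFIL = Finding("data_exfiltration", "scripts/run.py", "critical")
FLAKY = Finding("obfuscation", "scripts/helper.py", "medium")  # reported by one run only
SAMPLE_RUNS = [
    {PROMPT_INJECTION, EXFIL},
    {PROMPT_INJECTION, FLAKY},
    {PROMPT_INJECTION, EXFIL},
]

if __name__ == "__main__":
    kept, dropped = consensus_report(SAMPLE_RUNS)
    for f in sorted(kept, key=lambda f: f.file):
        print(f"KEEP  {f.severity:8} {f.category} in {f.file}")
    for f, votes in dropped.items():
        print(f"DROP  {f.severity:8} {f.category} in {f.file} ({votes}/{len(SAMPLE_RUNS)} runs)")
```

On the constructed sample, `prompt_injection` (3 of 3 runs) and `data_exfiltration` (2 of 3) are kept, while the `obfuscation` finding seen by a single run is dropped with its vote count attached. The strict-majority rule means an even N can discard a finding on a tie, so an odd N such as the `3` used in the examples below avoids that ambiguity.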
### Output Flags

| Flag | Description |
|---|---|
| --format | Output format: summary, json, markdown, table, sarif, html |
| --output PATH | Save report to file |
| --detailed | Include full finding details (markdown format) |
### Policy and Rules

| Flag | Description |
|---|---|
| --policy | Preset name (strict, balanced, permissive) or path to custom YAML |
| --custom-rules PATH | Use custom YARA rules from directory |
| --fail-on-severity LEVEL | Exit with error if findings at or above LEVEL exist |
### Behavior Flags

| Flag | Description |
|---|---|
| --lenient | Tolerate malformed skills instead of failing |
| --skill-file NAME | Use a custom metadata filename instead of SKILL.md |
### Examples

```bash
# Core analyzers only (default)
skill-scanner scan ./my-skill

# Full analysis with all engines
skill-scanner scan ./my-skill --use-behavioral --use-llm --use-aidefense --enable-meta

# LLM consensus mode for high-confidence results
skill-scanner scan ./my-skill --use-llm --llm-consensus-runs 3 --enable-meta

# Generate interactive HTML report
skill-scanner scan ./my-skill --use-llm --enable-meta --format html --output report.html

# CI/CD: fail on high-severity findings
skill-scanner scan ./my-skill --fail-on-severity high --format sarif --output results.sarif

# Scan a non-standard skill format (e.g., Claude Code commands)
skill-scanner scan .claude/commands/deploy --lenient
```
## skill-scanner scan-all

Scan multiple skills in a directory.

```bash
skill-scanner scan-all /path/to/skills [OPTIONS]
```

Supports all flags from `scan`, plus:

| Flag | Description |
|---|---|
| --recursive | Recursively discover skills in subdirectories |
| --check-overlap | Detect coordinated attacks across skills |

### Examples

```bash
# Scan all skills recursively
skill-scanner scan-all ./skills --recursive --format table

# Cross-skill analysis
skill-scanner scan-all ./skills --recursive --check-overlap

# CI/CD gate with SARIF output
skill-scanner scan-all ./skills --recursive --format sarif --output results.sarif --fail-on-severity high
```
## skill-scanner generate-policy

Generate a scan policy YAML from a built-in preset for customization.

```bash
skill-scanner generate-policy [OPTIONS]
```

| Flag | Description |
|---|---|
| -o, --output PATH | Output file path |
| --preset NAME | Base preset: strict, balanced, permissive |

```bash
skill-scanner generate-policy -o my_policy.yaml --preset strict
```
## skill-scanner configure-policy

Interactive terminal UI for building or editing a custom scan policy.

```bash
skill-scanner configure-policy [OPTIONS]
```

| Flag | Description |
|---|---|
| -i, --input PATH | Existing policy YAML to edit |
| -o, --output PATH | Output file path |

```bash
skill-scanner configure-policy -i my_policy.yaml -o my_policy.yaml
```
## skill-scanner list-analyzers

Show all available analyzers with their activation requirements.

```bash
skill-scanner list-analyzers
```
## skill-scanner validate-rules

Validate rule signatures for correctness.

```bash
skill-scanner validate-rules [OPTIONS]
```

| Flag | Description |
|---|---|
| --rules-file PATH | Path to custom rules to validate |

```bash
# Validate built-in rules
skill-scanner validate-rules

# Validate custom rules
skill-scanner validate-rules --rules-file /path/to/custom
```
## skill-scanner-api

Start the REST API server.

```bash
skill-scanner-api [OPTIONS]
```

| Flag | Description | Default |
|---|---|---|
| --host | Bind address | localhost |
| --port | Port number | 8000 |
| --reload | Enable auto-reload for development | Off |

```bash
skill-scanner-api --host 127.0.0.1 --port 9000
```

See the API Reference for endpoint documentation.
## skill-scanner-pre-commit

Manage the pre-commit hook.

```bash
skill-scanner-pre-commit install    # Install the hook
skill-scanner-pre-commit uninstall  # Remove the hook
```

The hook scans the skill directories that have staged changes and blocks the commit when findings at or above the configured severity threshold are present. Configure it via `.skill_scannerrc`, `.skill_scannerrc.json`, or `skill_scanner.json`:

| Option | Default | Description |
|---|---|---|
| severity_threshold | "high" | Block commits at this severity or above |
| skills_path | ".claude/skills" | Base path for skills under the repo root |
| fail_fast | true | Stop on first skill exceeding threshold |
| use_behavioral | false | Enable behavioral analyzer |
| use_trigger | true | Enable trigger specificity analyzer |
| policy | — | Preset name or path to custom policy YAML |
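To make the hook's behaviour concrete, here is an added example (not the `skill-scanner-pre-commit` implementation) that does the three things the paragraph above describes: load the hook configuration with the documented defaults, work out which skill directories under `skills_path` the staged files belong to, and select the findings that sit at or above `severity_threshold`. Two details are assumptions because the page does not state them: the three config files are tried in the order listed and the first one found wins, and severities are ordered low < medium < high < critical (the page only names "high" as a default). The sample staged paths and findings are constructed.

```python
"""Pre-commit hook helper: config with documented defaults, staged-path to
skill-directory mapping, and the at-or-above-threshold check.

Added example, not skill-scanner-pre-commit's own code. Assumptions:
- the three config files are tried in the order the page lists them and the
  first one present wins (the page states no precedence);
- severities rank low < medium < high < critical (only "high" is named on
  the page).
"""
import json
import subprocess
from pathlib import Path, PurePosixPath

CONFIG_FILES = (".skill_scannerrc", ".skill_scannerrc.json", "skill_scanner.json")

# Defaults exactly as documented in the hook option table.
DEFAULTS = {
    "severity_threshold": "high",
    "skills_path": ".claude/skills",
    "fail_fast": True,
    "use_behavioral": False,
    "use_trigger": True,
    "policy": None,
}

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}  # assumed ordering


def parse_config(text: str) -> dict:
    """Merge a JSON config document over the documented defaults."""
    cfg = dict(DEFAULTS)
    cfg.update(json.loads(text))
    return cfg


def load_config(repo_root) -> dict:
    """Read the first config file found under repo_root, else return defaults."""
    root = Path(repo_root)
    for name in CONFIG_FILES:
        path = root / name
        if path.is_file():
            return parse_config(path.read_text())
    return dict(DEFAULTS)


def staged_skill_dirs(staged_paths, skills_path: str) -> set[str]:
    """Map staged file paths (as printed by `git diff --cached --name-only`)
    to the skill directories directly under skills_path.

    A file directly in skills_path (e.g. a README) belongs to no skill and is
    ignored; anything outside skills_path is not the hook's concern.
    """
    base = PurePosixPath(skills_path)
    skills = set()
    for p in staged_paths:
        try:
            rel = PurePosixPath(p).relative_to(base)
        except ValueError:
            continue  # not under the skills tree
        if len(rel.parts) >= 2:  # needs at least <skill>/<file>
            skills.add(str(base / rel.parts[0]))
    return skills


def blocking_findings(findings, threshold: str) -> list:
    """Findings at or above the threshold. A severity the ranking does not
    know is treated as blocking rather than silently waved through."""
    limit = SEVERITY_RANK[threshold]
    return [f for f in findings if SEVERITY_RANK.get(f["severity"], limit) >= limit]


def git_staged_paths(repo_root) -> list[str]:
    """Staged paths from git; only used when run inside a real repository."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only"],
        cwd=repo_root, capture_output=True, text=True, check=True,
    ).stdout
    return out.splitlines()


# Constructed sample input (not real repository state or scanner output).
SAMPLE_STAGED = [
    ".claude/skills/deploy/SKILL.md",
    ".claude/skills/deploy/scripts/run.sh",
    ".claude/skills/lint/SKILL.md",
    ".claude/skills/README.md",
    "src/app.py",
]
SAMPLE_FINDINGS = [
    {"skill": ".claude/skills/deploy", "severity": "medium"},
    {"skill": ".claude/skills/deploy", "severity": "high"},
    {"skill": ".claude/skills/lint", "severity": "critical"},
]

if __name__ == "__main__":
    cfg = load_config(".")
    print("skills to scan:", sorted(staged_skill_dirs(SAMPLE_STAGED, cfg["skills_path"])))
    blocking = blocking_findings(SAMPLE_FINDINGS, cfg["severity_threshold"])
    print(f"{len(blocking)} finding(s) at or above {cfg['severity_threshold']}; commit blocked: {bool(blocking)}")
```

With the defaults, the constructed staging area resolves to two skills (`deploy` and `lint`; the top-level README and `src/app.py` are ignored), and two of the three sample findings are at or above `high`, so the commit would be blocked. Setting `"severity_threshold": "critical"` in one of the config files lifts the bar so that only the `lint` finding blocks; `fail_fast` would additionally stop the hook at the first skill that crosses it.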
## Exit Codes

| Code | Meaning |
|---|---|
| 0 | Scan completed, no findings at or above the threshold |
| 1 | Findings at or above the --fail-on-severity threshold detected |
| 2 | Error during scan (invalid path, configuration error, etc.) |
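The CI/CD examples under `scan` and `scan-all` combine `--format sarif --output results.sarif` with `--fail-on-severity`, and the exit code table above is what a pipeline should key its decision on. The following added wrapper (not part of the skill-scanner project) runs the `scan-all` gate, interprets the three documented exit codes, treats any other code as a failure, and summarises the SARIF report for the job log. It assumes `skill-scanner` is on `PATH` (only for `run_gate()`) and that the report is standard SARIF 2.1.0 (`runs[].results[].level` and `ruleId`); how skill-scanner maps its own severities onto SARIF levels is not documented on this page, so the summary groups by SARIF level only and the pass/fail decision comes from the exit code, not from the report. The embedded SARIF document is constructed, not real scanner output.

```python
"""CI gate around `skill-scanner scan-all`: run the scan, interpret the
documented exit codes, and summarise the SARIF report.

Added example, not part of the skill-scanner project. Assumptions:
- skill-scanner is on PATH (needed only by run_gate(), not by the helpers);
- the report is SARIF 2.1.0 (runs[].results[].level / ruleId). The mapping
  from skill-scanner severities to SARIF levels is not documented on this
  page, so the summary groups by SARIF level and the gate trusts the exit code.
"""
import json
import subprocess
import sys
from collections import Counter
from pathlib import Path

# Exit codes exactly as documented in the Exit Codes table.
EXIT_MEANING = {
    0: "clean: no findings at or above the threshold",
    1: "blocked: findings at or above the --fail-on-severity threshold",
    2: "error: scan did not complete (invalid path, configuration error, ...)",
}


def interpret_exit_code(code: int) -> tuple[str, bool]:
    """Return (human-readable meaning, fail_pipeline).

    Anything other than 0 fails the job, including codes the table does not
    list (a killed or crashed scanner must not look like a clean pass).
    """
    meaning = EXIT_MEANING.get(code, f"unexpected exit code {code}")
    return meaning, code != 0


def summarize_sarif(sarif_text: str) -> dict:
    """Count SARIF results per level and collect the rule ids that fired."""
    doc = json.loads(sarif_text)
    levels = Counter()
    rules = set()
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            # SARIF 2.1.0: a result with no explicit level defaults to "warning".
            levels[result.get("level", "warning")] += 1
            if "ruleId" in result:
                rules.add(result["ruleId"])
    return {"total": sum(levels.values()), "by_level": dict(levels), "rules": sorted(rules)}


def run_gate(skills_dir, report: str = "results.sarif", threshold: str = "high") -> int:
    """Run the scan-all CI gate from the page and return the job's exit status."""
    cmd = [
        "skill-scanner", "scan-all", str(skills_dir), "--recursive",
        "--format", "sarif", "--output", report,
        "--fail-on-severity", threshold,
    ]
    proc = subprocess.run(cmd)
    meaning, fail = interpret_exit_code(proc.returncode)
    print(f"skill-scanner exited {proc.returncode}: {meaning}")
    path = Path(report)
    if path.exists():  # an exit code 2 run may leave no report behind
        s = summarize_sarif(path.read_text())
        print(f"{s['total']} result(s) by level: {s['by_level']}; rules: {', '.join(s['rules'])}")
    return 1 if fail else 0


# Constructed SARIF document for demonstration (not real skill-scanner output).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "constructed-scanner"}},
        "results": [
            {"ruleId": "constructed/rule-a", "level": "error",
             "message": {"text": "constructed finding 1"}},
            {"ruleId": "constructed/rule-b", "level": "error",
             "message": {"text": "constructed finding 2"}},
            {"ruleId": "constructed/rule-a",
             "message": {"text": "constructed finding 3, no level given"}},
        ],
    }],
})

if __name__ == "__main__":
    sys.exit(run_gate(sys.argv[1] if len(sys.argv) > 1 else "./skills"))
```

Run it as `python gate.py ./skills` in the pipeline step; the job fails on exit code 1 (findings) and on exit code 2 (the scan itself broke), and the SARIF summary is printed only when a report was actually written, so a configuration error cannot be mistaken for a clean run.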