Every SKILL.md file on SkillsAuth passes through a 4-layer security scanning pipeline before it is published. Skills that fail any layer are quarantined and never shown on the marketplace.
Why This Matters
SKILL.md files are instruction files that AI agents execute. A malicious skill could inject prompts, steal credentials, or poison tool behavior. SkillsAuth is the only marketplace that security-verifies every skill before publishing.
Detects prompt injection attacks, credential theft patterns, and tool poisoning in SKILL.md instruction files.
Static analysis with custom SKILL.md rules. Catches suspicious shell commands, encoded payloads, and unsafe file operations.
Scans for embedded secrets, misconfigurations, and known CVEs in skill content and any referenced dependencies.
Submits skill content to 72+ antivirus and malware detection engines for comprehensive threat analysis.
Skills that pass all 4 layers receive a “Verified” badge displayed on their skill page. Each scanner's individual result is shown in the scan panel, giving developers full transparency into what was checked and the outcome.
On SkillsAuth, yes. Every skill passes 4 security layers before publishing. Skills from other sources have not been verified.
It is quarantined immediately and never shown on the marketplace. The repository owner is not notified — the skill simply doesn't appear.
Skills are scanned on initial sync and whenever the source content changes on GitHub. The daily change sweep detects updates automatically.
Yes. Every skill page shows individual scanner results with status, confidence, and findings count.