Open source security scanner

Your AI tools can read your files. Do you trust them?

SafeSkill scans AI skills for code exploits and prompt injection before you install. Know what you're running.

Three layers of protection

Every package is analyzed through our multi-layer engine that catches what manual review misses.

Code Analysis

AST-based static analysis with taint tracking. Traces data from sensitive sources to network sinks across files.

Filesystem access, Network calls, Env variables, Process spawn, Obfuscation, Install scripts, Dynamic require, Crypto usage

Prompt Injection

Detects manipulation attempts hidden in skill definitions, README files, and content templates.

Instruction override, Hidden text, Data exfiltration, Tool abuse, Persona hijack, CoT manipulation, Delimiter escape, Indirect injection

Instant Results

Full analysis completes in under 3 seconds. No waiting, no sign-up, no cost. Just paste a package name.

Under 3 seconds, No account required, Free forever, Open source

Scan from your terminal

One command. No install required. Scan any npm package or MCP server and get a full security report in seconds.

Terminal
$ npx skillsafe scan @modelcontextprotocol/server-filesystem

Scanning package...

Score: 92/100 Verified Safe

Code: 94 | Content: 90

Findings: 2 low severity

8 Code detectors
8 Prompt detectors
<3s Scan time
100% Open source

The AI supply chain has a trust problem

MCP servers and AI skills run with your permissions. They can read your files, access your API keys, and make network requests. Most developers install them without a second thought.

10K+ Packages indexed
23% Had prompt injection risks
67% Access filesystem without disclosure

Stop trusting. Start verifying.

Scan your first package in under 10 seconds. No sign-up required.