MCP.so
Sign In
Servers

Skillaudit

@megamind-0x

πŸ›‘οΈ Security scanner for AI agent skills β€” detect credential stealers, exfiltration, and malicious patterns before install

Overview

What is Skillaudit?

Skillaudit is a security layer for AI agent skills that scans, gates, and enforces policy before an agent installs anything. It covers MCP and A2A protocols with 43 detection rules and 401 patterns, and has zero dependencies.

How to use Skillaudit?

Use the CLI via npx skillaudit (requires Node.js 18+) or call the HTTP API. For a quick gate check, run npx skillaudit gate <url> or curl to the /gate endpoint. Full scans, bulk checks, policy evaluation, and MCP server mode are also supported.

Key features of Skillaudit

  • 43 detection rules across 16 security categories.
  • Pre-install gate check returning allow/deny decisions.
  • Bulk evaluation of multiple skills in one call.
  • Custom policy enforcement with risk thresholds.
  • MCP server mode for native tool integration.
  • Zero-dependency CLI, runs via npx.

Use cases of Skillaudit

  • Preventing credential theft from AI agent skills.
  • Scanning MCP manifests for schema poisoning.
  • Enforcing security policies in CI/CD pipelines.
  • Auditing npm/PyPI packages for malicious code.
  • Gate-checking skills before installation in agent workflows.

FAQ from Skillaudit

What runtime does Skillaudit require?

The CLI requires Node.js 18+; the hosted API needs no local runtime.

What is the rate limit for the API?

30 requests per minute per IP; you can bypass it with an API key.

How does Skillaudit avoid false positives?

Smart context suppression automatically filters out documentation examples and placeholder tokens.

Can I self-host Skillaudit?

Yes, clone the repository, run npm install && npm start, and it listens on http://localhost:3847.

What transports does Skillaudit support?

It supports CLI (stdio), HTTP API, and MCP protocol (stdio) via --mcp flag.

Tags

More from Developer Tools