How we scan every skill
Every skill uploaded to Agensi goes through an automated 8-point security scan before a human ever sees it. Here is what we check and why.
A SKILL.md file is not just documentation. It is an instruction set that your AI agent will execute with your permissions. That means access to your terminal, your files, your environment variables, and any API keys in your session. Installing an unvetted skill is no different from running untrusted code. We scan every skill before it goes live so you do not have to read every line yourself.
File Structure Validation
We verify the zip contains a valid SKILL.md with proper YAML frontmatter. We also check for unusual file counts and oversized files that could indicate bundled payloads. A clean skill should be lightweight.
File Type Screening
We scan every file in the zip and flag anything that should not be there. Skills are instruction sets, not executables. Binary files, compiled code, and suspicious file types are flagged or blocked.
Dangerous Command Patterns
We scan all text files for command patterns that could damage your system. This includes destructive file operations, piping remote scripts directly to your shell, privilege escalation, and disk-level operations. Patterns are matched across multiple languages and shell syntaxes.
Secrets Detection
We check for hardcoded API keys, private key material, authentication tokens, and connection strings with embedded credentials. A well-built skill should never contain secrets. If it does, something is wrong.
Environment Variable Harvesting
We look for skills that read an unusually high number of environment variables, or that reference sensitive variables near network calls. A skill that reads your STRIPE_SECRET and then makes an HTTP request is not debugging your project.
Network Access Audit
We identify every outbound URL and domain referenced in the skill. Network access is not inherently bad, but it should be transparent. We flag patterns that suggest data is being sent to external endpoints without the user's knowledge.
Obfuscation Detection
We look for intentionally obscured code: long encoded strings, eval chains, heavy string manipulation designed to hide what the code actually does. Legitimate skills do not need to hide their instructions.
Prompt Injection Screening
We scan for instructions that attempt to manipulate the AI agent itself. This includes instructions to ignore previous guidelines, hide actions from the user, suppress output, or exfiltrate data without user knowledge. These patterns are the SKILL.md equivalent of social engineering.
How scoring works
Each skill starts at 100 points. Failed checks deduct points based on severity. Warning-level findings (things that are suspicious but not definitively malicious) deduct fewer points than outright failures. The final score determines the overall status:
No critical issues found. The skill is safe to use.
No critical failures, but some findings that deserve attention. The skill may be safe but has patterns worth reviewing.
One or more critical issues detected. The skill requires extra scrutiny before approval.
Automated scanning is not enough
After the automated scan, every skill goes through a manual review by an Agensi admin. We check for quality, accuracy, and policy compliance. The scanner catches patterns. Humans catch intent. Both layers are required before a skill goes live.
Why we do not publish our detection rules
We are transparent about what we check, but we do not publish the specific patterns, thresholds, or regex rules used by the scanner. Publishing detection rules makes it easier for bad actors to craft skills that pass the scan while still being malicious. This is the same approach used by antivirus vendors, email spam filters, and code analysis platforms. If you have questions about a specific scan result, contact us at info@agensi.io.
Want to try a scanned skill? Browse the marketplace.
Discover Skills