Sean Drumm

Badges

Tastemaker
Gone streaking

Forums

Sean Drumm

8h ago

vett - Scan, sign, and verify AI agent skills before installing

When you install an AI agent skill, you're running code pulled from GitHub at HEAD with no signing, versioning, or scanning. Vett scans every skill before it reaches your machine: static analysis, exfiltration chain detection, OSV dependency checks, and Sigstore signing. Early scans have already turned up malware disguised as Google and LinkedIn tools, and skills with thousands of installs that quietly modify your agent's own configuration files.