When you install an AI agent skill, you're running code pulled from GitHub at HEAD with no signing, versioning, or scanning. Vett scans every skill before it reaches your machine: static analysis, exfiltration chain detection, OSV dependency checks, and Sigstore signing. Early scans have already turned up malware disguised as Google and LinkedIn tools, and skills with thousands of installs that quietly modify your agent's own configuration files.

vett: Scan, sign, and verify AI agent skills before installing
Sean Drumm left a comment
Hey Product Hunt 👋 When you install an AI agent skill, you're trusting a GitHub repo you've never audited, pulled at HEAD with no signing, scanning, or versioning. I took an official skill, added a few lines to exfiltrate environment variables and shell history to a remote server, and installed it into Claude Code and Codex. Both ran the script without question. How Vett works: The static...

