SkillRisk
Security scanner for Claude Code & MCP skills.
5 followers
Security scanner for Claude Code & MCP skills.
5 followers
SkillRisk is a static security analyzer designed for AI Agent Skills (focusing on Claude Code & MCP). It parses skill definitions (JSON/YAML) to instantly detect: π‘οΈ Privilege Escalation: Spots unchecked sudo or root access. π Injection Risks: Finds arguments vulnerable to command injection. π΅οΈ Malicious Hooks: Identifies hidden execution scripts (like PreToolUse hijacking). 100% Local-First & Static. We don't execute your code; we audit it. Secure your Agent workflow in seconds.
Hi Product Hunt! π
Iβm the maker of SkillRisk.
I built this tool after hearing a horror story: A developer installed a "Pro Color Picker" skill for their agent. It looked innocent, but hidden in version 2.1 was a background thread scanning for AWS keys. It spun up 200 GPU instances and cost them $54,000 in a single weekend. πΈ
It hit me: We treat AI "Skills" like innocent plugins, but they are actually executable code with access to our shell and files.
With the rise of Claude Code and MCP (Model Context Protocol), we need a way to audit these tools before we run them.
SkillRisk is essentially an antivirus for your Agent's skills.
We analyze your skill definitions (static analysis) to catch:
Malicious Hooks: Like PreToolUse scripts that hijack your terminal.
Privilege Escalation: Why does a weather tool need rm -rf access?
Supply Chain Attacks: Hidden post-install scripts.
π Privacy Note: The scanner is "Local-First." It runs in-memory, and we don't store your uploaded code.
We have a Free Tier (3 scans/month) so everyone can stay safe.
I'd love to know: How do you currently vet the tools you give to your AI agents?
Thanks for checking it out! π