AI Agent Security

AI Agent Skill Check is a free AI agent skill security scanner by Mondoo. We scan skills across ClawHub, Skills.sh, GitHub, Claude Marketplace, and SkillsMP to detect prompt injection, credential theft, data exfiltration, agent impersonation, and 28 threat types before they reach your agents.

© 2026 Mondoo, Inc.

Frequently Asked Questions

What is an AI agent skill?
An AI agent skill is a plugin or extension that gives AI assistants (like Claude, OpenAI Codex, or MCP-compatible agents) new capabilities. Skills can read files, execute commands, access APIs, and interact with external services, making them a significant attack surface if malicious.

How does Skill Check detect malicious skills?
Skill Check uses a 6-layer analysis pipeline:
  • Layer 1 performs static analysis with pattern matching rules, shell taint tracking, archive expansion, and binary detection.
  • Layer 2 uses an ML classifier for prompt injection detection.
  • Layer 3 runs LLM-powered threat analysis with behavior mismatch detection.
  • Layer 4 performs deep inspection for complex or ambiguous threats.
  • Layer 5 filters false positives across all prior layers.
  • Layer 6 generates human-readable verdicts with MITRE ATLAS and OWASP LLM Top 10 mapping.

What threat categories does the scanner cover?
We detect 28 threat subcategories across 6 trap classes:
  • Content Injection (prompt injection, obfuscation, CJK injection, homoglyphs)
  • Semantic Manipulation (social engineering, description mismatch)
  • Cognitive State (RAG poisoning, memory poisoning)
  • Behavioural Control (command execution, credential theft, SSRF, financial actions)
  • Systemic (agent impersonation, autonomy abuse)
  • Human-in-the-Loop (approval fatigue)

How often are skills re-scanned?
Skills are scanned continuously as they are published or updated across monitored registries. New or changed skills are processed automatically.

Is Skill Check free to use?
Skill Check is free for non-commercial use — browsing scan results, searching skills, viewing risk assessments, and running the CLI. The web dashboard, REST API, and CLI tool are all available at no cost. Automated scraping or bulk data extraction is not permitted. For commercial use or API integration, please contact us.

How do I scan my machine for malicious skills?
Run npx @mondoohq/skillcheck in your terminal. It automatically detects installed AI agent skills across 25+ agents, computes SHA-256 checksums, and checks them against Mondoo AI agent skill threat intelligence. See the CLI documentation for full usage details.

What agents does skillcheck support?
skillcheck supports 25+ AI agents including Claude Code, Cursor, OpenAI Codex, Gemini CLI, GitHub Copilot, Windsurf, Goose, Continue, Cline, Kiro, Roo, Trae, Augment, OpenHands, and more. It detects skills, plugins, MCP servers, and rules across all supported agents.

Can I use skillcheck in CI/CD?
Yes. skillcheck exits with code 1 when critical or high-risk skills are found, making it easy to use as a gate. Use npx @mondoohq/skillcheck --json for machine-readable output in any CI pipeline.
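A fail-closed CI gate built on the exit-code behaviour described above, as an added example that is not Mondoo's own code. The skill_gate function, the gate.sh and skillcheck-report.json file names, and the handling of an empty report or of exit codes other than 0 and 1 as an incomplete scan are assumptions, not documented skillcheck behaviour.

```shell
#!/bin/sh
# Added example (not from the skillcheck project): a fail-closed CI gate.
# Documented on this page: exit code 1 = critical or high-risk skills found,
# and --json gives machine-readable output. Everything else here is assumed.

REPORT="${REPORT:-skillcheck-report.json}"   # hypothetical artifact name

# skill_gate CMD [ARGS...]
# Runs the scanner command, keeps its stdout as a build artifact, and maps
# the result to a gate decision: 0 = pass, 1 = blocked, 2 = scan incomplete.
skill_gate() {
    scan_rc=0
    # stdout goes to the report; stderr stays in the CI log for triage.
    "$@" > "$REPORT" || scan_rc=$?

    case "$scan_rc" in
        0)
            # Assumption: a completed --json scan always prints a report,
            # so a silent success is treated as a scan that never ran.
            if [ ! -s "$REPORT" ]; then
                echo "gate: scanner exited 0 but wrote no report; failing closed" >&2
                return 2
            fi
            echo "gate: no critical or high-risk skills reported"
            return 0
            ;;
        1)
            # A tooling failure that also exits 1 lands here too, which
            # still blocks the build (the safe direction).
            echo "gate: critical or high-risk skills found, see $REPORT" >&2
            return 1
            ;;
        *)
            # Assumption: any other code means the scan did not complete
            # (e.g. npx could not start). Do not read that as "clean".
            echo "gate: scanner exited $scan_rc; failing closed" >&2
            return 2
            ;;
    esac
}

# Pipeline step usage: sh gate.sh npx @mondoohq/skillcheck --json
if [ "$#" -gt 0 ]; then
    skill_gate "$@"
    exit $?
fi
```

Archiving the report file as a build artifact keeps the evidence for a blocked build available for triage after the job ends.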
How do I report a malicious skill?
You can submit any skill URL for scanning via the search bar on the homepage or the REST API. If you find a skill that should be flagged, contact us through the form on any skill detail page.