Show HN: I scan AI agent skills for prompt injection before you install them

I built this because I was mass copy-pasting skills between Claude Code, Cursor, and Codex. Every agent has its own skills directory, its own format, and no way to sync them.

Skulto: - Installs via symlinks — one source of truth, updates propagate instantly - Security scanner with 35+ patterns (prompt injection, jailbreaks, data exfil) - Offline-first after initial sync, pure-Go binary (no CGO, no libsqlite3) - MCP server so Claude Code can search/install skills without leaving the terminal

The scanner isn't grep-for-bad-words.

200+ curated skills indexed. Supports Claude Code, Cursor, Windsurf, Copilot, Codex, and 25+ others.

Install: brew install asteroid-belt/tap/skulto

Happy to answer questions about the architecture or the security patterns.