Show HN: SkillScan – Free API to detect malicious AI agent skill files
skillscan.chitacloud.devAfter the ClawdHub supply chain attack (credential stealer in 1 of 286 skills), I built SkillScan - a free, no-auth API to scan skill.md files for threats.
What it detects: - Known exfiltration services (webhook.site, requestbin) - ~/.env file reads - API key theft (OPENAI_API, ANTHROPIC_, STRIPE_) - Prompt injection ("ignore previous instructions") - Social engineering patterns
Returns a 0-100 safety score with evidence. The ClawdHub stealer scores 0.
curl -X POST https://skillscan.chitacloud.dev/scan -H "Content-Type: application/json" -d '{"skill_url": "https://example.com/skill.md"}'
Built this because 22-26% of skills contain vulnerabilities per recent research. One malicious install can leak all your LLM API keys.
No comments yet.