Analysis updated 2026-05-18
Scan a new AI agent skill for hidden malicious behavior before publishing it.
Run a batch scan across many skills to flag which ones need closer review.
Catch runtime only threats like data exfiltration that static code review would miss.
| fangcun-ai/skillward | nolanx-ai/nolanx.ai | vibeforge1111/vibeship-scanner | |
|---|---|---|---|
| Stars | 123 | 123 | 123 |
| Language | Python | Python | Python |
| Last pushed | — | — | 2026-03-04 |
| Maintenance | — | — | Maintained |
| Setup difficulty | moderate | hard | easy |
| Complexity | 4/5 | 4/5 | 2/5 |
| Audience | ops devops | general | vibe coder |
Figures from each repo's GitHub metadata at analysis time.
Sandbox stage needs Docker installed and configured LLM provider keys.
SkillWard is a security scanner built to check AI agent skills, the plugins or add on tools that AI agents can install and run, for malicious behavior before they get published or deployed. The project points to research showing that running several existing scanners on the same set of skills produced wildly inconsistent results, with agreement across all of them in only a tiny fraction of cases, which suggests current tools alone are not reliable enough. To address this, SkillWard uses three stages. The first stage runs static analysis, scanning a skill's code and configuration files with pattern matching rules that catch known attack signatures such as credential theft attempts, code injection, hidden files, and obfuscated payloads. The second stage uses an AI language model to reason about what a skill is actually trying to do, and assigns it a safety confidence score. Skills that remain uncertain after these first two stages move to a third stage, where SkillWard actually runs the skill inside an isolated Docker container with no access to the outside network, and watches its real behavior as it executes. Fake planted credentials act as bait, drawing out any skill that tries to steal data, hide a backdoor, or perform a supply chain attack that would otherwise only appear once the code is actually running. Testing against five thousand real world skills found that roughly a quarter were flagged as unsafe, and among the suspicious ones sent through to the sandbox, about a third revealed genuine runtime threats that scanners relying only on code review missed entirely. The tool ships with its own web interface, supports scanning a single skill or a whole batch at once, offers three separate scan modes of differing depth, and produces reports pointing to specific files along with suggested fixes. It is released under the Apache 2.0 license.
A three stage security scanner that checks AI agent skills for malicious behavior before they are published.
Mainly Python. The stack also includes Python, Docker, YARA.
Free to use, modify, and distribute, including commercially, as long as you keep the copyright notice.
Setup difficulty is rated moderate, with roughly 30min to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
Verify against the repo before relying on details.