https://github.com/mondoohq/skillcheck
Scan your machine for malicious AI agent skills — supports Claude Code, OpenAI Codex, and more.
- Host: GitHub
- URL: https://github.com/mondoohq/skillcheck
- Owner: mondoohq
- License: apache-2.0
- Created: 2026-04-15T20:21:28.000Z (about 2 months ago)
- Default Branch: main
- Last Pushed: 2026-04-19T16:20:34.000Z (about 1 month ago)
- Last Synced: 2026-04-19T22:02:04.059Z (about 1 month ago)
- Topics: agent-skills, ai-security, claude-code, devsecops, mondoo, openai-codex, prompt-injection, security-scanner, supply-chain-security
- Language: Go
- Homepage: https://mondoo.com/ai-agent-security
- Size: 626 KB
- Stars: 2
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# skillcheck
Scan your machine for malicious AI agent skills in seconds.
```bash
npx @mondoohq/skillcheck
```

skillcheck detects locally installed AI agent skills, computes SHA-256 checksums, and checks them against the [Mondoo AI Agent Security](https://mondoo.com/ai-agent-security) database — covering prompt injection, credential theft, data exfiltration, and 25+ other threat categories across 1,200+ known skills.
## Supported Agents
| Agent | What's Detected |
|-------|-----------------|
| [Claude Code](https://docs.anthropic.com/en/docs/claude-code) | skills, plugins, MCP servers |
| [OpenAI Codex](https://openai.com/index/introducing-codex/) | skills, plugins, MCP servers |

More agents (Cursor, GitHub Copilot, Goose, Gemini CLI, Windsurf, Zed) are coming soon.
## Usage
```bash
# Scan all detected agents
npx @mondoohq/skillcheck
# JSON output for CI/CD pipelines
npx @mondoohq/skillcheck --json
# Verbose output with full hashes and report URLs
npx @mondoohq/skillcheck --verbose
```
### CI/CD Integration
skillcheck exits with code **1** when critical or high-risk skills are found, making it easy to use as a gate:
```yaml
# GitHub Actions
- run: npx @mondoohq/skillcheck
```
```bash
# Any CI pipeline
npx @mondoohq/skillcheck --json --no-color
```
### Other Install Methods
```bash
# Install globally via npm
npm i -g @mondoohq/skillcheck
```
Binaries for macOS, Linux, and Windows are also available on [GitHub Releases](https://github.com/mondoohq/skillcheck/releases).
## What Gets Checked
For each detected agent, skillcheck:
1. Discovers installed skills, plugins, MCP servers, and rules
2. Computes a SHA-256 content hash for each skill
3. Queries the [Mondoo skill database](https://mondoo.com/ai-agent-security/skills) for known threats
4. Reports findings with severity, summary, and a link to the full security report

Skills that aren't in the database yet show as clean: skillcheck fails open and never blocks your workflow. A clean result therefore means "no known match", not "analyzed and found safe".
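
Because unknown skills report as clean, a team can also keep its own baseline of reviewed content hashes and flag anything unreviewed or changed. The following is an added example, not skillcheck's code: the hash layout, `HashSkillDir`, `Classify` and the baseline map are assumptions for illustration, since this page does not describe how skillcheck computes its content hash.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// HashSkillDir hashes each regular file under dir as: slash-separated relative
// path, NUL, byte length, NUL, content. Illustrative layout, not skillcheck's.
func HashSkillDir(dir string) (string, error) {
	fsys, h := os.DirFS(dir), sha256.New()
	err := fs.WalkDir(fsys, ".", func(p string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err // propagate walk errors; skip directories and symlinks
		}
		data, err := fs.ReadFile(fsys, p)
		if err != nil {
			return err
		}
		fmt.Fprintf(h, "%s\x00%d\x00", p, len(data)) // WalkDir order is lexical, so stable
		h.Write(data)
		return nil
	})
	return hex.EncodeToString(h.Sum(nil)), err
}

// Classify compares a digest with a reviewed baseline (skill name -> hex digest).
func Classify(baseline map[string]string, name, digest string) string {
	if want, ok := baseline[name]; !ok {
		return "unreviewed" // never looked at: do not treat as safe
	} else if want != digest {
		return "changed" // content differs from what was reviewed
	}
	return "pinned"
}

func main() {
	baseline := map[string]string{} // hypothetical: load reviewed digests here
	for _, dir := range os.Args[1:] {
		if digest, err := HashSkillDir(dir); err != nil {
			fmt.Fprintln(os.Stderr, dir, err)
		} else {
			fmt.Println(Classify(baseline, filepath.Base(dir), digest), digest, dir)
		}
	}
}
```

Pass one or more skill directories as arguments; with an empty baseline every skill prints as `unreviewed`, which is the state the fail-open lookup cannot distinguish from clean.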
## Links
- [Mondoo AI Agent Security](https://mondoo.com/ai-agent-security)
- [Skill Database](https://mondoo.com/ai-agent-security/skills) — browse 1,200+ analyzed skills
- [Security Checks](https://mondoo.com/ai-agent-security/checks) — 25+ threat categories