Security scanner for AI agent skills and instruction artifacts

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for bvkr from gravatar.com bvkr

Unverified details

These details have not been verified by PyPI
Meta
  • Author: skill-scanner
  • Requires: Python >=3.11
  • Provides-Extra: all , openai , virustotal
Report project as malware

Project description

skill-scanner

skill-scanner reviews AI skill and instruction artifacts for security risk using:

  • OpenAI analysis
  • VirusTotal analysis

Requirements

  • Python 3.11+
  • uv
  • OpenAI and/or VirusTotal API key (at least one)

Install (from source)

uv sync --all-extras --group dev

Run with:

uv run skill-scanner --help

Alias:

uv run skillscan --help

What gets scanned

By default, discover and scan detect common skill/instruction files (for example SKILL.md, AGENTS.md, *.instructions.md, *.prompt.md, .mdc, and related artifacts).

Use --path to target a specific file or folder.

Quick start

# See targets
uv run skill-scanner discover --format json

# Verify key/model configuration
uv run skill-scanner doctor

# Run a combined scan (if both keys are configured)
uv run skill-scanner scan --format summary

Key configuration and analyzer selection

scan requires at least one analyzer enabled.

  • If only OPENAI_API_KEY is available, AI runs and VT is disabled.
  • If only VT_API_KEY is available, VT runs and AI is disabled.
  • If both keys are available, VT findings are included and VT context is passed into AI analysis.
  • You can disable either analyzer with --no-ai or --no-vt.

API key safety

Never commit API keys. This repository ignores .env by default.

Option 1: Shell environment variables

export OPENAI_API_KEY="..."
export VT_API_KEY="..."
uv run skill-scanner scan --format summary

Option 2: Local .env file

OPENAI_API_KEY=...
VT_API_KEY=...

Then run:

uv run skill-scanner doctor
uv run skill-scanner scan --format summary

Option 3: 1Password secret references (recommended)

Use 1Password secret references instead of plaintext secrets in .env:

OPENAI_API_KEY=op://Engineering/OpenAI/api_key
VT_API_KEY=op://Engineering/VirusTotal/api_key

Run the scanner through 1Password CLI so references are resolved at runtime:

op run --env-file=.env -- uv run skill-scanner scan --format summary

Security best practice:

  • Prefer a 1Password Service Account scoped to only the vault/items required for scanning (least privilege).

Reference:

Output formats

scan --format supports:

  • table (default)
  • summary
  • json
  • sarif

You can write output to a file with --output <path>.

Useful commands

# List providers
uv run skill-scanner providers

# Scan one path only
uv run skill-scanner scan --path ./some/skill/folder --format summary

# Filter to medium+
uv run skill-scanner scan --min-severity medium --format summary

# Non-zero exit if high+ findings exist
uv run skill-scanner scan --fail-on high --format summary

Exit behavior

  • 0: scan completed and fail threshold not hit
  • 1: --fail-on threshold matched
  • 2: no analyzers enabled (for example missing keys combined with flags)

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for bvkr from gravatar.com bvkr

Unverified details

These details have not been verified by PyPI
Meta
  • Author: skill-scanner
  • Requires: Python >=3.11
  • Provides-Extra: all , openai , virustotal

Release history Release notifications | RSS feed

0.3.2

0.3.1

0.3.0

0.2.4

0.2.3

0.2.2

0.2.1

0.2.0

0.1.7

0.1.6

0.1.5

0.1.4

0.1.3

0.1.2

0.1.1

This version

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

skill_scanner-0.1.0.tar.gz (126.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

skill_scanner-0.1.0-py3-none-any.whl (28.7 kB view details)

Uploaded Python 3

File details

Details for the file skill_scanner-0.1.0.tar.gz.

File metadata

  • Download URL: skill_scanner-0.1.0.tar.gz
  • Upload date:
  • Size: 126.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for skill_scanner-0.1.0.tar.gz
Algorithm Hash digest
SHA256 0091a148b249107eef1f777b75c539655e0ced1433d89a719d822626278a59f9
MD5 4042247ddf33fa03dd5a8d9b498f0ac1
BLAKE2b-256 b693278a50f483fe3ace1f8c35bca454254887a4dcf7dcd0a50aa9c320f0895f

See more details on using hashes here.

Provenance

The following attestation bundles were made for skill_scanner-0.1.0.tar.gz:

Publisher: release.yml on thedevappsecguy/skill-scanner

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file skill_scanner-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: skill_scanner-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 28.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for skill_scanner-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 b88ed95dcc7969e3d222ad49384962028377d5d212d61498c4157b977a08743f
MD5 352c6d64e91922466cc5247f493b56ba
BLAKE2b-256 43d45b8cf1396b6f1b891b5b2e0e9eee2656cbad9adbc9b9a6016a3b641a6f7d

See more details on using hashes here.

Provenance

The following attestation bundles were made for skill_scanner-0.1.0-py3-none-any.whl:

Publisher: release.yml on thedevappsecguy/skill-scanner

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page