Scan Agent Skill packages for security threats using multi-agent AI analysis
Project description
Enkrypt AI Skill Sentinel
A security scanner for Agent Skill packages. Skill Sentinel uses multi-agent AI analysis to detect prompt injection, data exfiltration, command injection, malware, and other threats hiding in skill packages for Cursor, Claude Code, Codex, and OpenClaw.
Agent Skills extend AI coding assistants with custom instructions and scripts โ but they also create a new attack surface. A single malicious skill can steal credentials, inject hidden prompts, exfiltrate code, or execute arbitrary commands. Skill Sentinel catches these threats before they reach your agent.
Supported Platforms
 Cursor |
 Claude Code |
 Codex |
 OpenClaw |
and other agents |
Key Features
๐ Multi-Agent Security Pipeline
Specialized agents work together to analyze Skills from multiple angles โ manifest inspection, file verification, cross-referencing, and threat correlation.
๐ฆ Built-in Malware Detection
Automatic VirusTotal integration scans binary files (executables, archives, PDFs) for known malware before any LLM analysis begins.
๐ No Truncation Limits
Reads complete file contents without arbitrary cutoffs โ catching malicious instructions hidden deep in documentation where other scanners stop looking.
๐ Cross-File Threat Correlation
Detects sophisticated attacks that span multiple files by tracking data flows and verifying that script behavior matches documented claims.
๐ฏ AI Agent Attack Detection
Purpose-built for prompt injection, command injection, credential theft, and other threats specific to AI coding assistants.
โก Parallel Bulk Scanning
Scan entire directories of Skills concurrently with organized reports โ audit all your Cursor, Claude Code, Codex, and OpenClaw Skills in one command.
Installation
Requires Python >= 3.10, < 3.14.
From PyPI
pip install skill-sentinel
Or using uv (recommended):
uv pip install skill-sentinel
From Source
For development or local modifications:
# Clone the repository
git clone https://github.com/enkryptai/skill-sentinel.git
cd skill-sentinel
# Install with uv (recommended)
uv venv --python 3.13 .venv
source .venv/bin/activate
uv pip install -e .
# Or install with pip
pip install -e .
Quick Start
# 1. Export your OpenAI API key
export OPENAI_API_KEY="sk-..."
# 2. (Optional) Export your VirusTotal API key for binary malware scanning
export VIRUSTOTAL_API_KEY="your-vt-api-key"
# 3. Scan a skill directory
skill-sentinel scan /path/to/skill/directory
Alternatively, create a .env file in the project root instead of exporting variables:
cp .env.example .env
# Edit .env with your keys
Usage
skill-sentinel scan [provider] [OPTIONS]
Positional:
provider cursor / claude / codex / openclaw to auto-discover that
provider's skills, or omit to discover all.
Can also be a direct path to a skill directory.
Path flags (mutually exclusive):
--skill PATH Scan a single skill directory.
--dir PATH Scan all skill subdirectories inside a parent directory.
Options:
-o, --output PATH Single scan: output file (default: report.json).
Multi-scan: output directory (default: ./skill_sentinel_reports).
--parallel Scan multiple skills in parallel (5 concurrent).
-m, --model MODEL OpenAI model to use (default: gpt-4.1).
--api-key KEY OpenAI API key (prefer OPENAI_API_KEY env var).
-V, --version Show version and exit.
Examples
# Scan a single skill directory
skill-sentinel scan --skill ./my-skill
skill-sentinel scan --skill ./my-skill -o report.json
# Scan all skills inside a parent directory
skill-sentinel scan --dir ./all-my-skills/
skill-sentinel scan --dir ./all-my-skills/ -o ./reports/
# Scan in parallel (5 concurrent)
skill-sentinel scan --dir ./all-my-skills/ --parallel
# Auto-discover and scan ALL skills from cursor, claude, codex, and openclaw paths
skill-sentinel scan
# Auto-discover only Cursor skills, in parallel
skill-sentinel scan cursor --parallel
# Scan only Claude skills
skill-sentinel scan claude
# Custom output directory for auto-discovery
skill-sentinel scan codex -o ./my-reports/
# Use a different model
skill-sentinel scan --skill ./my-skill -m gpt-4o
Auto-Discovery
When no path is given (or a provider keyword is used), the scanner searches these well-known locations for skill directories containing a SKILL.md:
| Location | Scope |
|---|---|
.cursor/skills/ |
Project-level (Cursor) |
.claude/skills/ |
Project-level (Claude) |
.codex/skills/ |
Project-level (Codex) |
skills/ |
Agent workspace-level (OpenClaw) |
~/.cursor/skills/ |
User-level global (Cursor) |
~/.claude/skills/ |
User-level global (Claude) |
~/.codex/skills/ |
User-level global (Codex) |
~/.openclaw/skills/ |
User-level global (OpenClaw) |
Reports are saved as <provider>__<skill_name>.json in ./skill_sentinel_reports/ (or the directory specified with -o).
Programmatic Usage
from skill_sentinel.main import scan
report = scan("/path/to/skill", output_path="report.json", model="gpt-4.1")
print(report["overall_risk_assessment"]["skill_verdict"])
What It Does
The scanner performs a multi-step security analysis:
- File Discovery โ lists all files in the skill directory (static, no LLM).
- VirusTotal Binary Scan (optional) โ if binary files (executables, archives, images, PDFs, etc.) are found and a
VIRUSTOTAL_API_KEYis set, each binary is checked against VirusTotal's malware database via SHA-256 hash lookup. Results are passed to the report synthesizer. - SKILL.md Analysis โ an agent reads the SKILL.md manifest and instructions, looking for prompt injection, trust abuse, discovery abuse, and other threats.
- File Verification (conditional) โ if the skill contains scripts or referenced files beyond SKILL.md, a second agent reads each file and checks alignment with SKILL.md claims, searching for command injection, data exfiltration, hardcoded secrets, obfuscation, etc.
- Report Synthesis โ a final agent combines all findings (including VirusTotal results), filters false positives, prioritizes findings, and produces a structured JSON report.
Malware Scanning (VirusTotal)
If a VIRUSTOTAL_API_KEY environment variable is set, Skill Sentinel automatically scans binary files found in skill packages against VirusTotal's malware database. This runs before the agent pipeline โ no LLM calls are needed.
Supported binary types: executables (.exe, .dll, .so, .dylib, .bin), archives (.zip, .tar, .gz, .7z, .rar), documents (.pdf, .doc, .xls), images (.png, .jpg, .gif), JVM/WASM (.jar, .war, .wasm, .class), and more.
Getting a free API key: Sign up at virustotal.com โ the free tier allows 500 lookups/day, which is more than enough for skill scanning.
Output
The scanner writes a JSON report containing:
skill_pathโ absolute path to the scanned skill directoryvalidated_findingsโ confirmed threats with severity, evidence, remediationfalse_positivesโ dismissed findings with reasoningpriority_orderโ ranked list of finding IDscorrelationsโ related findings grouped togetherrecommendationsโ actionable next stepsreferencesโ VirusTotal scan links and other reference URLsoverall_risk_assessmentโ risk level, verdict (SAFE / SUSPICIOUS / MALICIOUS), reasoningtoken_usageโ LLM token usage metrics for the scan
Project Structure
skill_scanner_package/
โโโ pyproject.toml # Package build config
โโโ README.md
โโโ src/skill_sentinel/
โโโ __init__.py # Package version
โโโ cli.py # CLI entry point
โโโ main.py # Programmatic API
โโโ crew.py # Multi-agent crew definition
โโโ config/
โ โโโ agents.yaml # Agent definitions
โ โโโ tasks.yaml # Task definitions
โโโ data/
โ โโโ threat_categories.md # Threat taxonomy
โ โโโ report_schema.json # Output JSON schema
โโโ tools/
โโโ custom_tool.py # ReadFile & Grep tools
โโโ file_discovery.py # Static file listing
โโโ virustotal_tool.py # VirusTotal binary malware scanning
Environment Variables
| Variable | Description | Default |
|---|---|---|
OPENAI_API_KEY |
Your OpenAI API key (required) | โ |
OPENAI_MODEL_NAME |
Model to use for analysis | gpt-4.1 |
VIRUSTOTAL_API_KEY |
VirusTotal API key for binary malware scanning (optional) | โ |
Threat Categories
Skill Sentinel detects the following threat categories, mapped to OWASP Top 10 for LLM Applications 2025 and OWASP Top 10 for Agentic Applications:
| Category | Severity | Description |
|---|---|---|
| Prompt Injection | HIGHโCRITICAL | Override attempts, mode changes, policy bypass hidden in SKILL.md |
| Transitive Trust Abuse | HIGH | Instructions that delegate trust to external/untrusted data sources |
| Data Exfiltration | CRITICAL | Network calls that steal credentials, files, or environment variables |
| Command Injection | CRITICAL | Dangerous eval(), exec(), os.system(), shell injection |
| Hardcoded Secrets | CRITICAL | API keys, passwords, private keys embedded in code |
| Obfuscation | HIGH | Base64 blobs + exec, hex-encoded payloads, deliberately unreadable code |
| Unauthorized Tool Use | HIGH | Code that violates the skill's own allowed-tools declaration |
| Skill Discovery Abuse | HIGH | Brand impersonation, keyword baiting, misleading descriptions |
| Tool Chaining Abuse | HIGH | Multi-step workflows that read sensitive data then transmit it |
| Resource Abuse | MEDIUM | Infinite loops, unbounded memory allocation, recursive bombs |
| Autonomy Abuse | MEDIUM | Unsolicited activation, unbounded retries, no user confirmation |
| Over-Collection | MEDIUM | Disproportionate data access relative to stated purpose |
| Cross-Context Bridging | MEDIUM | Accessing data from other sessions, conversations, or workspaces |
| Dependency Risk | MEDIUM | Unpinned pip install, typosquatting, unknown GitHub repos |
| Malware | MEDIUMโCRITICAL | Binary files flagged by VirusTotal or unverifiable binaries |
Contributing
Contributions are welcome! To get started:
- Fork the repository
- Create a feature branch (
git checkout -b feature/my-feature) - Set up the development environment:
uv venv --python 3.13 .venv
source .venv/bin/activate
uv pip install -e .
- Make your changes
- Submit a pull request
License
This project is licensed under the Apache License 2.0.
Copyright 2025 Enkrypt AI, Inc.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file skill_sentinel-0.1.1.tar.gz.
File metadata
- Download URL: skill_sentinel-0.1.1.tar.gz
- Upload date:
- Size: 35.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
7a5f7348f52188fff7cddab13be5826e2a017852fee2be52067b628a1111ea0c
|
|
| MD5 |
31598f5a31411d151bff82e346aba818
|
|
| BLAKE2b-256 |
a0e88584b88d8a9f7ca8894c1e5ec2085c2e3543ccfdc37878fb6fa8fe9456a1
|
File details
Details for the file skill_sentinel-0.1.1-py3-none-any.whl.
File metadata
- Download URL: skill_sentinel-0.1.1-py3-none-any.whl
- Upload date:
- Size: 42.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4bf848dae466d7a00c2a5f8c1fd1c938834193c94ff81295aa99a3934749ddb4
|
|
| MD5 |
fed1edfb32ca2508839e8340117cf16c
|
|
| BLAKE2b-256 |
8e32230306522baf6a12521320b13d12eed023a29c4a595cca009b24f41604ed
|
