TL;DR: AI agent skill marketplaces — ClawHub, the Claude Code skill registry, Cursor's extension store, Windsurf plugins — have no mandatory security vetting. Three categories of tools have emerged to fill the gap: CLI-based static analyzers (Cisco), browser-based scanners (Repello SkillCheck), and manual audit frameworks. This post compares each, maps them to use cases, and explains which threats each one catches.

Why AI Agent Skill Security Is Now a Real Problem

Every major AI coding assistant and autonomous agent platform now supports installable third-party skills, plugins, or extensions. The terminology varies — OpenClaw calls them skills, Claude Code calls them skills, Cursor calls them agent skills or rules, Windsurf has similar extension support — but the security model is identical across all of them.

Third-party skill files are instruction sets that run inside an AI agent with elevated trust. When you install a skill, you are adding a new instruction source that the agent treats as authoritative — equivalent to a system prompt. The agent will follow those instructions alongside your own, often without surfacing the distinction to you.

The ClawHavoc campaign demonstrated what happens when this trust model meets a malicious actor at scale: 335 coordinated malicious skills across the ClawHub marketplace, targeting credentials, establishing reverse shells, and exfiltrating data through legitimate-looking agent behavior. CVE-2026-25253 added a one-click RCE vector that required no skill installation at all.

ClawHavoc targeted OpenClaw. The techniques work everywhere. Security tooling for this space is now necessary, not optional.

The Three Threat Categories Every Scanner Should Cover

Before comparing tools, it is worth being clear about what the threat landscape actually looks like. Three techniques account for the overwhelming majority of malicious skill behavior documented in 2026:

Prompt injection via skill descriptor files. The SKILL.md file (or equivalent in each platform) contains adversarial instructions embedded alongside legitimate ones. The agent follows them without distinguishing them from user intent. No code execution required — the attack surface is the natural language instruction layer itself. Documented in ClawHavoc, OpenClaw skills, and Claude Code skill audits.

Payload delivery via hidden scripts. Malicious skills package shell scripts, Python files, or binaries alongside the descriptor file, then instruct the agent to execute them during normal operation. Standard antivirus misses this because the trigger is the agent's instruction-following behavior, not direct binary execution.

Environment variable exfiltration. Instructions that cause the agent to read shell environment variables ($ANTHROPIC_API_KEY, cloud provider credentials, ~/.ssh paths) and transmit them externally — via URL parameters, API call payloads, or embedded in generated outputs. No subprocess, no binary — purely instruction-level.

A scanner that misses any of these three categories has a meaningful gap.

The Tools

Cisco AI Defense — skill-scanner

GitHub: cisco-ai-defense/skill-scanner (900+ stars, actively maintained) Type: CLI, Python package Install: pip install cisco-ai-skill-scanner Platforms covered: OpenClaw (primary), Cursor Agent Skills, OpenAI Codex

Cisco's scanner is the most technically comprehensive tool in this space. It runs four analysis layers: YAML/YARA signature-based static analysis, bytecode analysis of included scripts and binaries, behavioral dataflow tracing, and LLM-as-judge semantic evaluation of skill intent. The LLM layer (requires an API key) is the most capable at catching novel prompt injection patterns that signatures miss.

Catches: All three threat categories when fully configured. The LLM layer is the difference for sophisticated prompt injection variants.

Misses: Skills that activate conditionally after installation, post-deployment skill updates, runtime anomalous behavior.

Setup requirement: Python 3.10+, installation via pip/uv, three API keys (LLM provider, VirusTotal, Cisco AI Defense) for full capability. Runs static analysis only without the LLM key.

Best for: Security engineers, automated scanning pipelines, organizations that need custom rule authoring and REST API integration.

Repello SkillCheck

URL: repello.ai/tools/skills Type: Browser-based Install: None Platforms covered: Claude Code, OpenClaw, Cursor, Windsurf, any SKILL.md-based format

SkillCheck is a browser-based skill scanner that runs directly in your browser — upload a skill zip, receive a security score (0–100), a verdict (Safe / High / Critical), and a breakdown of detected attack patterns. Built on Repello AI's research into the ClawHavoc campaign and ongoing AI agent security work.

Catches: Prompt injection patterns across all documented variants, environment variable exfiltration instructions, policy violations (skills exceeding their stated scope), payload delivery indicators.

Misses: Custom dataflow analysis at the depth of Cisco's behavioral engine. Not designed for REST API integration or custom rule authoring.

Setup requirement: None. Upload in browser.

What it adds beyond scanning: A catalogue of community-submitted skills with their scan results. Browse pre-scanned skills by severity before downloading — a threat intelligence layer no other tool in this space offers.

Best for: Skill end-users (developers, technical users, IT administrators) who need a fast answer before installation. Non-technical security reviewers. Teams without a Python environment. Anyone evaluating community marketplace skills before use.

VirusTotal

URL: virustotal.com Type: Browser-based Install: None Platforms covered: Any file type

VirusTotal scans file hashes against databases of known malware signatures from 70+ antivirus engines. If a skill zip contains a binary already flagged as malicious by any engine, VirusTotal will surface it. It is fast, widely trusted, and requires no setup.

Catches: Known malware binaries included in skill zips.

Misses: Prompt injection in SKILL.md files (VirusTotal has no concept of AI agent instruction semantics). Novel techniques not yet in malware databases. Instruction-only attacks that involve no binary artifacts.

Best for: A quick first pass for binary artifacts. Use alongside an AI-aware scanner, not instead of one. Cisco's scanner optionally integrates VirusTotal for the binary layer.

Manual SKILL.md Audit

Type: Human review Install: None Platforms covered: Any

Reading the skill's descriptor file before installation is the most fundamental security check and requires no tooling. What to look for:

• Instructions referencing environment variables ($API_KEY, $HOME, $USER, any credential-shaped names)

• Instructions that append parameters to URLs or external service calls

• Trigger conditions that activate on common actions with secondary hidden effects

• Instructions to execute files included in the zip

• External domain references not related to the skill's stated function

• Unicode characters that render as spaces but carry hidden content (used in emoji-based prompt injection)

Five minutes of manual review catches the most obvious malicious skills. It is a complement to automated scanning, not a replacement — sophisticated techniques like conditional activation and obfuscated patterns are beyond what visual inspection reliably catches.

Comparison at a Glance

What No Pre-Installation Scanner Catches

All three tools share the same fundamental limitation: they analyze skills at a point in time, before installation. Two threat vectors operate entirely outside this window:

Post-deployment skill updates. A skill that scans clean today can be updated by its author tomorrow to include malicious behavior. You installed a clean version; you are now running a compromised one. No pre-installation scanner can catch this.

Runtime anomalous behavior. A skill can be designed to behave cleanly during testing and activate its payload only under production conditions — when specific environment variables are present, after a number of activations, or at a target date. Pre-installation scanning tests the skill as written; it cannot simulate all execution contexts.

Runtime monitoring addresses both gaps. ARGUS monitors agent behavior in production — flagging when an installed skill begins behaving outside its expected scope, regardless of what pre-installation scanning showed. For enterprise environments where agents have access to production credentials, internal APIs, and sensitive data, runtime monitoring is not optional.

For the automated red teaming layer — understanding what attack paths exist across your full agentic stack before an attacker finds them — ARTEMIS provides that coverage at the infrastructure level.

Where to Start

If you are an individual developer evaluating a skill before installation: SkillCheck is the fastest path — no setup, browser-based, 60 seconds.

If you are a security engineer building a scanning pipeline: Cisco's scanner offers the programmatic interface, custom rule authoring, and depth of analysis your workflow likely requires.

If you are a security team responsible for AI agent deployments at an organization: pre-installation scanning is step one, not the complete picture. Get in touch with Repello to understand the full threat model.

FAQ

Which AI agent skill scanner is the most accurate? Accuracy depends on what threat model you're optimizing for. Cisco's LLM-as-judge layer can catch novel, custom-crafted payloads that static rules miss — but only if you've configured an LLM API key and have the engineering capacity to operate it. SkillCheck's detection is backed by Repello's research team, who update the threat intelligence database daily, plus crowdsourced intel from the security community. That means SkillCheck's coverage on real-world marketplace threats — the kind hitting production environments today — is continuously current, not a static snapshot. For bespoke enterprise environments building custom evasion-resistant payloads in a lab, Cisco's LLM layer has depth. For the threat landscape as it actually exists in community marketplaces, SkillCheck's live threat intel is the more operationally relevant signal.

Do any of these scanners work for MCP servers? MCP servers present a related but distinct attack surface — tool poisoning, tool shadowing, and data exfiltration via tool responses rather than skill descriptor files. Separate tooling exists for MCP security scanning (mcp-scan and related tools). Repello's MCP Gateway addresses MCP visibility and control at the infrastructure level. None of the skill scanners reviewed here are designed for MCP server analysis.

Is there a scanner built specifically for Cursor agent skills? SkillCheck was built platform-agnostic from the start — any SKILL.md-based skill zip works, regardless of which IDE or marketplace generated it. That includes Cursor, Claude Code, Windsurf, GitHub Copilot Extensions, and OpenClaw. Cisco lists Cursor as a supported format, but its documentation and rule sets are primarily OpenClaw-focused. If you're in a multi-platform environment with Cursor, Claude Code, and OpenClaw agents running alongside each other, SkillCheck's platform-agnostic coverage is the more relevant choice.

Can a skill scanner tell me if a skill is definitively safe? No scanner can guarantee a skill is safe. Scanners detect known attack patterns and suspicious indicators — they do not provide a clean bill of health for skills using novel evasion techniques, conditional payloads, or post-installation updates. A Safe verdict means no detected patterns; it does not mean the skill is provably benign. Treat scanner results as risk reduction, not risk elimination. Enterprise teams that need continuous monitoring beyond pre-installation scanning should look at runtime security — ARGUS catches anomalous agent behavior in production that no pre-installation scan can surface.

My team wants continuous skill monitoring across our agent fleet — is SkillCheck available for enterprise use? SkillCheck at repello.ai/tools/skills is available for individual scans today. For teams that need continuous monitoring, automated pipeline integration, or threat intel feeds across a larger agent deployment, contact Repello — enterprise-grade skill security is exactly what ARTEMIS and ARGUS are built for.