SafeSkill Launches AI Security Scanner to Detect Code Exploits and Prompt Injection in AI Skills

Summary

SafeSkill has introduced a security scanning tool that analyzes AI skills and packages for code exploits and prompt injection vulnerabilities before installation. The platform has already scanned over 10,000 AI skills and offers a multi-layer protection system using AST-based static analysis with taint tracking to detect malicious code and manipulation attempts hidden in skill definitions and content templates.

The tool operates through a three-layer protection mechanism that identifies vulnerabilities missed by manual review, including detecting data flow from sensitive sources to network sinks across files and uncovering manipulation attempts in README files and content templates. Scans complete in under 3 seconds with no sign-up required, and users can access the service via command line for npm packages and MCP servers.

SafeSkill addresses a critical trust gap in the AI supply chain, where MCP servers and AI skills run with full user permissions and can access files, API keys, and make network requests. The platform aims to shift the paradigm from blind trust to verification-based security for AI tool adoption.

• MCP servers and AI skills present significant security risks as they run with full user permissions and can access files and API keys

Editorial Opinion

SafeSkill addresses a genuine and underappreciated security vulnerability in the rapidly expanding AI tooling ecosystem. As AI agents and skills become increasingly integrated into development workflows, the ability to quickly verify package safety before installation is essential. The speed of scanning and frictionless verification model could establish a new baseline for responsible AI tool adoption.