How we audit AI agent skills
Every skill page on this directory carries a security audit derived from the skill's source files: the shell commands it runs, the URLs it fetches, and whether it touches local files. Each listed command and URL is verified verbatim against the source before publication. The result is a per-skill answer to one question: should this skill be installed?
Why audit skills at all?
A skill is an instruction file an AI agent loads and follows. That makes it code review territory: a skill can look harmless while instructing the agent to run commands, post data to external endpoints, or modify files beyond what its description says. Security researchers have repeatedly found malicious skills published to public skill registries, and surveys of public skills report that a meaningful share carry vulnerabilities such as prompt injection, hidden instructions, or undeclared network calls. The risk is real; the fix is reading what the skill actually does before installing it. We do that reading and publish it.
What does the audit check?
- Shell commands: every command the skill instructs an agent to execute, extracted from instruction blocks (not example output).
- External URLs: every endpoint the skill directs an agent to request during execution (curl targets, API endpoints), not documentation links.
- File access: whether the skill reads or writes local files.
- Grounding: each listed command and URL must appear verbatim in the source files. Anything that cannot be matched is dropped rather than published.
- Description-behavior fit: the risk notes flag where the tool surface goes beyond what the skill's description suggests.
What do the risk levels mean?
The level describes the width of the tool surface, not intent. Most useful automation is high risk by this definition; the question is whether the commands and endpoints match the skill's stated purpose.
What does the audit not do?
This is a static review of the skill's instruction files at enrichment time. It does not execute the skill, sandbox an agent, or scan the dependencies of external tools a skill invokes. Standalone skill scanners that you run locally before installing are a good complement to these published audits, especially for anything touching credentials or production systems. Skills can change after our last review, so every page links to the live source on GitHub.
Frequently asked questions
How does Heyalo audit agent skills?
We analyze each skill's source files (SKILL.md and referenced files) and extract its tool surface: the shell commands it instructs an agent to run, the URLs it directs an agent to fetch, and whether it reads or writes local files. Every command and URL in a published audit is then checked verbatim against the source; anything that cannot be matched is dropped rather than published.
What do the risk levels mean?
None means passive text generation only. Low means the skill reads local files. Medium means it writes local files. High means it makes network requests or runs shell commands. The level describes the width of the tool surface, not malicious intent.
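To make the checks and the level definitions concrete, here is a small auditor run over a constructed SKILL.md. It is an added example, not the directory's own tooling; the fence labels it treats as shell, the prose-verb heuristic for file access, and the example domains are assumptions.

```python
import re
TICKS = "`" * 3
# Constructed sample SKILL.md (not a real published skill); ~~~ stands in for a code fence.
SKILL_MD = """\
# Release notes helper
Reads CHANGELOG.md and drafts a summary of recent work.
Run the following to collect recent commits and request a summary:
~~~bash
git log --oneline -n 20
curl -s https://api.example.invalid/v1/summarize -d @notes.txt
~~~
Example output (do not run):
~~~text
$ rm -rf build/
a1b2c3d Fix typo
~~~
Write the result to RELEASE.md. See https://docs.example.invalid/guide for details.
""".replace("~~~", TICKS)
FENCE = re.compile(TICKS + r"(\w*)\n(.*?)" + TICKS, re.S)
URL = re.compile(r"https?://[^\s\"'<>]+")

def extract_commands(md):
    """Commands from shell-labelled instruction fences only; a 'text' fence is example output."""
    return [line.strip() for lang, body in FENCE.findall(md) if lang in ("bash", "sh", "shell")
            for line in body.splitlines() if line.strip()]

def extract_urls(cmds):
    """Endpoints the agent is told to request: URLs inside executed commands, not prose links."""
    return sorted({u for c in cmds for u in URL.findall(c)})

def file_access(md):
    """Assumed heuristic: read/write verbs in the instructions signal local file access."""
    return bool(re.search(r"\breads?\b", md, re.I)), bool(re.search(r"\bwrites?\b", md, re.I))

def grounded(items, md):
    """Grounding check: keep only items that appear verbatim in the source; drop the rest."""
    return [i for i in items if i in md]

def risk_level(cmds, urls, reads, writes):
    """Width of the tool surface per the levels above; says nothing about intent."""
    return "high" if cmds or urls else "medium" if writes else "low" if reads else "none"

def audit(md):
    cmds = grounded(extract_commands(md), md)
    urls = grounded(extract_urls(cmds), md)
    reads, writes = file_access(md)
    return {"commands": cmds, "urls": urls, "reads": reads, "writes": writes,
            "risk": risk_level(cmds, urls, reads, writes)}
```

Note that the `rm -rf build/` line in the example-output fence and the documentation link never reach the report, while the curl endpoint does, which is exactly the distinction the checks above draw.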
Is a high-risk skill malicious?
No. High risk means the skill runs commands or calls the network, which most useful automation does. The audit exists so you can see exactly which commands and endpoints are involved and decide whether they match the skill's stated purpose before installing.
How is this different from running a security scanner myself?
Standalone skill scanners are tools you run yourself against a skill before installing it, and we recommend doing that for anything sensitive. This directory publishes the review as a readable page per skill, so you can check a skill's tool surface from a search result without setting anything up. The approaches complement each other.
What does the audit not cover?
This is a static review of the skill's instruction files at enrichment time, not a runtime sandbox. It does not execute the skill, monitor what an agent does with it, or scan dependencies of external tools the skill invokes. A skill updated after our last review may differ from the audited version; the source link on every page points to the live files.