Skill Provenance
Vet a third-party agent skill before you install or run it. Checks provenance, license, pinning, hidden or injected instructions, dependency/supply-chain risks, and dangerous capabilities — then returns RUN / REVIEW / DO NOT RUN.
About
Skill Provenance reads a third-party skill before it runs with your agent's hands — and tells you whether to trust it.
Inputs: a skill folder (the one with SKILL.md) or a repo you've already cloned.
Checks: provenance (real, reachable source; pinned to a commit or floating), license (declared, a recognized SPDX id), instruction integrity (injected or override directives in the skill's own text), hidden & obfuscated text (zero-width characters, encoded payloads), capabilities / blast radius (shell, network, secrets, file writes), dependencies & supply chain (install hooks, typosquats, unpinned or off-registry deps), declared-vs-actual (does the code do more than the description admits), exfiltration paths (a secret read plus an outbound call), and trigger scope.
Output: a line-per-check report and one verdict — RUN / REVIEW / DO NOT RUN — with the exact reasons and what to resolve first, plus a machine-readable JSON verdict for CI. Read-only: no network, no credentials.
The install-side gate; its sibling publish-audit is the publish-side one. Marketplaces rank by stars — this ranks by what the code actually does. Read the skill before you run it.
Security-first skill vetting for AI agents. Checks red flags, permission scope, suspicious patterns before install.
Passive domain recon: subdomains, SSL certs, WHOIS, DNS. Python stdlib only.
Supply-chain forensics for GitHub repos: deleted commits, force-pushes, IOCs.