Security Methodology
Every AI agent skill goes through a three-layer security pipeline (static analysis, dependency audit, and human review) before being published. A safe alternative to unvetted registries like ClawHub.
How we secure skills
Every skill passes three independent checks before its trust score and tier are computed: automated code analysis by three independent scanners (Snyk Agent Scan, Cisco Skill Scanner, and Tank), supply-chain verification against the agentskills.io spec and GitHub Security signals, and a manual review by the skills-il team. Each check is detailed below.
Three Independent Security Scanners
Every skill and MCP runs through three different scanners before publication. Each one looks at a different angle, so a single missed signal doesn't mean a missed vulnerability. Results from all three appear on every skill's detail page under "Security Analysis".
Snyk Agent Scan
LLM-based scan for prompt injection, data exfiltration, credential theft, and obfuscated payloads.
Cisco Skill Scanner
Static and behavioral analysis of skill content and scripts.
Tank Security Scanner
6-stage deep scan: ingestion, structure validation, static analysis, injection detection, secrets scanning, and dependency audit.
6-Stage Deep Security Scanning
Every skill tarball is run through Tank's 6-stage security pipeline, from quarantined ingestion to full dependency audit.
Ingestion & Quarantine
Downloads and isolates the skill tarball in a sandboxed environment
Structure Validation
Validates package structure, file types, and manifest integrity
Static Code Analysis
Scans source code using Bandit and Semgrep for vulnerabilities and unsafe patterns
Injection Detection
Detects prompt injection attacks, role hijacking, and manipulation patterns
Secrets Scanning
Identifies exposed credentials, API keys, and sensitive data using detect-secrets
Dependency Audit
Audits all dependencies for known CVEs via the OSV database
Powered by Tank Security Scanner
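The following is an added illustration of what stages 1, 2, 4 and 5 of a pipeline like the one above do on a skill tarball; it is example code written for this page, not Tank's implementation. The sample skill, the pattern lists and the `SKILL.md` manifest check are constructed assumptions, and Bandit/Semgrep (stage 3) and the OSV audit (stage 6) are omitted because they need external tools.

```python
import io
import re
import tarfile
import tempfile
from pathlib import Path
# Constructed sample skill (not a real published one): manifest + a script
# that embeds a credential-looking string.
SAMPLE_FILES = {
    "skill/SKILL.md": "# Echo skill\nEchoes the user's input back.\n",
    "skill/run.py": 'API_KEY = "AKIAEXAMPLEKEY0000000"\nprint("hi")\n',
}
INJECTION_PATTERNS = [r"ignore (all )?(previous|prior) instructions",
                      r"\byou are now\b"]                 # role hijacking
SECRET_PATTERNS = [r"AKIA[0-9A-Z]{16}",                    # AWS key id shape
                   r"(?i)(api[_-]?key|secret|token)\s*=\s*['\"][^'\"]{8,}['\"]"]

def build_tarball(files: dict) -> bytes:
    """Pack {path: text} into an in-memory .tar.gz (demo fixture)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(text.encode())
            tar.addfile(info, io.BytesIO(text.encode()))
    return buf.getvalue()

def scan_skill(tarball: bytes) -> dict:
    """Simplified stages 1, 2, 4, 5: quarantine, structure, injection, secrets."""
    findings = {"structure": [], "injection": [], "secrets": []}
    seen = set()
    with tempfile.TemporaryDirectory() as quarantine:      # stage 1: isolate
        root = Path(quarantine).resolve()
        with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
            for m in tar.getmembers():
                # stage 2: regular files only, none escaping the quarantine dir
                dest = (root / m.name).resolve()
                if not m.isreg() or not dest.is_relative_to(root):
                    findings["structure"].append(f"rejected {m.name}")
                    continue
                seen.add(Path(m.name).name)
                text = tar.extractfile(m).read().decode("utf-8", "replace")
                for pat in INJECTION_PATTERNS:                # stage 4
                    if re.search(pat, text, re.I):
                        findings["injection"].append((m.name, pat))
                for pat in SECRET_PATTERNS:                   # stage 5
                    if re.search(pat, text):
                        findings["secrets"].append((m.name, pat))
    if "SKILL.md" not in seen:
        findings["structure"].append("missing SKILL.md manifest")
    return findings
```

Members are read from the archive in memory rather than extracted, so a path such as `../escape.txt` is reported by the structure stage and never touches the filesystem.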
GitHub Verification
Every skill in the directory is checked against the open agentskills.io specification plus GitHub Security signals. Results appear on each skill's page as a Security Scorecard and Version & Provenance block. MCP servers have a separate trust pipeline and are not covered by GitHub Verification.
Five must-pass signals: spec compliance, secret scanning, code scanning, signed release, and a declared license. When all five pass, the skill earns a green Verified badge.
Nine additional signals that reflect repo hygiene: tag protection, branch protection, signed commits, SECURITY.md, MFA, CODEOWNERS, Dependabot, matching semver, and a version-pinned install command.
Two polish signals: recent release (<180 days) and release tree matching the default branch HEAD.
What does 'Verified ✓' mean?
A skill earns the Verified badge only when all five Critical signals pass. That means a Sigstore attestation signed by a GitHub Actions workflow in the skills-il organization, with secret scanning + code scanning enabled and an SPDX license declared.
How the signals are collected
Release and version signals refresh on every push. Repo-settings signals (secret scanning, code scanning, MFA, branch protection) refresh weekly via a GitHub Actions workflow. Spec compliance is verified by running `gh skill publish --dry-run` against the agentskills.io specification.
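As an added example (not the directory's own code), here is how the three groups of signals above can be reduced to a Verified decision, a hygiene count and the two polish signals. The signal key names, the semver tag check and the ISO date inputs are assumptions; the collector that populates them is not shown.

```python
import re
from datetime import date, timedelta

# Assumed key names for the five Critical, nine hygiene and two polish signals.
CRITICAL = ("spec_compliance", "secret_scanning", "code_scanning",
            "signed_release", "license_declared")
HYGIENE = ("tag_protection", "branch_protection", "signed_commits",
           "security_md", "mfa", "codeowners", "dependabot",
           "semver_match", "pinned_install")
SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")

def semver_matches(release_tag: str, manifest_version: str) -> bool:
    """'v1.4.0' matches '1.4.0'; a tag that is not strict semver never matches."""
    a, b = SEMVER.match(release_tag), SEMVER.match(manifest_version)
    return bool(a and b and a.groups() == b.groups())

def release_is_recent(released: str, today: str, max_age_days: int = 180) -> bool:
    """Polish signal: release younger than 180 days (ISO dates)."""
    age = date.fromisoformat(today) - date.fromisoformat(released)
    return age < timedelta(days=max_age_days)

def evaluate(signals: dict, released: str, today: str,
             tree_matches_head: bool) -> dict:
    """Verified requires every Critical signal; hygiene is merely counted."""
    missing_critical = [s for s in CRITICAL if not signals.get(s)]
    return {
        "verified": not missing_critical,
        "missing_critical": missing_critical,
        "hygiene_passed": sum(bool(signals.get(s)) for s in HYGIENE),
        "polish": {"recent_release": release_is_recent(released, today),
                   "tree_matches_head": tree_matches_head},
    }

# Constructed sample of what a collector might report for one repo.
SAMPLE_SIGNALS = {
    "spec_compliance": True, "secret_scanning": True, "code_scanning": True,
    "signed_release": True, "license_declared": "MIT",
    "tag_protection": False, "branch_protection": True, "signed_commits": True,
    "security_md": True, "mfa": True, "codeowners": False, "dependabot": True,
    "semver_match": semver_matches("v1.4.0", "1.4.0"), "pinned_install": True,
}
```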
Submitting your own skill?
Walk through the 5 Critical signals with copy-paste setup steps for your repo.
Manual review
Before a skill goes live, the skills-il team reviews it for spec compliance, content quality, and any obvious red flags. This is not a deep security audit (Tank and GitHub verification do the automated heavy lifting), but it's a final human gate on what ships to the catalog.
Trust Score Breakdown
The trust score is calculated based on five criteria.
Trust Tier Table
| Tier | Range | Description |
|---|---|---|
| Verified | 90 - 100 | Passed all security checks and full human review |
| Trusted | 70 - 89 | Passed automated scans and partial review |
| Community | 50 - 69 | Passed basic automated scans, awaiting extended review |
| Partially Verified | 0 - 49 | Passed basic review but has limited community activity and usage data |
How We Compare
See how Skills IL's security approach compares to other skill repositories.
| Feature | Skills IL | Others |
|---|---|---|
| Static code analysis | Yes | Limited |
| Dependency vulnerability scanning | Yes | Partial |
| Human security review | Yes | No |
| Trust scoring system | Yes | No |
| Hebrew-first content review | Yes | No |
| 6-stage deep security pipeline | Yes | No |
Important: this reduces risk, it does not guarantee safety
All the scans, verifications, and reviews above reduce risk; they don't eliminate it. We can't guarantee that any given skill will work correctly, stay safe over time, or won't be misused.
Why there's no guarantee
- Some skills and MCPs are written by our team and others are contributed externally, and either way the author can update what they shipped at any time. Design systems are all written in-house.
- Every skill's dependencies change, and new vulnerabilities are discovered in them constantly.
- New attack techniques (prompt injection, supply-chain, etc.) appear faster than any scanner can cover.
- Human review looks for obvious red flags, not every line of code.
- Skills run inside your agent with whatever permissions you grant it. What they actually do depends on your local context, files, and accounts.
Your responsibility
Before installing a skill, MCP, or design system, especially one that touches your files, accounts, API keys, or sensitive data, read SKILL.md yourself, review the code on GitHub, minimize the permissions you grant the agent, and run it in a sandboxed environment when possible. Use of anything on this site is at your own risk.
Vulnerability Reporting
Found a security vulnerability? Report it to us responsibly.