Every AI agent skill goes through a 3-layer security pipeline (static analysis, dependency audit, and human review) before being published. A safe alternative to unvetted registries like ClawHub.
Automated code scanning for security vulnerabilities, malicious code, and dangerous patterns
Vulnerability checking of external libraries and dependencies
Manual security review by experienced experts
Every skill tarball is run through Tank's 6-stage security pipeline, from quarantined ingestion to full dependency audit.
Downloads and isolates the skill tarball in a sandboxed environment
Validates package structure, file types, and manifest integrity
Scans source code using Bandit and Semgrep for vulnerabilities and unsafe patterns
Detects prompt injection attacks, role hijacking, and manipulation patterns
Identifies exposed credentials, API keys, and sensitive data using detect-secrets
Audits all dependencies for known CVEs via the OSV database
Powered by Tank Security Scanner
The trust score is calculated based on five criteria
| Tier | Range | Description |
|---|---|---|
| Verified | 90 - 100 | Passed all security checks and full human review |
| Trusted | 70 - 89 | Passed automated scans and partial review |
| Community | 50 - 69 | Passed basic automated scans, awaiting extended review |
| Partially Verified | 0 - 49 | Passed basic review but has limited community activity and usage data |
See how Skills IL's security approach compares to other skill repositories
| Feature | Skills IL | Others |
|---|---|---|
| Static code analysis | Yes | Limited |
| Dependency vulnerability scanning | Yes | Partial |
| Human security review | Yes | No |
| Trust scoring system | Yes | No |
| Hebrew-first content review | Yes | No |
| Israeli security experts | Yes | No |
| 6-stage deep security pipeline | Yes | No |
Found a security vulnerability? Report it to us responsibly.
Report a Security Vulnerability