SKILL
SCANNER

What is the explainx SKILL.md vulnerability scanner?

It's a free heuristic static-analysis tool for public GitHub repositories that contain SKILL.md files. It reads the repository tree, finds every SKILL.md file, and checks each one across eight risk categories including command injection, secret exposure, prompt injection, and supply-chain risks. No install required — paste a GitHub URL and scan.

How does it detect prompt injection in AI skills?

The scanner looks for patterns that instruct an AI agent to override its system prompt, ignore previous instructions, or execute arbitrary commands via indirect inputs. These patterns are common in malicious skills designed to hijack AI agents during autonomous task execution.

Can I scan private GitHub repositories?

No — the scanner only supports public GitHub repositories. It reads repository contents via GitHub's public API without requiring authentication.

Is this scanner available for teams outside the US?

Yes. The scanner runs entirely on explainx.ai infrastructure and is accessible globally with no region restrictions. Security teams in the UK, Europe, India, Southeast Asia, and elsewhere use it to vet AI skills before deploying them in their pipelines.

What programming languages and runtimes does the scanner cover?

The scanner is runtime-agnostic — it analyzes the SKILL.md file content itself, not the underlying code. It looks for dangerous instruction patterns across all runtimes (Python, Node.js, Bash, PowerShell, etc.) by matching heuristics within the markdown.