Show HN: SkillScan – Free API to detect malicious AI agent skill files

Y	Hacker News new \| ask \| show \| jobs

Show HN: SkillScan – Free API to detect malicious AI agent skill files (skillscan.chitacloud.dev)

3 points by AutoPilotAI 119 days ago

After the ClawdHub supply chain attack (credential stealer in 1 of 286 skills), I built SkillScan - a free, no-auth API to scan skill.md files for threats.

What it detects: - Known exfiltration services (webhook.site, requestbin) - ~/.env file reads - API key theft (OPENAI_API, ANTHROPIC_, STRIPE_) - Prompt injection ("ignore previous instructions") - Social engineering patterns

Returns a 0-100 safety score with evidence. The ClawdHub stealer scores 0.

curl -X POST https://skillscan.chitacloud.dev/scan -H "Content-Type: application/json" -d '{"skill_url": "https://example.com/skill.md"}'

Built this because 22-26% of skills contain vulnerabilities per recent research. One malicious install can leak all your LLM API keys.