Every AI capability, independently audited againstPrompt Injection.

Send an AI Skill, MCP or Hook — get a transparent security report in thirty seconds. One unified catalog. One install command to manage capabilities across eight agents.

01FindIndexing

Search the catalog.

All the skills, MCPs, and plugins indexed from every public registries. One unified search to find them all.

Popular

Browse catalog12,847 indexed · 12 registries

02AuditRunning

Scan a new skill.

Drop a SKILL.md or .zip, or paste a public GitHub URL. Full security report in ~30s. Free. No account.

Drag a file or .zip here, or click to browse

One file, a .zip, or several files · max 10 MiB · .zip .md .json .yaml .yml .toml .txt .js .ts .py .sh

Make results public

Private results are unlisted, link-only, and expire in 90 days.

Scan a skillavg 28s

12,847 indexed
76/100 median
55 detection rules
30s p95 · free · no account

Install · 03

Scan, score & install — any agent

One binary, all eight agents, every OS. Audit what you already have, inspect any capability, and install or update skills, MCP servers & hooks — safely, in a single command.

saferskills install—Claude Code

AGENTS · 8

~/saferskills/install/claude-code

$ npx saferskills install github-mcp --to claude-code

SaferSkills

v0.1.0 · An OpenLatch project

github-mcp ● Green 87/100

✓ Installed to ~/.claude/skills/github-mcp/

✓ Updated ~/.claude/settings.json

Done. github-mcp is available in Claude Code.

↑ Switch commands in the strip — install · scan · list · info · the agent rail picks your install target · also try ⧉ Copy command in the terminal header.

alice · skill · 2 findings

Live signal · 04

What the network is touching, right now.

Recent scans and weekly install momentum, anonymized. No personal data — just the shape of community attention.

Open full feed →

tana · skill · 1 finding

96/100 · Green band

1.2k installs / wk

▁▂▂▃▅▇█

88/100 · Green band

873 installs / wk

▁▂▃▃▄▆▇

84/100 · Green band

612 installs / wk

▁▁▂▃▄▅▆

WHY(5) SaferSkills — Five Reasons It Earns The URL

Name

Five reasons it earns the URL.

Find · Install · Verify · Monitor · Trust. Each pillar earns its row — and the metrics underneath.

Read the methodology →

Unified catalog across 12+ registries.GitHub, npm, PyPI, MCP Registry, mcp.so, Smithery, Glama, PulseMCP, ClawHub, skillsmp, skills.sh, ClaudeSkills, SkillHub. One search instead of twelve.

12,847indexedupdated hourlyopen methodology

One command across all eight agent platforms.macOS, Windows, Linux — no agent-specific config to learn. The score is re-verified at install time so you never install based on a stale page.

8 / 8agents3OSes · one binarynpm package

Independent, transparent, open-source scoring.55 deterministic detection rules across five categories. Every finding cites a rule ID and an evidence line — not "AI thinks this is bad," only reproducible facts.

55rules · Apache 2.0community PRs welcomerule index

Watch any skill.Drift alerts when content changes. Risk alerts when the score drops ≥10 points. Weekly digests of trending items in your watched categories. Throttled, GDPR-compliant, one-click unsubscribe.

email-gated≤ 5alerts / dayaccount self-deletion

No browser fingerprinting. No cross-site tracking.Vendor right-of-reply with a 1-hour re-scan SLA. Privacy policy reviewed by external counsel; aggregated IP-ASN data only, fully disclosed.

privacy policy reviewed by counselprivacy policy

SEE ALSO · scoring(7) · privacy(5) · github

Detection · 06

The attacks we name.

BiDi smuggling. curl piped to bash. AWS credential exfil. Hidden MCP tools. Fifty-seven deterministic detectors run on every scan — open rubric, reproducible, every finding cites the line of code that tripped it.

10 RED · execution & exfil 31 ORANGE · injection & supply chain 16 YELLOW · hygiene & transparency Deterministic · Open Source

PROMPT INJECTION

Invisible Unicode Injection

▸U+E0000–E007F

SS-SKILL-INJECT-UNICODE-TAG-01

Base64-Encoded Payload

▸base64 ≥128 chars

SS-SKILL-INJECT-B64-PAYLOAD-01

PROMPT INJECTION

Jailbreak / Role Override

▸/you are now|act as/i

SS-SKILL-INJECT-ROLE-01

PROMPT INJECTION

Homoglyph Confusable

▸Latin ↔ Cyrillic mix

SS-SKILL-INJECT-HOMOGLYPH-01

PROMPT INJECTION

Autonomy Override (“don't ask”)

▸/don'?t\s+(ask|confirm|wait)/i

SS-SKILL-INJECT-DONT-ASK-01

Missing Changelog

▸CHANGELOG.md absent

SS-SKILL-TRANSPARENCY-CHANGELOG-01

Stale Default Branch

▸last commit >180d

SS-SKILL-MAINTENANCE-COMMIT-RECENCY-01

Unresolved Issue Backlog

▸open/closed ≥0.5

SS-SKILL-MAINTENANCE-OPEN-ISSUE-RATIO-01

Single-Author Repo

▸contributors = 1

SS-SKILL-COMMUNITY-CONTRIBUTORS-01

MCP: Zero-Width Poisoning

▸U+200B–D in tool desc

SS-MCP-POISON-ZWSP-01

Undeclared Subprocess Capability

▸spawn/exec without manifest decl

SS-MCP-CAP-UNDECLARED-01

Unsigned MCP Release

▸no sigstore/cosign attestation

SS-MCP-SUPPLY-CHAIN-UNSIGNED-01

Destructive rm -rf

▸rm -rf / $VAR ~

SS-HOOKS-RCE-RMRF-01

World-Writable Permissions

▸chmod 777 / o+w

SS-HOOKS-RCE-CHMOD-WIDE-01

Owner-Transfer Signal

▸repo owner Δ <90d

SS-HOOKS-SUPPLY-CHAIN-OWNER-XFER-01

PROMPT INJECTION

Non-Disclosure Imperative

▸/don'?t (mention|disclose|reveal)/i

SS-RULES-INJECT-IMPERATIVE-01

Rules: Missing Documentation

▸rule lacks frontmatter

SS-RULES-TRANSPARENCY-MANIFEST-01

CREDENTIAL EXFIL

AWS Credential Theft

▸~/.aws/credentials

SS-PLUGIN-SECRET-EXFIL-AWS-FILES-01

CREDENTIAL EXFIL

Webhook Exfiltration

▸POST → discord.com/api/webhooks

SS-PLUGIN-SECRET-EXFIL-WEBHOOK-01

PROMPT INJECTION

Invisible Unicode Injection

▸U+E0000–E007F

SS-SKILL-INJECT-UNICODE-TAG-01

Base64-Encoded Payload

▸base64 ≥128 chars

SS-SKILL-INJECT-B64-PAYLOAD-01

PROMPT INJECTION

Jailbreak / Role Override

▸/you are now|act as/i

SS-SKILL-INJECT-ROLE-01

PROMPT INJECTION

Homoglyph Confusable

▸Latin ↔ Cyrillic mix

SS-SKILL-INJECT-HOMOGLYPH-01

PROMPT INJECTION

Autonomy Override (“don't ask”)

▸/don'?t\s+(ask|confirm|wait)/i

SS-SKILL-INJECT-DONT-ASK-01

Missing Changelog

▸CHANGELOG.md absent

SS-SKILL-TRANSPARENCY-CHANGELOG-01

Stale Default Branch

▸last commit >180d

SS-SKILL-MAINTENANCE-COMMIT-RECENCY-01

Unresolved Issue Backlog

▸open/closed ≥0.5

SS-SKILL-MAINTENANCE-OPEN-ISSUE-RATIO-01

Single-Author Repo

▸contributors = 1

SS-SKILL-COMMUNITY-CONTRIBUTORS-01

MCP: Zero-Width Poisoning

▸U+200B–D in tool desc

SS-MCP-POISON-ZWSP-01

Undeclared Subprocess Capability

▸spawn/exec without manifest decl

SS-MCP-CAP-UNDECLARED-01

Unsigned MCP Release

▸no sigstore/cosign attestation

SS-MCP-SUPPLY-CHAIN-UNSIGNED-01

Destructive rm -rf

▸rm -rf / $VAR ~

SS-HOOKS-RCE-RMRF-01

World-Writable Permissions

▸chmod 777 / o+w

SS-HOOKS-RCE-CHMOD-WIDE-01

Owner-Transfer Signal

▸repo owner Δ <90d

SS-HOOKS-SUPPLY-CHAIN-OWNER-XFER-01

PROMPT INJECTION

Non-Disclosure Imperative

▸/don'?t (mention|disclose|reveal)/i

SS-RULES-INJECT-IMPERATIVE-01

Rules: Missing Documentation

▸rule lacks frontmatter

SS-RULES-TRANSPARENCY-MANIFEST-01

CREDENTIAL EXFIL

AWS Credential Theft

▸~/.aws/credentials

SS-PLUGIN-SECRET-EXFIL-AWS-FILES-01

CREDENTIAL EXFIL

Webhook Exfiltration

▸POST → discord.com/api/webhooks

SS-PLUGIN-SECRET-EXFIL-WEBHOOK-01

PROMPT INJECTION

Trojan Source (BiDi)

▸U+202A–E, U+2066–9

SS-SKILL-INJECT-BIDI-01

Hex-Encoded Payload

▸hex ≥256 chars

SS-SKILL-INJECT-HEX-PAYLOAD-01

PROMPT INJECTION

Fenced-Imperative Run

▸``` (run|exec|execute)

SS-SKILL-INJECT-FENCED-RUN-01

PROMPT INJECTION

System-Prompt Leak Request

▸/print\s+(your\s+)?system/i

SS-SKILL-INJECT-SYS-LEAK-01

Missing Manifest

▸manifest.json absent

SS-SKILL-TRANSPARENCY-MANIFEST-01

Missing SECURITY.md

▸SECURITY.md absent

SS-SKILL-TRANSPARENCY-SECURITY-01

Low Commit Frequency

▸<1 commit / 30d

SS-SKILL-MAINTENANCE-COMMIT-FREQ-01

▸no workflows/ or failing

SS-SKILL-MAINTENANCE-CI-BROKEN-01

MCP: Invisible Unicode

▸U+E0000–E007F in tool desc

SS-MCP-POISON-UNICODE-TAG-01

Oversized Tool Description

▸description ≥2000 chars

SS-MCP-POISON-DESCRIPTION-CREEP-01

Typosquat Candidate

▸Levenshtein ≤1

SS-MCP-SUPPLY-CHAIN-TYPOSQUAT-01

Cross-Registry Listing

▸same slug on 2+ registries

SS-MCP-COMMUNITY-CROSS-REG-01

Unattended sudo

▸sudo without -S / askpass

SS-HOOKS-RCE-SUDO-UNATTENDED-01

Base64-Decoded Shell

▸base64 -d | bash

SS-HOOKS-OBFUSCATION-B64-SHELL-01

New-Account Author

▸account age <30d

SS-HOOKS-SUPPLY-CHAIN-AUTHOR-AGE-01

Rules: Unicode Tag-Channel

▸U+E0000–E007F in .mdc

SS-RULES-OBFUSCATION-UNICODE-TAG-01

Rules: Low Adoption

▸installs <100

SS-RULES-COMMUNITY-INSTALLS-01

CREDENTIAL EXFIL

GitHub Token Leak

▸ghp_ / github_pat_ / gho_

SS-PLUGIN-SECRET-EXFIL-GH-TOKEN-01

PROMPT INJECTION

Excessive-Agency Imperative

▸/must|always|never (ask|confirm)/i

SS-SKILL-INJECT-STRONG-IMPERATIVE-02

PROMPT INJECTION

Trojan Source (BiDi)

▸U+202A–E, U+2066–9

SS-SKILL-INJECT-BIDI-01

Hex-Encoded Payload

▸hex ≥256 chars

SS-SKILL-INJECT-HEX-PAYLOAD-01

PROMPT INJECTION

Fenced-Imperative Run

▸``` (run|exec|execute)

SS-SKILL-INJECT-FENCED-RUN-01

PROMPT INJECTION

System-Prompt Leak Request

▸/print\s+(your\s+)?system/i

SS-SKILL-INJECT-SYS-LEAK-01

Missing Manifest

▸manifest.json absent

SS-SKILL-TRANSPARENCY-MANIFEST-01

Missing SECURITY.md

▸SECURITY.md absent

SS-SKILL-TRANSPARENCY-SECURITY-01

Low Commit Frequency

▸<1 commit / 30d

SS-SKILL-MAINTENANCE-COMMIT-FREQ-01

▸no workflows/ or failing

SS-SKILL-MAINTENANCE-CI-BROKEN-01

MCP: Invisible Unicode

▸U+E0000–E007F in tool desc

SS-MCP-POISON-UNICODE-TAG-01

Oversized Tool Description

▸description ≥2000 chars

SS-MCP-POISON-DESCRIPTION-CREEP-01

Typosquat Candidate

▸Levenshtein ≤1

SS-MCP-SUPPLY-CHAIN-TYPOSQUAT-01

Cross-Registry Listing

▸same slug on 2+ registries

SS-MCP-COMMUNITY-CROSS-REG-01

Unattended sudo

▸sudo without -S / askpass

SS-HOOKS-RCE-SUDO-UNATTENDED-01

Base64-Decoded Shell

▸base64 -d | bash

SS-HOOKS-OBFUSCATION-B64-SHELL-01

New-Account Author

▸account age <30d

SS-HOOKS-SUPPLY-CHAIN-AUTHOR-AGE-01

Rules: Unicode Tag-Channel

▸U+E0000–E007F in .mdc

SS-RULES-OBFUSCATION-UNICODE-TAG-01

Rules: Low Adoption

▸installs <100

SS-RULES-COMMUNITY-INSTALLS-01

CREDENTIAL EXFIL

GitHub Token Leak

▸ghp_ / github_pat_ / gho_

SS-PLUGIN-SECRET-EXFIL-GH-TOKEN-01

PROMPT INJECTION

Excessive-Agency Imperative

▸/must|always|never (ask|confirm)/i

SS-SKILL-INJECT-STRONG-IMPERATIVE-02

PROMPT INJECTION

Zero-Width Smuggling

▸U+200B–D, U+2060, U+FEFF (≥3)

SS-SKILL-INJECT-ZWSP-01

PROMPT INJECTION

“Ignore Previous Instructions”

▸/ignore\s+(all\s+)?previous/i

SS-SKILL-INJECT-IGNORE-01

PROMPT INJECTION

Emoji-Smuggled Instructions

▸VS16 + tag chars

SS-SKILL-INJECT-EMOJI-SMUG-01

PROMPT INJECTION

Imperative Override Pattern

▸/override|disregard|forget/i

SS-SKILL-INJECT-IMPERATIVE-01

Missing License

▸LICENSE absent

SS-SKILL-TRANSPARENCY-LICENSE-01

▸README.md absent

SS-SKILL-TRANSPARENCY-DESCRIPTION-01

Slow Issue Response

▸median response >14d

SS-SKILL-MAINTENANCE-ISSUE-RESPONSE-01

Low Adoption Signal

SS-SKILL-COMMUNITY-STARS-01

MCP: BiDi Poisoning

▸U+202A–E in tool desc

SS-MCP-POISON-BIDI-01

Shadow Tool Registration

▸_internal / __hidden / _meta

SS-MCP-POISON-SHADOW-TOOL-01

Content-Hash Drift (Rug-Pull)

▸content-hash Δ between scans

SS-MCP-SUPPLY-CHAIN-HASH-DRIFT-01

▸curl/wget piped to bash/sh

SS-HOOKS-RCE-CURL-PIPE-01

Reverse Shell / Egress

▸bash -i >& /dev/tcp/

SS-HOOKS-RCE-NET-EGRESS-01

▸eval $(...) / eval "$VAR"

SS-HOOKS-OBFUSCATION-EVAL-01

SS-HOOKS-COMMUNITY-FORK-HEALTH-01

Rules: Homoglyph Confusable

▸Latin ↔ Cyrillic in .mdc

SS-RULES-OBFUSCATION-HOMOGLYPH-01

CREDENTIAL EXFIL

Env Read + Network Call (Exfil)

▸process.env.* → fetch/http

SS-PLUGIN-SECRET-EXFIL-ENV-NET-01

CREDENTIAL EXFIL

SSH Private Key Access

▸~/.ssh/id_* / BEGIN PRIVATE KEY

SS-PLUGIN-SECRET-EXFIL-SSH-01

PROMPT INJECTION

Strong Imperative Pattern

▸/you (must|will|shall)/i

SS-SKILL-INJECT-STRONG-IMPERATIVE-01

PROMPT INJECTION

Zero-Width Smuggling

▸U+200B–D, U+2060, U+FEFF (≥3)

SS-SKILL-INJECT-ZWSP-01

PROMPT INJECTION

“Ignore Previous Instructions”

▸/ignore\s+(all\s+)?previous/i

SS-SKILL-INJECT-IGNORE-01

PROMPT INJECTION

Emoji-Smuggled Instructions

▸VS16 + tag chars

SS-SKILL-INJECT-EMOJI-SMUG-01

PROMPT INJECTION

Imperative Override Pattern

▸/override|disregard|forget/i

SS-SKILL-INJECT-IMPERATIVE-01

Missing License

▸LICENSE absent

SS-SKILL-TRANSPARENCY-LICENSE-01

▸README.md absent

SS-SKILL-TRANSPARENCY-DESCRIPTION-01

Slow Issue Response

▸median response >14d

SS-SKILL-MAINTENANCE-ISSUE-RESPONSE-01

Low Adoption Signal

SS-SKILL-COMMUNITY-STARS-01

MCP: BiDi Poisoning

▸U+202A–E in tool desc

SS-MCP-POISON-BIDI-01

Shadow Tool Registration

▸_internal / __hidden / _meta

SS-MCP-POISON-SHADOW-TOOL-01

Content-Hash Drift (Rug-Pull)

▸content-hash Δ between scans

SS-MCP-SUPPLY-CHAIN-HASH-DRIFT-01

▸curl/wget piped to bash/sh

SS-HOOKS-RCE-CURL-PIPE-01

Reverse Shell / Egress

▸bash -i >& /dev/tcp/

SS-HOOKS-RCE-NET-EGRESS-01

▸eval $(...) / eval "$VAR"

SS-HOOKS-OBFUSCATION-EVAL-01

SS-HOOKS-COMMUNITY-FORK-HEALTH-01

Rules: Homoglyph Confusable

▸Latin ↔ Cyrillic in .mdc

SS-RULES-OBFUSCATION-HOMOGLYPH-01

CREDENTIAL EXFIL

Env Read + Network Call (Exfil)

▸process.env.* → fetch/http

SS-PLUGIN-SECRET-EXFIL-ENV-NET-01

CREDENTIAL EXFIL

SSH Private Key Access

▸~/.ssh/id_* / BEGIN PRIVATE KEY

SS-PLUGIN-SECRET-EXFIL-SSH-01

PROMPT INJECTION

Strong Imperative Pattern

▸/you (must|will|shall)/i

SS-SKILL-INJECT-STRONG-IMPERATIVE-01

Read the full rubric →

Scan a capability.
Read the report.
Decide.

~30 seconds. Free. No account. The report URL is bookmarkable and persists for 90 days.

Submit a capability →Browse catalog