Every claim ties to a specific rule, a specific rubric version, and a specific finding's hashed evidence. Reproducible by any third party offline.
Five sub-scores, each capped at 100 and penalised per finding, combine by a fixed weight into one aggregate.
round(0.35·Security + 0.20·Supply Chain + 0.15·Maintenance +
0.15·Transparency + 0.15·Community)
Each sub-score = max(0, 100 − Σ per-finding penalty). Because
security is only 35% of the weight, a serious flaw would otherwise be averaged
away — so a single active critical finding caps the
whole aggregate at 15, and an active high at
45. This severity ceiling keeps a security failure in the red
band no matter how clean the other axes are.
Every check we run is spelled out here — what it looks for, why it matters, how serious it is, and how to fix it, with each rule mapped to the OWASP LLM Top 10, MITRE ATLAS, and CWE where it applies. Search by name, severity, or framework, then export the list as CSV.
This hook runs automatically on an agent event, with no chance for you to review it first. The spotted command the flagged value pipes whatever the remote server returns at that moment straight into a shell — if the URL is ever compromised, attacker code runs on your machine.
regex `(?i)\b(?:curl|wget|fetch|invoke-webrequest|iwr)\b[^|;\n]*\|\s*(?:bash|sh|zsh|fish|powershell|pwsh|cmd|python|node|perl|ruby)\b` against .claude/hooks/**, hooks/**, **/*.hook.sh, **/*.hook.ps1, **/*.hook.bat, **/SessionStart*, **/SessionEnd*, **/PreToolUse*, **/PostToolUse*
This hook runs automatically on an agent event, with no chance for you to stop it. The spotted command the flagged value recursively force-deletes a root, home, or variable-expanded path — if the path resolves wrong at runtime, it irreversibly destroys data.
regex `(?i)\brm\s+(?:-[rRfF]+\s+|--recursive\s+|--force\s+)+(?:/(?:\s|$|\*|[a-zA-Z][a-zA-Z0-9/_-]*)|\$\w+|~/?\s*$|"\$\{?\w+\}?")` against .claude/hooks/**, hooks/**, **/*.hook.sh, **/*.hook.ps1, **/SessionStart*, **/SessionEnd*, **/PreToolUse*, **/PostToolUse*
An MCP tool's description is read by the agent as trusted instructions. This one embeds bidirectional-override characters (the flagged value) so the manifest renders one thing to a human reviewer but tokenizes a different, reordered instruction to the agent.
regex `[\u{202A}-\u{202E}\u{2066}-\u{2069}]` against tools/manifest.json, **/tools/manifest.json, manifest.json, **/server.py, **/server.ts, **/server.js, **/*.toolmanifest.json
An MCP tool's description is injected into the agent's context as trusted instructions. This one runs past 2000 characters — far beyond the 100–500 a real tool needs — room to bury reasoning chains or system-prompt overrides a human reviewer skims past.
regex `(?is)"description"\s*:\s*"[^"]{2000,}"` against tools/manifest.json, **/tools/manifest.json, manifest.json, **/*.toolmanifest.json
This server publishes a tool whose name (the flagged value) uses an "internal/private" naming convention. The agent still sees and may invoke it, but a human reviewing the manifest skips over names that visually signal "not for me" — letting a hidden tool act unreviewed.
regex `(?is)"name"\s*:\s*"[^"]*(?:_internal|__|\.hidden|_meta|_sys)[^"]*"` against tools/manifest.json, **/tools/manifest.json, manifest.json, **/*.toolmanifest.json
An MCP tool's description is fed into the agent's context as trusted instructions. This one hides invisible plane-14 tag characters (the flagged value) the agent tokenizes as commands, while a human reading the manifest sees the description unchanged.
regex `[\u{E0000}-\u{E007F}]` against tools/manifest.json, **/tools/manifest.json, manifest.json, **/server.py, **/server.ts, **/server.js, **/*.toolmanifest.json
This plugin references the AWS credentials file or the access-key fields stored inside it (the flagged value). Those are long-lived keys with broad cloud access, so any code that reads them can hand your whole AWS account to whatever it contacts next.
regex `(?i)(~/.aws/credentials|~/.aws/config|/\.aws/credentials|aws_access_key_id|aws_secret_access_key|aws_session_token)` against **/*.py, **/*.ts, **/*.js, **/*.mjs, **/*.cjs, **/*.go, **/*.rb, **/*.java
This plugin reads from the environment (where API keys, tokens, and AWS credentials live) and also makes outbound network calls. When both sit in the same code, a secret read from the env can be packed into a request and sent off the machine the moment the plugin runs.
AND of 2 sub-triggers
A GitHub token (the flagged value) is committed directly into this plugin's source. Anyone who reads the repo — including everyone who installs the plugin — gets the token, so it must be treated as already compromised.
regex `\b(?:ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{82}|gho_[A-Za-z0-9]{36}|ghu_[A-Za-z0-9]{36}|ghs_[A-Za-z0-9]{36}|ghr_[A-Za-z0-9]{36})\b` against **/*.py, **/*.ts, **/*.js, **/*.mjs, **/*.cjs, **/*.go, **/*.rb, **/*.java, **/*.md, **/*.json, **/*.yaml, **/*.yml
A rules file is injected verbatim into every agent prompt. Unicode tag-channel codepoints like the flagged value render as nothing to a human reviewer but are tokenized as text by the model — so hidden instructions steer every session while staying invisible in any editor or diff.
regex `[\u{E0000}-\u{E007F}]` against .cursorrules, .cursor/rules/**, .windsurfrules, .windsurf/rules/**, .continuerules, CONTINUE.md, **/rules.md, **/RULES.md
A Right-to-Left Override or isolate character (U+202A–U+202E, U+2066–U+2069) reorders how the line displays without changing what the tokenizer reads — the Trojan Source trick. The file can look harmless to you while injecting hostile instructions at the token level, and the deception survives copy-paste into a sandbox.
regex `[\u{202A}-\u{202E}\u{2066}-\u{2069}]` against **/*.md, **/*.yaml, **/*.yml, **/*.json, **/SKILL.md, **/*.py, **/*.ts, **/*.js, **/*.sh
Plane-14 tag characters (U+E0000–U+E007F) render as absolutely nothing to a person reading the file in any editor, yet every LLM tokenizer turns them into real tokens. An attacker can hide a whole second instruction in them — telling the agent to drop its safety rules or exfiltrate data — that no reviewer ever sees in the source.
regex `[\u{E0000}-\u{E007F}]` against **/*.md, **/*.yaml, **/*.yml, **/*.json, **/SKILL.md
This hook runs automatically on an agent event. The spotted command the flagged value Base64-decodes a blob and pipes it straight into a shell — encoding that hides the real commands from review, with no legitimate reason for a hook to obscure its own plain text.
regex `(?i)\b(?:echo|printf)\s+["']?[A-Za-z0-9+/=]{32,}["']?\s*\|\s*(?:base64\s+(?:-d|--decode)|openssl\s+base64\s+-d)\s*\|\s*(?:bash|sh|zsh)\b|\bbase64\s+(?:-d|--decode)\s+<<<\s*["'][A-Za-z0-9+/=]{32,}["']\s*\|\s*(?:bash|sh)\b` against .claude/hooks/**, hooks/**, **/*.hook.sh, **/SessionStart*, **/PreToolUse*, **/PostToolUse*
This hook runs automatically on an agent event. The spotted command the flagged value uses eval on command-substituted or variable content — the actual code is assembled at runtime from values not visible in the source, defeating any static review.
regex `(?i)\beval\s+["']?\$\(.*\)|\beval\s+["']?[^"'\n]*\$\{?\w+\}?[^"'\n]*["']?|\bsource\s+<\(.+\)` against .claude/hooks/**, hooks/**, **/*.hook.sh, **/SessionStart*, **/PreToolUse*, **/PostToolUse*
This hook runs automatically on an agent event. The spotted command the flagged value wires a shell to an outbound TCP socket (netcat or /dev/tcp) — a reverse shell that hands an attacker persistent, interactive access to your machine the moment it runs.
regex `(?i)\b(?:nc|netcat|ncat|socat)\s+(?:-[a-z]+\s+)*\S+\s+\d+|/dev/tcp/\S+/\d+|bash\s+-i\s+>&\s*/dev/tcp/` against .claude/hooks/**, hooks/**, **/*.hook.sh, **/SessionStart*, **/PreToolUse*, **/PostToolUse*
This hook runs automatically on an agent event. The spotted command the flagged value invokes sudo in a way that skips the password prompt (a piped password, -n/-S, or NOPASSWD) — so it can run as root without you ever confirming.
regex `(?i)\bsudo\s+(?:-[ASEnk]+\s+)?\b|\becho\s+["']?\$[A-Z_]+["']?\s*\|\s*sudo\s+-S\b|\bNOPASSWD\b` against .claude/hooks/**, hooks/**, **/*.hook.sh, **/SessionStart*, **/PreToolUse*
The server's source spawns processes (e.g. subprocess, child_process, exec()) but its manifest never declares that capability, so the consuming client can't warn the user that this server may run shell commands on their machine.
AND of 2 sub-triggers
An MCP tool's description is read by the agent as trusted instructions. This manifest packs three or more invisible zero-width characters (the flagged value) that the agent tokenizes but a human reviewer cannot see — a way to smuggle hidden instructions past review.
regex `[\u{200B}-\u{200D}\u{2060}\u{FEFF}]` against tools/manifest.json, **/tools/manifest.json, manifest.json, **/*.toolmanifest.json
This plugin references an SSH private-key path or a private-key file header (the flagged value). An SSH private key authenticates you to servers and Git remotes, so code that reads it can impersonate you wherever that key is trusted.
regex `(?i)(~/.ssh/id_rsa|~/.ssh/id_ed25519|~/.ssh/id_ecdsa|/\.ssh/id_[a-z]+|BEGIN\s+(?:RSA|OPENSSH|DSA|EC)\s+PRIVATE\s+KEY)` against **/*.py, **/*.ts, **/*.js, **/*.mjs, **/*.cjs, **/*.go, **/*.rb, **/*.java
This plugin embeds a chat-platform or request-capture webhook URL (the flagged value). Webhooks are the classic exfiltration drop: a plugin collects env, files, or system info and posts it to a hardcoded endpoint the attacker watches.
regex `(?i)https://(?:hooks\.slack\.com/services/|discord(?:app)?\.com/api/webhooks/|outlook\.office\.com/webhook/|api\.telegram\.org/bot|webhook\.site/|requestcatcher\.com/|pipedream\.com/|n8n\.cloud/|zapier\.com/hooks/)\S+` against **/*.py, **/*.ts, **/*.js, **/*.mjs, **/*.cjs, **/*.go, **/*.rb, **/*.java, **/*.md, **/*.json, **/*.yaml, **/*.yml
A base64 string of 128+ characters appears in a documentation file. Encoded prompt injection hides the hostile instruction in base64 — invisible to keyword filters — and relies on the agent's ability to decode it at runtime. There is no normal authoring reason to embed a multi-hundred-byte base64 blob in skill docs.
regex `(?<![A-Za-z0-9+/=])(?:[A-Za-z0-9+/]{4}){32,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?(?![A-Za-z0-9+/=])` against **/*.md, **/*.yaml, **/*.yml, **/*.json, **/SKILL.md, **/CLAUDE.md
A fenced bash/python block in SKILL.md carries a natural-language imperative — "now run this", "execute the following command" — directing the agent to execute the fenced content. What looks like documentation becomes an executable payload the agent may run without ever asking you.
regex `(?ms)^```(?:bash|sh|zsh|powershell|pwsh|cmd|python|node|js|ts)\s*$\s+(?:.*?\b(?:please|now|then|next|first)\s+(?:run|execute|invoke|call|trigger)\b.*?|.*?(?:run|execute|invoke|call|trigger)\s+(?:this|the\s+(?:above|below|following))\s+(?:command|code|script)\b.*?)```` against **/*.md, **/SKILL.md
A hex string of 256+ characters appears in a documentation file — well above a single SHA-256 hash (64 chars). Like its base64 sibling, hex-encoding hides a hostile instruction from keyword filters while staying trivially decodable by the agent at runtime.
regex `(?i)(?<![0-9a-f])([0-9a-f]{256,})(?![0-9a-f])` against **/*.md, **/*.yaml, **/*.yml, **/SKILL.md, **/CLAUDE.md
The text the flagged value is the classic direct prompt-injection phrasing. Placed in a skill body that the agent reads as trusted instructions, it tries to make the agent abandon its prior rules and follow whatever comes next — a full system-prompt override.
regex `(?i)\b(ignore|disregard|forget|override)\s+(all\s+)?(previous|prior|above|earlier)\s+(instructions?|prompts?|rules?|system\s+prompts?)\b` against **/*.md, **/*.yaml, **/*.yml, **/*.json, **/SKILL.md
The phrase the flagged value matches a known role-override jailbreak — DAN, "developer mode", "jailbroken", "unrestricted", or an evil/malicious persona. Embedded in a skill, it tries to push the agent into an adversarial role that drops its safety constraints, without the person running the skill realizing it.
regex `(?i)\b(you\s+are|act\s+as|pretend\s+(to\s+be|you\s+are)|roleplay\s+as)\s+(DAN|developer\s+mode|jailbroken|unrestricted|uncensored|an?\s+(evil|malicious|harmful|amoral)\s+\w+)\b` against **/*.md, **/*.yaml, **/*.yml, **/*.json, **/SKILL.md
Zero-width spaces and joiners (U+200B–U+200D, U+2060, U+FEFF) are invisible to a human reading the file but are emitted as distinct tokens by the agent's tokenizer. Several of them clustered together — this rule fires on three or more — can carry a hidden instruction past a reviewer who sees only ordinary text.
regex `[\u{200B}-\u{200D}\u{2060}\u{FEFF}]` against **/*.md, **/*.yaml, **/*.yml, **/*.json, **/SKILL.md
This hook runs automatically on an agent event. The spotted command the flagged value grants world-writable permissions (777 / a+rwx) — breaking least-privilege and leaving the files open for any other process on the system to tamper with.
regex `(?i)\bchmod\s+(?:-R\s+)?(?:777|a\+rwx|o\+rwx|0?777)\b` against .claude/hooks/**, hooks/**, **/*.hook.sh, **/SessionStart*, **/PreToolUse*, **/PostToolUse*
A rules file is loaded verbatim into the agent as standing instructions for every session. A non-disclosure imperative like the flagged value steers the agent to conceal behaviour, hide tool calls, or withhold information on every prompt — never appearing in any single conversation you'd review.
regex `(?im)^\s*(?:•|-|\*|\d+\.)\s*(?:always|never|must|do\s+not|don[’']t|under\s+no\s+circumstances)\s+(?:reveal|disclose|share|leak|tell\s+(?:the\s+)?(?:user|anyone)|mention)\b` against .cursorrules, .cursor/rules/**, .windsurfrules, .windsurf/rules/**, .continuerules, CONTINUE.md, **/rules.md, **/RULES.md
A rules file is loaded verbatim into the agent. A word like the flagged value mixes Cyrillic, Greek, or mathematical look-alike letters with Latin ones — it reads normally to you but is distinct text to the model, letting an instruction evade keyword review while still steering the session.
regex `[\u{0400}-\u{04FF}\u{1D400}-\u{1D7FF}\u{0370}-\u{03FF}](?:[a-zA-Z]|[\u{0400}-\u{04FF}\u{1D400}-\u{1D7FF}\u{0370}-\u{03FF}]){4,}` against .cursorrules, .cursor/rules/**, .windsurfrules, .windsurf/rules/**, .continuerules, CONTINUE.md, **/rules.md, **/RULES.md
The text the flagged value tells the agent to skip the normal "ask the user first" gate. Used adversarially it removes the human-in-the-loop check before destructive or sensitive actions, turning a normally-gated agent into a fire-and-forget executor.
regex `(?i)\b(do\s+not|don[’']t|never|no\s+need\s+to)\s+(ask|confirm|prompt|request\s+permission|wait\s+for\s+approval|seek\s+consent|verify\s+with\s+the\s+user)\b` against **/*.md, **/SKILL.md, **/CLAUDE.md
Long runs of emoji — especially with variation selectors and zero-width joiners — tokenize in model-specific ways that can encode an instruction while reading as harmless decoration to a person. This rule flags ten or more consecutive emoji, a length that is rare in genuine documentation but common in this obfuscation technique.
regex `(?u)(?:[\U0001F300-\U0001F9FF☀-➿]\u{FE0F}?\u{200D}?){10,}` against **/*.md, **/*.yaml, **/*.yml, **/SKILL.md, **/CLAUDE.md
A word can look like plain English while secretly containing Cyrillic, Greek, or mathematical letters that are visually identical to ASCII — Cyrillic 'а' for Latin 'a', Greek 'ο' for 'o'. This rule flags mixed-script words of five or more characters, a technique used to slip past keyword filters while reading normally to a person.
regex `[\u{0400}-\u{04FF}\u{1D400}-\u{1D7FF}\u{0370}-\u{03FF}](?:[a-zA-Z]|[\u{0400}-\u{04FF}\u{1D400}-\u{1D7FF}\u{0370}-\u{03FF}]){4,}` against **/*.md, **/*.yaml, **/*.yml, **/*.json, **/SKILL.md, **/CLAUDE.md
A bulleted imperative like the flagged value tells the agent to never reveal, disclose, or mention something to the user. Used adversarially it can instruct the agent to hide its tool calls or lie about what it did — stripping the transparency a user relies on to trust the agent.
regex `(?im)^\s*(?:•|-|\*|\d+\.)\s*(?:always|never|must|do\s+not|don[’']t|under\s+no\s+circumstances)\s+(?:reveal|disclose|share|leak|tell\s+(?:the\s+)?(?:user|anyone)|mention)\b` against **/*.md, **/SKILL.md, **/CLAUDE.md
The text the flagged value asks the agent to disclose its hidden system prompt or initial instructions. That is often the first step of a larger attack: knowing the system prompt lets an attacker craft inputs that defeat its constraints by mimicking its own voice.
regex `(?i)\b(repeat|reveal|output|print|show|tell\s+me)\s+(your|the)\s+(system\s+prompt|initial\s+instructions?|original\s+prompts?|hidden\s+instructions?|prompt\s+template)\b` against **/*.md, **/*.yaml, **/*.yml, **/*.json, **/SKILL.md
This hook's repo has the matches or fewer contributors. A small maintainer pool is the classic takeover target — compromising one account, or persuading them to transfer ownership, lets an attacker push a malicious update that every consumer runs automatically.
contributor_count lte 5
This server's file content hashes differ from a prior scan with no matching CHANGELOG or release note. That's the rug-pull signature: a trusted server quietly updated to introduce exfiltration, persistence, or tool-poisoning after consumers learned to trust it.
metadata stars exists true
This server's name is within one character (Levenshtein distance 1) of an established registry entry. It may be a legitimate fork — or a typosquat hoping a user fat-fingers the install command and pulls a hostile server instead of the trusted one.
metadata registry_listings_count gte 1
The account publishing this hook is less than 90 days old. New accounts that publish and disappear are a known supply-chain pattern — and a hook runs with your privileges automatically, so an unestablished author warrants extra scrutiny before you trust it.
metadata owner_age_days lt 90
No signature file (Sigstore, GPG, or minisign) is present in the repo, so a consumer can't verify the install bytes match what the maintainer actually published — leaving the "someone swapped the tarball" attack class open.
no file at **/*.sig or **/*.minisig or **/cosign.pub or **/SIGNATURES or **/.signatures.yaml
The repository ships a CI workflow file but the default branch has no branch protection requiring it to pass. "Has CI" then implies "tests pass on main" when nothing actually enforces that, so a green badge can mask regressions merged into the default branch.
AND of 2 sub-triggers
The default branch has had no commit in more than 365 days. That points to either abandonment or a finished project at steady state — and stale code accumulates unfixed CVEs and compatibility drift over time.
last_commit_age_days gt 365
The default branch saw fewer than three commits in the trailing 90 days. Read alongside the last-commit-age signal, low recent activity suggests the project may not keep pace with bug reports or dependency updates.
commit_freq_90d lt 3
Across issues opened in the last 12 months, the median time to a first maintainer response exceeds 30 days (720 hours). That means bug reports — including security reports — are unlikely to get a timely reply.
issue_response_p50_hours gt 720
Across a 12-month window, more than 80% of opened issues are still open (open / (open + closed)). That suggests issues are being filed faster than they get resolved, so a report you file may sit unresolved.
open_issue_ratio gt 0.8
This rules repository has no README. Because rule files are injected verbatim into the agent's context, an undocumented set forces consumers to read every file to learn its intent, scope, and behaviour — making hidden or surprising instructions easy to miss.
no file at README.md or README or .cursor/rules/README.md or .windsurf/rules/README.md
No LICENSE file was found. Without one, the artifact is "all rights reserved" by default under copyright law, which leaves you with no clear right to redistribute, modify, or even install it depending on your compliance posture.
no file at LICENSE or LICENSE.md or LICENSE.txt or COPYING or COPYING.md or LICENCE or LICENCE.md
This capability has no SKILL.md (or skill.yaml/.yml/.json) manifest. The manifest is what declares the skill's purpose, inputs, and behavior contract, so without it you cannot tell what the skill does or how it behaves without reading every file in the repo.
no file at SKILL.md or **/SKILL.md or skill.yaml or skill.yml or skill.json
No CHANGELOG file was found. Without a record of what changed between releases, you cannot tell a benign patch from a behavior- or license-changing update without reading the diff yourself.
no file at CHANGELOG.md or CHANGELOG or CHANGELOG.txt or CHANGES.md or HISTORY.md
No README file was found. The README is the canonical entry point that explains what an artifact does; without it you would have to read the source or run it speculatively to find out — both unacceptable for code that auto-installs into an agent context.
no file at README.md or README or README.rst or README.txt
No SECURITY.md was found (checked the repo root, .github/, and docs/). Without one there is no stated way to report a vulnerability, which versions are supported, or how quickly the maintainer commits to respond — the baseline for responsible disclosure on code that runs in privileged agent contexts.
no file at SECURITY.md or .github/SECURITY.md or docs/SECURITY.md
This hook has fewer than the matches forks. Low fork counts can hint at limited community use or little third-party validation, but they are a noisy proxy — many sound hooks are rarely forked because they need no customization. This is context only and does not affect the score.
metadata fork_count lt 3
This server appears on at least two independent registries (such as the MCP Registry, Smithery, Glama, PulseMCP, or mcp.so), a community-adoption signal that several curators independently chose to list it. It's reference context only and does not affect the score.
metadata registry_listings_count gte 2
This rules repository has fewer than 5 GitHub stars. Stars are a noisy proxy for community adoption and review; a low count means fewer people have vetted these rules before they were injected into an agent's context. This is context only and does not affect the score.
metadata stars lt 5
Only one contributor is detected. Shown as community context only — solo projects are common and often legitimate, so this signal carries weight 0 and does not affect the score. It lets you weigh the bus-factor risk before deep integration.
contributor_count eq 1
The repository has under 10 GitHub stars. This is shown as community context only — stars are an easily-manipulated, low-quality proxy for adoption, so this signal carries weight 0 and does not affect the score.
metadata stars lt 10
Run the same code through SaferSkills twice and you get the same result — every time. Scores come from fixed, published rules, never from an AI model making a judgment call, so anyone can re-check a verdict for themselves and reach the identical answer. No account, no API key, nothing to take on faith.
No black-box findings. When a check flags something, the report shows exactly what was found, where, and which rule caught it — so you can see the reasoning, confirm it yourself, and fix the issue.
Every public verdict is appealable. Maintainers commit a verification
token to .saferskills/verify.txt in their repo; once verified,
they can submit a public response that appears alongside their findings.
Re-scans triggered within 1 hour of any push.
The vendor right-of-reply form at
/items/<slug>/respond walks through the verification
flow. Findings are never silently deleted — appealed findings carry the
appeal outcome and rationale in the public record.
Try the methodology on your own code — ~30 seconds, no account, full report at a permalink.