mondoohq/skillcheck

GitHub: mondoohq/skillcheck

A security detection tool that scans locally installed AI agent skills and compares them against a threat database.

Stars: 2 | Forks: 0

# skillcheck

Scan your machine for malicious AI agent skills in seconds.

```
npx @mondoohq/skillcheck
```

![skillcheck demo](https://static.pigsec.cn/wp-content/uploads/repos/2026/04/e72e0520d0030825.gif)

skillcheck detects locally installed AI agent skills, computes SHA-256 checksums, and checks them against the [Mondoo AI Agent Security](https://mondoo.com/ai-agent-security) database — covering prompt injection, credential theft, data exfiltration, and 25+ other threat categories across 1,200+ known skills.

## Supported Agents

| Agent | What's Detected |
|-------|-----------------|
| [Claude Code](https://docs.anthropic.com/en/docs/claude-code) | skills, plugins, MCP servers |
| [OpenAI Codex](https://openai.com/index/introducing-codex/) | skills, plugins, MCP servers |

More agents (Cursor, GitHub Copilot, Goose, Gemini CLI, Windsurf, Zed) are coming soon.

## Installation

```
# Run directly (no install required)
npx @mondoohq/skillcheck

# Or install globally
npm i -g @mondoohq/skillcheck
```

Binaries for macOS, Linux, and Windows are also available on [GitHub Releases](https://github.com/mondoohq/skillcheck/releases).

## Usage

```
# Scan all detected agents
skillcheck

# JSON output for CI/CD pipelines
skillcheck --json

# Verbose output with full hashes and report URLs
skillcheck --verbose
```

### CI/CD Integration

skillcheck exits with code **1** when critical or high-risk skills are found, making it easy to use as a gate:

```
# GitHub Actions
- run: npx @mondoohq/skillcheck
```

```
# Any CI pipeline
npx @mondoohq/skillcheck --json --no-color
```

## What's Checked

For each detected agent, skillcheck:

1. Discovers installed skills, plugins, MCP servers, and rules
2. Computes a SHA-256 content hash for each skill
3. Queries the [Mondoo skill database](https://mondoo.com/ai-agent-security/skills) for known threats
4. Reports findings with severity, summary, and a link to the full security report

Skills that aren't in the database yet show as clean — skillcheck fails open, never blocks your workflow.
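Because unknown skills report as clean, a team that wants unreviewed or modified skills surfaced can pin reviewed ones by hash alongside the scan. The following Node.js script is an added example, not part of skillcheck or its README; the hashing scheme, the `pinned` map, the function names and the sample directory are assumptions made for illustration.

```javascript
const crypto = require("crypto");
const fs = require("fs");
const os = require("os");
const path = require("path");

function listFiles(dir) {
  return fs.readdirSync(dir, { withFileTypes: true }).flatMap((e) => {
    const p = path.join(dir, e.name);
    // Recurse into directories; symlinks and special files are skipped.
    return e.isDirectory() ? listFiles(p) : e.isFile() ? [p] : [];
  });
}

// SHA-256 over sorted relative paths, each bound to its length and bytes.
// Assumption: this scheme is local to the example, not skillcheck's own hash.
function hashSkillDir(dir) {
  const h = crypto.createHash("sha256");
  const rels = listFiles(dir).map((p) => path.relative(dir, p).split(path.sep).join("/"));
  for (const rel of rels.sort()) {
    const data = fs.readFileSync(path.join(dir, rel));
    h.update(`${rel}\0${data.length}\0`).update(data);
  }
  return h.digest("hex");
}

// Classify each skill dir against pinned: Map of name -> reviewed hash (hypothetical).
function auditSkills(skillsRoot, pinned) {
  return fs.readdirSync(skillsRoot, { withFileTypes: true }).filter((e) => e.isDirectory())
    .map((e) => {
      const sha256 = hashSkillDir(path.join(skillsRoot, e.name));
      const want = pinned.get(e.name);
      const status = want === undefined ? "unreviewed" : want === sha256 ? "reviewed" : "changed";
      return { name: e.name, sha256, status };
    })
    .sort((a, b) => (a.name < b.name ? -1 : 1));
}

// Constructed sample: three skills in a temp dir; "deploy" is edited after pinning.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "skills-"));
  const pinned = new Map();
  for (const n of ["deploy", "fmt", "notes"]) {
    fs.mkdirSync(path.join(root, n));
    fs.writeFileSync(path.join(root, n, "SKILL.md"), `# ${n}\n`);
    if (n !== "notes") pinned.set(n, hashSkillDir(path.join(root, n)));
  }
  fs.writeFileSync(path.join(root, "deploy", "SKILL.md"), "# deploy\nedited after pinning\n");
  try { return auditSkills(root, pinned); }
  finally { fs.rmSync(root, { recursive: true, force: true }); }
}
```

In a pipeline, any entry whose status is not `reviewed` can fail the job or open a review ticket, independent of the skillcheck exit code.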
## Links

- [Mondoo AI Agent Security](https://mondoo.com/ai-agent-security)
- [Skill Database](https://mondoo.com/ai-agent-security/skills) — browse 1,200+ analyzed skills
- [Security Checks](https://mondoo.com/ai-agent-security/checks) — 25+ threat categories