Free scanner · AI agent skills

Scan the files your coding agent obeys.

Connect GitHub or upload a zip. EarlyCore reads SKILL.md, repo instructions, rules, MCP manifests, hooks, and helper scripts. If a skill says it deploys Lambda, we check for credential reads, remote downloads, IAM changes, and Terraform runs outside the expected folder.

Use it before installing a third-party skill, approving a repo rule, or letting an agent run a helper script. Prefer not to connect GitHub? Upload a zip instead.

Before-use checks

If a skill says it can do something, we check the files and tools it asks your agent to use.

Useful skills need real access. The scanner shows whether that access matches the job: commands, URLs, hooks, manifests, MCP tools, and repo paths.

Before a skill deploys to AWS

If it says it can deploy a Lambda, we check for shell commands that read AWS credentials, download scripts, change IAM policy, or run Terraform outside the expected folder.

Before a docs helper reads your repo

If it says it only summarizes docs, we check whether it also asks the agent to call MCP tools, follow remote URLs, run local scripts, or inspect files outside the docs path.

Before a review skill comments on code

If it says it reviews pull requests, we check for instructions that hide findings, skip security files, auto-approve tool calls, or tell the agent not to mention certain failures.

Before a helper script runs

If the skill ships scripts, we check entry points, encoded payloads, curl-to-shell install steps, git hooks, launch files, and comments that carry extra agent instructions.

Why scan them first

Attackers do not need to compromise the model if they can compromise the files it obeys.

AI coding agents read skills and repo instructions before they act. That turns files like SKILL.md, AGENTS.md, CLAUDE.md, .cursor/rules, .mcp.json, hooks, and helper scripts into inputs your agent may follow without a human reading every line first. Agent Skills Scanner finds the mismatch between the skill's stated purpose and the actions it asks your agent to take.

Hidden instructions

Invisible Unicode, encoded payloads, and comments that tell the agent to ignore normal review steps or conceal what it found.

MCP overreach

MCP servers that expose shell, browser, GitHub, database, or cloud tools beyond what the skill description says it needs.

Persistence hooks

Hooks and scripts that fetch remote code, change local config, or keep running through repo files after the original prompt is gone.

Secrets in instructions

Tokens, keys, passwords, and internal URLs pasted into skills, rules, or helper files that every agent is encouraged to read.

How it works

From repo to fix plan in three steps.

Use it before a developer approves a new skill: see the exact file, the instruction or command that triggered the finding, and the edit that would make it safer.

  1. 01

    Connect GitHub or upload a zip.

    Pick the repos you want to scan, or keep GitHub out of the loop and upload only the skills, rules, manifests, and scripts you want checked.

  2. 02

    We inspect the instructions and helpers.

    We compare what the skill says it does with what it asks for: shell commands, MCP tools, external URLs, repo paths, hooks, encoded text, and secrets.

  3. 03

    You get the risk and the fix.

    Each finding shows the risky file, why it matters, the suggested edit, a corrected snippet where useful, and an effort estimate for triage.

Supported agent files

Built for the AI agents your developers already use.

The scanner recognises skill files, repo instructions, rules folders, MCP manifests, hooks, and helper scripts across the agent tools your developers already use. A docs helper reading /docs is normal; the same helper asking for shell, GitHub write access, or files under .aws/ gets flagged.

Supported agent surfaces

Claude CodeCursorGitHub CopilotWindsurfCodexClineRooAiderGeminiAmazon QKiroJunieGooseContinueAgents.md2 manifest variants

Repo access

Read-only GitHub access, zip upload if you prefer.

We mint a short-lived read-only GitHub install token at scan time, clone what you selected, and discard the token when the clone finishes. Every report also shows what was and was not covered, so security and compliance teams can judge the result properly.

Read-only by default

The scan does not need write access to your repo.

Token expires quickly

GitHub access is capped at a 60-minute maximum lifetime.

No long-lived credentials

We do not store persistent GitHub repo credentials in our database.

Zip upload alternative

Upload only the config files if you do not want to connect a repo.

Part of Red Team

Skills Scanner checks the files your agent will read. Red Team tests the live endpoint and agent behavior.

Agent Skills Scanner and live Red Team scans share the same Scans view, severity model, remediation style, and audit trail. Start free with skill and repo checks. Move to endpoint and agent testing when you need evidence for clients or auditors.

Explore Red Team

Run the free scan

Find risky agent skills before your team starts using them.

Connect GitHub, choose a repo, and see which skills, rules, MCP manifests, and helper scripts deserve review before your team relies on them.