Developers

Scan agent skills from your terminal, CI/CD pipeline, or any script. Everything you need to integrate SecureSkill programmatically.

CLI

Install the SecureSkill CLI to scan skills from your terminal.

npm install -g @secureskill/cli

Usage

# Scan from any supported marketplace
secureskill scan https://github.com/org/repo/tree/main/skills/my-skill
secureskill scan https://clawhub.ai/publisher/skill-name
secureskill scan https://skills.sh/publisher/skill-collection
secureskill scan https://agentskill.sh/@publisher/skill-name
secureskill scan https://skillsmp.com/skills/skill-name
secureskill scan https://skillsdirectory.com/skills/skill-name
secureskill scan https://lobehub.com/skills/publisher-skill-name
secureskill scan https://skillhub.club/skills/publisher-repo-skill-name

# Scan a local directory
secureskill scan ./my-skill/

# Quick verdict lookup (~50ms, no LLM call) — reads cached SSP record
secureskill ssp-check publisher/skill

# JSON output for CI/CD
secureskill scan <url> --json

# Fail on caution or block verdicts
secureskill scan <url> --fail-on caution

# Check auth status
secureskill whoami

# Log in (browser OAuth or API key)
secureskill login

API Keys

API keys let you authenticate scans from CLI, scripts, and CI/CD without browser login. Available on Pro plans and above.

Using your key

# CLI — set as environment variable
export SECURESKILL_API_KEY=sk-your-key-here
secureskill scan https://github.com/user/skill

# CI/CD — use secrets
SECURESKILL_API_KEY=${{ secrets.SECURESKILL_API_KEY }} secureskill scan ./skills

# HTTP — pass as header
curl -X POST https://secureskill.ai/api/scan-url \
  -H "Content-Type: application/json" \
  -H "X-API-Key: sk-your-key-here" \
  -d '{"url": "https://github.com/user/skill"}'

Authentication

Anonymous: No auth required. IP rate-limited to 20 scans/hour. Results are not saved to any account.
API Key: Pass via X-API-Key header or SECURESKILL_API_KEY env var. Scans auto-claim to your account. Pro plan required.
OAuth: Run secureskill login to authenticate via browser. Stores a refresh token locally.

Rate Limits & Quota

Plan      Scans / month  API Keys
Free      30             No
Pro       200            Yes
Team      1,000          Yes
Shield    3,000          Yes
Registry  25,000         Yes

CI/CD Integration

Add SecureSkill to your pipeline to gate deployments on scan results.

GitHub Actions

- name: Scan skill for security threats
  run: npx @secureskill/cli scan ./skills --json --fail-on caution
  env:
    SECURESKILL_API_KEY: ${{ secrets.SECURESKILL_API_KEY }}

Exit codes

0 — SAFE (or below --fail-on threshold)

1 — CAUTION or BLOCK (depending on threshold)

2 — Error (network, auth, server)
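
An added example (not part of SecureSkill's own documentation or tooling): a POSIX shell wrapper that gates a pipeline on the exit codes listed above, retrying only on exit 2 and failing closed when errors persist or no skill directory is found. The function names, the SCAN_ATTEMPTS variable and the one-skill-per-sub-directory layout are assumptions.

```shell
#!/bin/sh
# Gate on the exit codes documented above: 0 = SAFE, 1 = CAUTION/BLOCK at the
# --fail-on threshold, 2 = error. Function names, SCAN_ATTEMPTS and the
# one-skill-per-sub-directory layout are assumptions made for this example.

# Scan one skill. A verdict (1) is final and never retried; only errors are
# retried, and a persistent or unexpected code is normalised to 2.
scan_one() {
  so_dir=$1; so_threshold=$2; so_report=$3; so_try=1
  while :; do
    so_rc=0
    secureskill scan "$so_dir" --json --fail-on "$so_threshold" \
      >"$so_report" || so_rc=$?
    case "$so_rc" in
      0|1) return "$so_rc" ;;
    esac
    if [ "$so_try" -ge "${SCAN_ATTEMPTS:-2}" ]; then return 2; fi
    so_try=$((so_try + 1))
  done
}

# Scan every sub-directory of a skills root, print one "<skill> <outcome>" line
# each, and return the worst code seen. Errors and an empty root fail closed (2).
gate_skills() {
  gs_root=$1; gs_threshold=${2:-caution}; gs_reports=${3:-./scan-reports}
  gs_worst=0; gs_count=0
  mkdir -p "$gs_reports"
  for gs_dir in "$gs_root"/*; do
    [ -d "$gs_dir" ] || continue
    gs_name=$(basename "$gs_dir"); gs_count=$((gs_count + 1)); gs_rc=0
    scan_one "$gs_dir" "$gs_threshold" "$gs_reports/$gs_name.json" || gs_rc=$?
    case "$gs_rc" in
      0) echo "$gs_name pass" ;;
      1) echo "$gs_name verdict" ;;
      *) echo "$gs_name error" ;;
    esac
    if [ "$gs_rc" -gt "$gs_worst" ]; then gs_worst=$gs_rc; fi
  done
  if [ "$gs_count" -eq 0 ]; then
    echo "no skills found under $gs_root" >&2
    return 2
  fi
  return "$gs_worst"
}

# Pipeline step (API key supplied by the CI secret store, never echoed):
#   gate_skills ./skills caution ./scan-reports || exit $?
```

Keeping exit 2 distinct from exit 1 lets the pipeline report an outage or auth failure separately from a real CAUTION or BLOCK verdict while still blocking the deployment in both cases.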

API Reference

Scan a skill by URL

POST /api/scan-url
Content-Type: application/json
X-API-Key: sk-your-key-here

{"url": "https://github.com/user/my-skill"}

# Returns: SSE stream with scan progress + result

Get a scan report

GET /api/report/{scan_id}

# Returns: JSON with full scan result, findings,
# layer data, corroboration, and metadata

Upload a skill package

POST /api/scan-upload
Content-Type: multipart/form-data
X-API-Key: sk-your-key-here

file: skill.zip

# Returns: SSE stream with scan progress + result