🔒 Security Dashboard

Transparent Security Analysis

We scan every skill with automated heuristics. We're honest about limitations: these are pattern-matching checks, not deep code review. Use this as a starting point, not a guarantee.

💡

What Our Security Scanning Actually Does

  • ✅ We DO: Check for dangerous install patterns (curl | bash), malware-associated keywords, and verify GitHub presence
  • ❌ We DON'T: Review actual source code, test at runtime, or guarantee safety
  • 🎯 Our goal: Give you useful signals to make informed decisions, not false confidence
📊
-
Skills Scanned
-
No Obvious Red Flags
⚠️
-
Flagged Heuristics
-
Unverified
🎯
-
Avg Security Score

How the Security Score Works (0-100)

Four components, each worth up to 25 points. Higher is better.

Command Risk

0-25 pts

Checks install commands for dangerous patterns like curl | bash, eval, or piped shell execution.

🔴 curl ... | bash -25 pts
🟢 npm install package +25 pts
🔍

Keyword Risk

0-25 pts

Scans name/description for malware-associated terms: stealer, keylogger, backdoor, etc.

🔴 "credential stealer" -25 pts
🟢 No suspicious keywords +25 pts
🏢

Provider Trust

0-25 pts

Weight based on how curated the source is. Curated marketplaces score higher than raw directories.

🟢 Smithery/Glama +20-22 pts
🟡 ClawHub/APIs.guru +12-15 pts
🐙

GitHub Presence

0-25 pts

Verifies repository exists, checks stars, activity, and archival status.

🟢 Active repo + stars +20-25 pts
🔴 No GitHub link +0 pts

Security Status Labels

🏆 Verified by AiOrbit

Actual runtime testing by our team. Reserved for future use - we're building real moat here.

✅ No obvious red flags

Passed automated scans: no dangerous commands, no malware keywords, has GitHub. Not a guarantee of safety.

⚠️ Flagged heuristics

One or more automated checks triggered. Review the specific reasons before installing.

❓ Unverified

Insufficient information to assess. No GitHub repo, no install instructions, unknown provider.

Security by Provider

How different sources stack up in our automated scans.

Loading provider data...

Top Flagged Patterns

Most common reasons skills get flagged. These aren't necessarily malicious, but warrant review.

Loading pattern data...

Skills Requiring Attention

Skills with flagged patterns or insufficient verification. Review carefully.

Loading skills...

🔎 How to Verify a Skill Yourself

Don't trust our scans blindly. Here's a checklist for your own due diligence.

1

Check the GitHub Repository

  • Is the repo public and accessible?
  • When was the last commit? (Active maintenance is good)
  • How many stars/forks? (Community trust signal)
  • Are issues being responded to?
2

Read the Install Command

  • Does it pipe to bash/sh? Big red flag
  • Does it download and execute from a URL you can't inspect?
  • Can you install via npm/pip instead of curl?
3

Review the Source Code

  • Look for network calls - where is data being sent?
  • Check for obfuscated code (base64, eval, etc.)
  • Search for credential/token handling
4

Test in Isolation

  • Run in a sandbox/VM first
  • Use minimal permissions
  • Monitor network traffic during first run
🚨

Report a Security Issue

Found a malicious skill or security vulnerability? Help us keep the ecosystem safe.

Report Security Issue