Agents inherit risk from the software they load and call. Signal scans full repositories, not just instruction files, so teams can review MCP code, scripts, workflows, packages and install logic before trust.
A reproducible map of the software agents load and call.
Whole-repo grades, reproducible by pinned engine version.
AI agents rely on external components to act: MCP servers, tools, packages, CLIs, workflows, skills and repository templates. Each can expand what the agent can access, execute or expose.
MCP servers and tools define what an agent can call, and on whose behalf.
CLIs, scripts and workflow actions turn agent intent into system changes.
Packages and templates introduce behavior nobody reviewed.
Teams need to review components before they enter agent work.
We clone each repository and scan every file, so Signal already surfaces risk across the surfaces a repo ships, not just its skill instructions. Skills are where the public directory starts; the detection spans the whole repo.
Detection coverage is already ecosystem-wide because we scan the whole repository. What is "next" is browsing each surface as its own first-class list, not the detection itself.
Signal uses deterministic rules to surface patterns worth reviewing. A detection is not a claim that a component is malicious; it is a signal it deserves security attention before trust.
Signal scans every indexed repository deterministically, with GitHub code search as the only crawl source. No registry scrapers, no sampling.
GitHub code search finds AI-agent repos. The seed today is `filename:SKILL.md`, with more seeds next.
Pull the whole repository, with content-hash dedup so unchanged repos are skipped.
Oktsec's deterministic engine runs offline across all 12 analyzers: skills, MCP code, CLIs, packages, Actions and supply-chain. A pinned version yields identical results.
Audit low-confidence matches, grade A-F per repo, and export the directory, datasets, badges and alerts.
Skill-only scanners read the SKILL.md. The real risk lives in the rest of the repository, the install scripts, dependencies, workflows and MCP code. Signal scans all of it, deterministically and reproducibly, so it surfaces what they never open.
| Surface scanned | Oktsec Signal (whole repo, reproducible) | Snyk agent-scan (skill file) | Socket / Gen (packages / skill text) |
|---|---|---|---|
| Skill instructions (SKILL.md) | | | |
| MCP server code (tool definitions & handlers) | | | |
| CLIs & scripts (command surfaces, shell) | | | |
| Packages & lockfiles (declared & transitive deps) | | | |
| GitHub Actions (.github/workflows) | | | |
| Supply-chain install logic (build.rs, setup.py, lifecycle) | partial |
of audited repos carried HIGH/CRITICAL risk in code the others never open: scripts, workflows and MCP server code, including cases all three providers (Snyk, Socket, Gen) missed entirely. On 80 skills audited by skills.sh.
| Repository | Risk Signal found (outside the SKILL.md) | Snyk · Socket · Gen |
|---|---|---|
| jimliu/baoyu-skills | command execution in scripts/check-paste-permissions.ts | all clean - missed |
| starchild-ai-agent/official-skills | MCP server code in twelvedata/__init__.py | all clean - missed |
| schpet/linear-cli | supply-chain in .github/workflows/release.yml | all clean - missed |
| onmax/nuxt-skills | command execution in scripts/generate-components.ts | all clean - missed |
| vercel-labs/skills | OIDC risk in .github/workflows/publish.yml | Snyk flagged a soft skill issue, missed the workflow |
Verdicts from skills.sh's own published Snyk, Socket and Gen results. On the lone SKILL.md the tools mostly agree; the difference shows up across the rest of the repository, which only Signal scans. Every row is reproducible from a pinned engine version. Methodology, engine version and source list are published with the research.
Skill-only scanners audit the SKILL.md. Oktsec Signal scans the whole repository the skill ships in, so it surfaces the supply-chain, workflow and code risk they never look at.
Other scanners give you a different answer each run. Oktsec's engine doesn't: pin the version and the same component scores the same grade, forever. That is what makes it usable in CI and defensible in compliance.
Every Signal report shows the exact engine version that produced it, so any grade can be reproduced from scratch.
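The pipeline described above (clone, content-hash dedup, deterministic rules, A-F grade) and the pinned-version reproducibility claim can both be shown in one small worked example. The code below is an added illustration, not Oktsec's engine or any of its rules: the rule patterns, severity weights, grade thresholds, `ENGINE_VERSION` string and the in-memory sample repository are all constructed assumptions. It hashes a repository snapshot so unchanged repos are skipped, runs a fixed rule set over every file in sorted order, stamps the report with the engine version, and exposes a threshold gate of the kind a CI check would use.

```python
"""Hypothetical deterministic repo-scanning pipeline (example code, not
Oktsec's engine): content-hash dedup, fixed rules over every file, an A-F
grade, and a report stamped with a pinned engine version."""
import hashlib
import json
import re
from typing import Dict, List, Tuple

# Assumption: a pinned engine version string embedded in every report.
ENGINE_VERSION = "example-engine-0.1.0"

# Each rule: (rule id, path regex, content regex, severity).
# Constructed patterns; a match means "worth human review", not "malicious".
RULES: List[Tuple[str, str, str, str]] = [
    ("cmd-exec-in-script", r"(^|/)scripts/.*\.(ts|js|py|sh)$",
     r"\b(child_process|subprocess|os\.system)\b", "HIGH"),
    ("curl-pipe-shell", r".*", r"curl[^\n|]*\|\s*(ba)?sh\b", "CRITICAL"),
    ("workflow-pr-target", r"^\.github/workflows/.*\.ya?ml$",
     r"pull_request_target", "HIGH"),
    ("workflow-id-token-write", r"^\.github/workflows/.*\.ya?ml$",
     r"id-token:\s*write", "MEDIUM"),
    ("install-hook", r"(^|/)package\.json$", r'"(pre|post)install"\s*:', "MEDIUM"),
]

# Assumed severity weights and grade thresholds.
SEVERITY_WEIGHT = {"CRITICAL": 40, "HIGH": 20, "MEDIUM": 8, "LOW": 2}
GRADE_ORDER = "ABCDEF"


def content_hash(repo: Dict[str, str]) -> str:
    """Stable identity for a snapshot: every path and its content, sorted,
    so an unchanged repo hashes the same and can be skipped next crawl."""
    h = hashlib.sha256()
    for path in sorted(repo):
        h.update(path.encode())
        h.update(b"\0")
        h.update(repo[path].encode())
        h.update(b"\0")
    return h.hexdigest()


def run_rules(repo: Dict[str, str]) -> List[dict]:
    """Apply every rule to every file in sorted path order, so the finding
    list is the same on every run for the same input."""
    findings = []
    for path in sorted(repo):
        for rule_id, path_re, body_re, sev in RULES:
            if re.search(path_re, path) and re.search(body_re, repo[path]):
                findings.append({"rule": rule_id, "file": path, "severity": sev})
    return findings


def grade(findings: List[dict]) -> str:
    """Map a weighted severity sum onto A-F (thresholds are assumptions)."""
    score = sum(SEVERITY_WEIGHT[f["severity"]] for f in findings)
    if score == 0:
        return "A"
    if score < 10:
        return "B"
    if score < 25:
        return "C"
    if score < 50:
        return "D"
    return "F"


def scan(repo: Dict[str, str], cache: Dict[str, dict]) -> Tuple[dict, bool]:
    """Return (report, scanned). If the content hash was seen before, reuse
    the cached report instead of rescanning."""
    digest = content_hash(repo)
    if digest in cache:
        return cache[digest], False
    findings = run_rules(repo)
    report = {"engine": ENGINE_VERSION, "content_hash": digest,
              "findings": findings, "grade": grade(findings)}
    cache[digest] = report
    return report, True


def report_fingerprint(report: dict) -> str:
    """Hash of the canonical JSON report; equal fingerprints mean a grade
    was reproduced exactly."""
    return hashlib.sha256(json.dumps(report, sort_keys=True).encode()).hexdigest()


def passes_threshold(report: dict, min_grade: str = "B") -> bool:
    """CI-style gate: True when the grade is at least min_grade."""
    return GRADE_ORDER.index(report["grade"]) <= GRADE_ORDER.index(min_grade)


# Constructed sample repository: a skill file plus a script and a workflow.
SAMPLE_REPO = {
    "SKILL.md": "# Demo skill\nRun the helper script to check permissions.\n",
    "scripts/check.ts": "import { execSync } from 'child_process';\nexecSync('ls');\n",
    ".github/workflows/publish.yml": "permissions:\n  id-token: write\non: [push]\n",
}

if __name__ == "__main__":
    cache: Dict[str, dict] = {}
    report, scanned = scan(SAMPLE_REPO, cache)
    print(json.dumps(report, indent=2), "scanned:", scanned)
    print("reproducible:", report_fingerprint(scan(SAMPLE_REPO, cache)[0]) == report_fingerprint(report))
```

Two properties carry the weight here: the finding list is built from sorted paths and a fixed rule order, so there is no run-to-run variance to explain away, and the report embeds both the engine version and the content hash, so anyone holding the same snapshot and the same pinned rules can regenerate and compare the fingerprint.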
Signal starts as a public security index and a private monitoring layer for teams adopting AI agents.
Browse AI-agent repos by latest, risk, stars or forks.
Grade, detections and per-file findings for any repository.
A local, in-tab scan of a component, with nothing sent to a server.
Embeddable grade badges, bulk CSV datasets and a public RSS alert feed.
The public index is step one. Signal can become private monitoring for the components a company depends on.
Keyed, rate-tiered endpoints: per-component report, search and rollups.
Track repos, owners and orgs; get a push when a new critical lands or a grade drops.
Fail a PR on a configurable grade or severity threshold before a component ships.
Scan an org's private repos with a scoped token; results stay private to the org.
Every grade over time, not just the last snapshot, to detect rug-pulls and drift.
Authors as first-class entities, with correlation to surface coordinated networks.
Browse the public index, or request private monitoring for the components your company depends on.