AI Agent Skills Are Everywhere. But Which Ones Are Safe to Install?

george — Sat, 13 Jun 2026 09:04:04 +0000

AI agents are becoming less like single chatbots and more like extensible runtimes.

Instead of using a bare model, people are adding skills: coding helpers, research workflows, browser automation, MCP integrations, content generation tools, project-specific instructions, and more.

That is powerful.

But it also introduces a new trust problem.

When you install a third-party skill, you may be giving your agent new instructions, new tool access patterns, new dependencies, and sometimes new scripts. A skill can look helpful in its README while still containing risky behavior.

For example:

reading .env, SSH keys, browser cookies, or API tokens
running curl ... | sh
uploading data to a webhook
using destructive shell commands
telling the agent to ignore higher-priority instructions
including huge prompt files that waste tokens
depending on unpinned or unnecessary packages

As skill ecosystems grow, we need better pre-install checks.

That is why I built SkillPreflight.

What is SkillPreflight?

SkillPreflight is an open-source CLI and GitHub Action that scans AI agent skills before installation.

It performs static analysis and generates a 100-point scorecard covering:

Category	What it checks
Security	Dangerous commands, secret access, exfiltration, prompt injection, remote script execution
Permission restraint	Overbroad activation, unnecessary shell/network/file access
Token efficiency	Oversized skill files, repeated content, poor progressive disclosure
Lightweight footprint	File count, total size, dependencies, large assets
Maintainability	README, license, metadata, examples, documentation hygiene
Reliability	Tests, fixtures, deterministic workflow, error handling
Compatibility	Hardcoded paths, OS-specific assumptions, fragile shell usage

Usage

You can run it without installing anything globally:

npx skill-preflight@latest scan ./my-skill

You can also scan a GitHub repository:

npx skill-preflight@latest scan https://github.com/owner/repo.git

Generate JSON:

npx skill-preflight@latest scan ./my-skill --format json --out report.json

Generate SARIF for GitHub Code Scanning:

npx skill-preflight@latest scan ./my-skill --format sarif --out skill-preflight.sarif

GitHub Action

SkillPreflight is also available as a GitHub Action:

name: SkillPreflight

on: [pull_request, push]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: agent-contracts/skill-preflight@v1
        with:
          target: "."
          fail-below: "70"

Safety model

SkillPreflight does not execute scripts from the skill being scanned.

It only reads files and performs static analysis. The goal is not to guarantee that a skill is perfectly safe, but to surface obvious red flags before users install it.

Why this matters

Browsers have extension permission prompts.

npm has package audits.

Containers have image scanners.

AI agent skills should have pre-install checks too.

As the AI agent ecosystem grows, users need a simple way to ask:

What does this skill actually do, and is it safe enough to install?

SkillPreflight is an early attempt at that.

GitHub:
https://github.com/agent-contracts/skill-preflight

npm:
https://www.npmjs.com/package/skill-preflight

GitHub Marketplace:
https://github.com/marketplace/actions/skillpreflight