Tessl
Stop trusting your agent skills with vibes. Eliminate the context security risk.

When you install an npm package, you can run npm audit. When you install a Python package, there's pip-audit. But when you install plugins that give your AI agent new skills and rules, you know, things that directly shape how it reasons and what it does, what do you run?

If your answer is "nothing", you're not alone, and that's why I built tessl-audit! You can check it out on GitHub and npm.

Why this matters more than you think

Agent plugins are instructions that get loaded into your AI agent's context. A plugin with a security issue doesn't just expose a server endpoint. It can influence the agent's behaviour in ways that are subtle and hard to detect, perhaps nudging it toward unsafe patterns, exposing data it shouldn't, or simply making it worse at its job.

Ask yourself these three questions about your agent skills, and if the answer to any of them is no, you’re seconds away from being able to say yes, with tessl-audit.

  1. Have all your skills been security scanned? If so, what was the result?
  2. Can you prove your skills are any good? Quality scores tell you how well-written and complete a plugin is. A low score means the agent is getting poor guidance.
  3. Do your skills and plugins actually help? Uplift scores measure whether a plugin improves agent task performance compared to a vanilla agent alone.

Join us at AI Native DevCon (use C0DE30 for 30% discount)

Why not try it right now?

It’s a free open source tool that uses Tessl under the covers. If you have a Tessl project with plugins installed, just run this in your project root:

```shell
npx tessl-audit
```

Wait, is that it? Absolutely, that's it. It reads your tessl.json, fetches live data from the registry for every plugin, and prints a report in about 30 seconds.

The script begins by looking through all the context files it finds in the tessl.json manifest. This should complete pretty quickly, and you’ll soon see a table with a breakdown of your project context and the types of warnings that have been picked up.


Next, the tool gives a posture summary of all of your context, giving more details of the riskiest skills in your project and what the issues are.


You can click through on any of these links to see the actual issues in the registry web UI.


And finally, the tool lists next-step actions: the CLI commands to use (an agent can call these too) to optimize your skills and to create and run evals on them.


The "so what" for each finding

Advisory, Risky, or Critical security status?

The report prints each flagged plugin with its warning codes and a direct link to the full security report on the registry. No need to chase them down: the security posture report shows the full summary in one listing, so you can deep dive where needed. Just open the link, read the finding, and decide whether it applies to your use case.

Quality below 80%?

The plugin you’re using is giving your agent incomplete or poorly-structured guidance. Run:

```shell
tessl skill review --optimize workspace/plugin-name
```

This runs a quality review and applies automatic improvements.

No uplift data?

The plugin has never been evaluated against real tasks — so you have no idea if it's helping or hurting. Fix that:

```shell
tessl scenario generate --count 5 workspace/plugin-name
tessl eval run workspace/plugin-name
```

Generate a set of test scenarios from the plugin, then run the eval. You'll get a concrete uplift score showing whether the plugin is worth keeping.
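To make the three findings above concrete, here is an added example (not tessl-audit's own code) of the per-plugin decision logic an audit like this applies: worst warning decides the security status, quality under 80% and missing uplift data each trigger the CLI actions above. The manifest shape, registry record shape and warning codes are constructed assumptions, since the real formats aren't shown in this post.

```javascript
// Added illustration of the audit flow described above; NOT the tessl-audit source.
// The manifest and registry shapes below, and the warning codes, are constructed
// stand-ins: the real tool reads tessl.json and fetches live registry data.
const SEVERITY = { advisory: 1, risky: 2, critical: 3 };
const QUALITY_THRESHOLD = 80; // the post's "Quality below 80%?" cut-off

// Constructed stand-in for the plugin list a tessl.json manifest would provide.
const manifest = {
  plugins: ["workspace/safe-docs", "workspace/shell-helper", "workspace/untested"],
};

// Constructed stand-in for the live registry data fetched for every plugin.
const registry = {
  "workspace/safe-docs": { warnings: [], quality: 91, uplift: 12 },
  "workspace/shell-helper": {
    warnings: [{ code: "SEC-ADV-1", level: "advisory" }, { code: "SEC-CRIT-2", level: "critical" }],
    quality: 64, uplift: 3,
  },
  "workspace/untested": { warnings: [{ code: "SEC-RISK-3", level: "risky" }], quality: 85, uplift: null },
};

// Audit one plugin: overall status is the most severe warning level present,
// and each finding maps to the follow-up command the report recommends.
function auditPlugin(name, record) {
  if (!record) throw new Error(`no registry record for ${name}`);
  const worst = record.warnings.reduce((max, w) => Math.max(max, SEVERITY[w.level] || 0), 0);
  const status = Object.keys(SEVERITY).find((k) => SEVERITY[k] === worst) || "clean";
  const actions = [];
  if (record.quality < QUALITY_THRESHOLD) actions.push(`tessl skill review --optimize ${name}`);
  if (record.uplift == null) {
    actions.push(`tessl scenario generate --count 5 ${name}`, `tessl eval run ${name}`);
  }
  const codes = record.warnings.map((w) => w.code);
  return { name, status, codes, quality: record.quality, uplift: record.uplift, actions };
}

// Posture summary: audit every manifest plugin and list the riskiest first.
function auditProject(manifest, registry) {
  return manifest.plugins
    .map((name) => auditPlugin(name, registry[name]))
    .sort((a, b) => (SEVERITY[b.status] || 0) - (SEVERITY[a.status] || 0));
}

for (const f of auditProject(manifest, registry)) {
  const uplift = f.uplift == null ? "no uplift data" : `uplift ${f.uplift}`;
  console.log(`${f.status.padEnd(8)} ${f.name}  quality ${f.quality}%  ${uplift}  [${f.codes.join(", ")}]`);
  for (const a of f.actions) console.log(`  -> ${a}`);
}
```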

The bigger picture

Every team that uses AI agents is building a dependency graph of skills, rules, and knowledge, just like they build a dependency graph of packages. The tooling for auditing that graph is still being built, but the risks are real and growing.

tessl-audit is a small, practical step: one command, zero installation, actionable output. Run it today and find out what your agent is actually working with.

```shell
npx tessl-audit
```

tessl-audit requires the Tessl CLI (no worries, it’s already a dependency) and an authenticated Tessl session (just create a free account if you haven’t got one). You’ll also need a tessl.json, the context manifest file, in your project root in order to run tessl-audit.
