How we compare
The agent skills ecosystem is new. So is the security tooling. Here's how SafeAgentSkills fits alongside other approaches.
| ๐ก๏ธ SafeAgentSkills | ๐ Snyk Agent Scan | ๐ Socket.dev | ๐ Manual Review | |
|---|---|---|---|---|
| What it is | Browsable safety report for every skill on ClawHub | CLI scanner for local MCP servers & skills | Supply chain scanner integrated into skills.sh | Reading SKILL.md and scripts yourself |
| Approach | Pre-computed catalog | On-demand CLI | Continuous pipeline | Ad-hoc |
| Browsable web catalog | โ | โ | ~ | โ |
| Skills pre-analyzed | 17,346+ ClawHub registry | 0 Scan-on-demand only | 60K+ skills.sh registry | โ Whatever you read |
| Ecosystem | ClawHub (OpenClaw) | Claude, Cursor, Gemini, Windsurf | skills.sh (Vercel) | Any |
| MCP server scanning | โ | โ | โ | ~ |
| Permission & capability mapping | โ | โ | โ | ~ |
| Risk scoring | H M L Hazard ยท Dependency ยท Access ยท Complexity | issue warning 15+ issue codes | block warn Severity levels | Your judgment |
| Hazard labels (EXEC, NET, PIโฆ) | โ | โ | โ | โ |
| Version pinning & content hash | โ | โ | โ | โ |
| Open data format | โ SSDS JSON | โ SARIF-like | โ | โ |
| Prompt injection detection | โ | โ | โ | ~ |
| Malware / obfuscation detection | ~ | โ | โ | โ |
| Isolated analysis environment | โ Docker, no network | โ Runs on host | โ Server-side | โ |
| Pricing | Free to browse API from $0.50/scan | Free (OSS) Part of Snyk platform | Free tier Enterprise plans | Free Costs your time |
Why SafeAgentSkills exists
Snyk Agent Scan and Socket are excellent tools โ we recommend using them. They focus on detecting active threats: prompt injections, malware payloads, supply chain attacks.
SafeAgentSkills asks a different question: what can this skill do?
Like a Safety Data Sheet for chemicals, an SSDS documents a skill's capabilities, permissions, hazards, and risk level โ before you install it.
Not every skill with exec() is malicious. But you should know it's there.
We map the full permission surface so you can make informed decisions, not just pass/fail judgments.
These tools are complementary
Before install
Browse SafeAgentSkills to understand what a skill does, what permissions it needs, and its risk profile.
During install
Socket scans skills.sh installs in real-time, blocking known malicious packages before they reach your machine.
After install
Run Snyk Agent Scan locally to audit your installed MCP servers and skills for active threats.
Built on an open standard
Every report on this site is a machine-readable Skill Safety Data Sheet (SSDS) โ an open JSON format anyone can generate, consume, or extend. We believe safety metadata should be a public good, not locked inside any single vendor's platform.