First formal security scanner for AI agent skills & plugins with static analysis and SBOM generation.
skillfortify is easy to set up with strong trust signals. Check agent compatibility and use-case fit before adding it to your workflow.
gh repo view qualixar/skillfortify --web
Open the official repository or website.
Check the README for package manager, auth, and platform requirements.
Try it in a small test task inside your agent workflow.
SkillFortify scans AI agent skills and plugins for security issues. It checks code without running it, verifies supply chain safety, and generates a software bill of materials. It supports 22 frameworks like MCP, LangChain, and CrewAI.
SkillFortify is the first formal security scanner designed specifically for AI agent skills and plugins. It performs sound static analysis to detect vulnerabilities, verifies supply chain integrity, and generates Software Bill of Materials (SBOM) for AI agent ecosystems. Unlike heuristic scanners that may miss risks, SkillFortify provides mathematically grounded security guarantees: if it reports no violations, the capability bounds in the formal model are assured. The tool supports 22 frameworks including Claude Code Skills, MCP Servers, LangChain Tools, CrewAI Tools, AutoGen, OpenAI Agents SDK, Google ADK, Dify, Composio, Semantic Kernel, LlamaIndex, n8n, Flowise, Mastra, PydanticAI, Agno, CAMEL-AI, MetaGPT, Haystack, Anthropic Agent SDK, and Custom Skills. It can auto-discover all AI tools on a system and generate HTML security reports. SkillFortify also includes a benchmark (SkillFortifyBench) with 540 skills across 3 formats for evaluating security scanners.
Strong trust signals; still review the README and permissions before production use.
Last commit was about 13 days ago.
24 GitHub stars indicate community interest.
5 open issues signal maintenance load.
NOASSERTION license detected.
Scan AI agent skills for security vulnerabilities before deployment
Verify supply chain integrity of third-party agent plugins
Generate SBOM for compliance and auditing of AI agent ecosystems
Integrate into CI/CD pipelines to automatically check agent skill security
Evaluate and compare security scanners using the SkillFortifyBench benchmark
The tool itself is a security scanner and does not introduce risks, but users should ensure they have permission to scan the target systems.
False negatives are possible; formal guarantees apply only to the modeled capabilities.
Stars: 24
Forks: 1
Issues: 5
License: NOASSERTION
A terminal dashboard to monitor AI coding agents like Claude Code and Codex CLI in real-time.
A bridge between Streamable HTTP and stdio MCP transports, enabling flexible MCP server connectivity.
A full-stack AI Red Teaming platform for securing AI ecosystems with comprehensive scanning and evaluation.
2 security/trust notes recorded.
Setup difficulty is 2/5.