🛡️ SkillFence

Security scanner for AI agent skills, MCP servers, and tool configs

v2.2.0 · 102 rules · Context-aware · Zero dependencies

npx skillfence scan .

102

Detection Rules

Dependencies

10+

Repos Audited

420K+

Stars Scanned

GitHub → npm →

🧠 Context-Aware Scanning NEW in v2.0

Not all findings are equal. SkillFence understands where a pattern appears and adjusts severity automatically.

Context	Example	Severity
Source code	`eval(userInput)`	CRITICAL
README / docs	`curl \| sh` in install instructions	INFO
Test files	`exec()` in test helper	MEDIUM max
Config files	API key pattern in `.env.example`	LOW confidence

Allowlist: Database.exec() (SQLite), RegExp.exec(), MD5 in S3 (AWS spec), SHA1 in webhook verification (API requirement)

What it detects

🔴 Critical

Remote Code Execution — curl pipe, eval(), exec(), spawn()
Hardcoded & Default Secrets — JWT fallbacks, API keys, passwords v2.1
MCP Tool Poisoning — hidden instructions in tool descriptions
CORS Origin Reflection — mirrors any origin with credentials v2.0

🟠 High

AI Agent Tool Exposure — usableAsTool without HITL gate v2.0
SSRF via AI Tools — cloud metadata endpoints, localhost access v2.0
JWT Weak Derivation — entropy reduction, weak algorithms v2.0
Trust Score Self-Manipulation — owner setting own verification flags v2.2
Unauthenticated Notification Endpoints v2.2
Account Enumeration via registration responses v2.1
Credential Leaks — tokens, private keys, connection strings

🟡 Medium

Static HKDF/KDF Salt — per-operation random salt recommended v2.2
Unverified account creation (verified: false) v2.1
Data Exfiltration Patterns — DNS tunneling, base64 POST
Supply Chain — typosquatting, malicious dependencies
Destructive Operations — rm -rf, chmod 777, disk writes

🏆 Real-World Results

Found real vulnerabilities in production projects:

n8n ⭐ 72K

AgentPass

context7 ⭐ 5K

screenshot-to-code ⭐ 60K

typescript-sdk ⭐ 2K

Flowise ⭐ 36K

Continue ⭐ 27K

Dify ⭐ 95K

Open WebUI ⭐ 80K

supabase-mcp ⭐ 3K

Highlights: CRITICAL JWT default secret, CORS origin reflection, ExecuteCommand RCE via prompt injection, trust score manipulation, unauthenticated webhook endpoints

📦 Install & Use

      # Scan a directory

      npx skillfence scan .

      # JSON output for CI/CD

      npx skillfence scan . --json

      # Disable context-awareness

      npx skillfence scan . --no-context

      # List all 102 rules

      npx skillfence rules

      # Git pre-commit hook

      npx skillfence install-hook

🔄 Version History

Version	Rules	What's New
v1.2.0	76	Initial release — OWASP MCP Top 10 coverage
v2.0.0	92	Context-aware scanning, CORS, SSRF, JWT, AI-Tool rules
v2.1.0	99	Hardcoded secrets, auth patterns, account enumeration
v2.2.0	102	Trust manipulation, unauthed notifications, static KDF salt