Command Palette

Search for a command to run...

UnylyUnyly
Весь каталог

Safeskill

БесплатноНе проверен

Runs a one-click security audit on your MCP setup, scanning packages for vulnerabilities and assigning a score from 0-100 with actionable recommendations.

GitHubEmbed

Описание

Runs a one-click security audit on your MCP setup, scanning packages for vulnerabilities and assigning a score from 0-100 with actionable recommendations.

README

One-click security audit for your MCP setup.

One score. Plain English. No CLI knowledge required.

We Scanned the MCP Ecosystem

We downloaded and scanned 3,093 MCP packages from npm and the official MCP registry. The results:

  • 858 packages (28%) had at least one security finding
  • 397 packages (13%) rated RED (score below 50)
  • 176 packages scored a flat 0/100

Cisco, 1Password, Snyk, and Bitdefender have all flagged MCP's lack of sandboxing and permissions as a serious risk. We built SafeSkill to let you check for yourself.

Read the full analysis: I Scanned 3,093 MCP Servers. Here's What I Found.

Try It Now

No install required. Paste any npm package name into the web scanner:

getsafeskill.vercel.app

Quick Start

As an MCP Skill (recommended)

Add SafeSkill to your MCP configuration and just ask your agent:

"Check if my MCP setup is safe"

{
  "mcpServers": {
    "safeskill": {
      "command": "npx",
      "args": ["-y", "safeskill"]
    }
  }
}

As a CLI

# Scan your entire setup
npx safeskill

# Scan a specific skill
npx safeskill scan ./my-mcp-server

# Check config only
npx safeskill config

# JSON output
npx safeskill --format=json

What It Detects

Critical

  • Dynamic code execution (eval(), new Function())
  • Shell command injection
  • Data exfiltration to Telegram/Discord/paste sites
  • Access to SSH keys, cloud credentials, crypto wallets, browser data
  • Prompt injection in skill descriptions
  • Environment variable theft over network
  • Crypto wallet address replacement

High

  • Child process spawning
  • Outbound HTTP to raw IP addresses
  • Bulk environment variable harvesting
  • Base64/hex obfuscation at runtime
  • JavaScript code obfuscation
  • Hardcoded API keys and secrets
  • Access to .env and dotfiles
  • Exposed ports (0.0.0.0 binding)
  • Disabled authentication flags

Medium

  • Data encoding before transmission
  • Hidden Unicode characters
  • Hardcoded secrets in config
  • Supply chain risk (npx/uvx execution)

Scoring

Each skill gets a score from 0-100:

Score Rating Meaning
80-100 GREEN No significant issues found
50-79 YELLOW Some concerns, review the findings
0-49 RED Serious issues, remove or replace this skill

Scores are based on the number and severity of findings, with diminishing returns for repeated instances of the same issue.

Overall Score: 62/100 YELLOW [############--------]

Found 7 security issues across 4 skills.

Skills you should remove:
- sketchy-data-tool (Score: 15/100) — tries to read your SSH keys and send them to a server
- crypto-helper (Score: 35/100) — contains a hardcoded crypto wallet address

Skills to review:
- file-manager (Score: 65/100) — can run system commands on your computer

Clean skills: weather, calculator, notes

Output Formats

  • Conversational: Chat-friendly summary for use in MCP agents
  • Detailed: Full markdown report with all findings
  • JSON: Machine-readable output for automation

Building from Source

git clone https://github.com/gabchess/safeskill.git
cd safeskill
npm install
npm run build

License

MIT

from github.com/gabchess/safeskill

Установить Safeskill в Claude Desktop, Claude Code, Cursor

Рекомендуется · одна команда, все IDE
unyly install safeskill

Ставит в Claude Desktop, Claude Code, Cursor и VS Code — сам разбирается с npx, uvx и сборкой из исходников.

Впервые? Поставь CLI: curl -fsSL https://unyly.org/install | sh

Или настроить вручную

Выполни в терминале:

claude mcp add safeskill -- npx -y safeskill

FAQ

Safeskill MCP бесплатный?

Да, Safeskill MCP бесплатный — установка в пару кликов через Unyly без оплаты.

Нужен ли API-ключ для Safeskill?

Нет, Safeskill работает без API-ключей и переменных окружения.

Safeskill — hosted или self-hosted?

Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.

Как установить Safeskill в Claude Desktop, Claude Code или Cursor?

Открой Safeskill на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.

Похожие MCP

Compare Safeskill with

Не уверен что выбрать?

Найди свой стек за 60 секунд

Автор?

Embed-бейдж для README

Похожее

Все в категории development