Every skill is scanned before it reaches you

AI agent skills execute code, access files, and interact with APIs. That's powerful - and it demands rigorous vetting.

See the scan in action

When a skill is submitted, our pipeline instantly begins analyzing source code, dependencies, permissions, and runtime behavior. Results appear on every listing.

9 Security layers
<2min Average scan time
100% Skills scanned
security-scan
> Scanning cold-email-pro@1.2.0...
File type validation PASS
Pattern scanning (dangerous code) PASS
ClamAV signature scan PASS
Dependency audit (Snyk) PASS
Supply chain analysis (GuardDog) PASS
Socket.dev dependency risk PASS
VirusTotal malware scan PASS
AI security review PASS
Agent-specific checks PASS
All checks passed - 0 findings, 0 warnings
Status: VERIFIED | Ready to list

Three-tier security status

Every skill receives a security status after automated review. Visible on every listing - so you always know what you're installing.

Verified

Pass

Zero findings. No code injection, no data exfiltration, no unauthorized access. Safe to install and use immediately.

Warning

Warn

Minor findings detected - broad file access or uncommon API usage. All findings disclosed on the listing for full transparency.

Blocked

Block

Critical security issues found. Code injection, credential theft, or data exfiltration. Rejected - never reaches the marketplace.

What we scan for

Nine security layers. Every skill. No exceptions.

01

File Type Validation

Only approved file types are accepted. Executables, binaries, and suspicious archives are rejected immediately.

02

Pattern Scanning

Dangerous code patterns detected: shell injection, eval() usage, dynamic execution, credential access, and data exfiltration.

03

ClamAV Signature Scan

Industry-standard antivirus scanning against known malware signatures, trojans, and embedded threats.

04

Dependency Audit (Snyk)

All third-party packages checked against known vulnerability databases for outdated or compromised dependencies.

05

Supply Chain (GuardDog)

Detects typosquatting, dependency confusion, and compromised upstream packages in the supply chain.

06

Socket.dev Dependency Risk

Detects risky dependency behavior including install scripts, network access, shell execution, and obfuscated code in packages.

07

VirusTotal Analysis

Cross-referenced against 70+ antivirus engines via VirusTotal for comprehensive malware detection.

08

AI Security Review

Semantic analysis powered by AI to catch prompt injection, auth bypass, obfuscated logic, and data exposure risks.

09

Agent-Specific Checks

Agents undergo additional review for permission scope, tool chaining behavior, and autonomous execution boundaries.
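As an added illustration (not AgentPowers' own scanner), here is a minimal version of the Pattern Scanning layer (02) that walks a submitted skill's Python AST for dynamic execution, shell execution and credential-file access, then maps its findings onto the Verified / Warning / Blocked tiers described above. The rule tables and the sample skill are constructed assumptions, not the marketplace's real signatures.

```python
import ast

# Constructed rule tables (an assumption: not the marketplace's actual signatures).
CRITICAL_CALLS = {"eval": "dynamic execution", "exec": "dynamic execution",
                  "os.system": "shell execution", "os.popen": "shell execution"}
SHELL_CALLS = {"subprocess.run", "subprocess.call", "subprocess.Popen"}
CREDENTIAL_PATHS = (".aws/credentials", ".ssh/id_", ".netrc")
MINOR_CALLS = {"os.walk": "broad file access", "glob.glob": "broad file access"}

def _qualname(func):
    # os.system -> "os.system"; anything that is not a plain dotted name -> ""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    return ".".join(reversed(parts + [func.id])) if isinstance(func, ast.Name) else ""

def scan_source(source):
    """Return sorted (line, severity, description) findings for one Python file."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _qualname(node.func)
            if name in CRITICAL_CALLS:
                findings.append((node.lineno, "critical", CRITICAL_CALLS[name]))
            elif name in SHELL_CALLS and any(kw.arg == "shell" and getattr(kw.value, "value", None) is True
                                             for kw in node.keywords):
                findings.append((node.lineno, "critical", "shell injection (shell=True)"))
            elif name in MINOR_CALLS:
                findings.append((node.lineno, "minor", MINOR_CALLS[name]))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if any(p in node.value for p in CREDENTIAL_PATHS):
                findings.append((node.lineno, "critical", "credential file access"))
    return sorted(findings)

def status_for(findings):
    """Three-tier mapping: any critical finding blocks, any minor finding warns."""
    severities = {sev for _, sev, _ in findings}
    if "critical" in severities:
        return "Blocked"
    return "Warning" if "minor" in severities else "Verified"

# Constructed sample submission (not a real skill) that trips each rule once.
SAMPLE_SKILL = '''import os, subprocess
def run(cmd):
    subprocess.run(cmd, shell=True)
def keys():
    return open(os.path.expanduser("~/.aws/credentials")).read()
os.walk("/")
'''
```

`scan_source(SAMPLE_SKILL)` reports the shell call on line 3 and the credential path on line 5 as critical and the `os.walk` on line 6 as minor, so `status_for` returns "Blocked"; a skill with only the `os.walk` would land in "Warning".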

How the review process works

Every submission. Same pipeline. No exceptions, no fast-track.

01

Submission

Creator submits via CLI. Package, manifest, and source code are uploaded.

pending
02

Automated Scan

Static analysis, dependency audit, permission checks, and behavioral detection, completed in minutes.

scanning
03

Manual Review

Warnings escalate to human review. Our team inspects flagged patterns and decides.

if flagged
04

Listed or Rejected

Clean → Verified. Minor → Warning. Dangerous → Blocked.

listed / rejected

Open findings. Clear reporting.

Security works best in the open. Every decision we make is visible to you.

Findings on every listing

Any security findings - even minor ones - are shown directly on the skill page. You see exactly what was flagged and why before you purchase.

Scanned before listing

Every version of every skill passes through the full nine-layer security pipeline before it appears on the marketplace. No exceptions.

Report a concern

Found something suspicious? Contact us by email. We investigate every report and respond within 24 hours.

Creator accountability built in

Every skill is tied to an authenticated creator account with a public profile and reputation history.

01

Authenticated Account

Creators sign up through Clerk with email confirmation and complete a public profile. No anonymous listings.

required
02

Authenticated Account

Every creator authenticates via Clerk using GitHub OAuth or email verification. Public profiles are linked to authenticated identities.

authenticated
03

Automated Security Scan

Every submission passes through our 9-layer automated security pipeline - static analysis, pattern detection, ClamAV, VirusTotal, and AI review.

automated
04

Ongoing Reputation

Ratings, reviews, and scan history build a public reputation. Violations lead to suspension and delisting.

trusted / suspended
100% Creators authenticated
Automated Every submission scanned
Public Creator profiles

Your purchase is protected

Secure payments, unique license codes, and account-tied licensing.

Secure Payments

All transactions processed through Stripe with PCI-DSS Level 1 compliance. Your payment details never touch our servers - they go directly to Stripe's secure infrastructure.

Unique License Codes

Every purchase generates a unique license code in XXXX-XXXX-XXXX format. Codes are tied to your account and can be regenerated if compromised. One license, all compatible platforms.

Account-Tied Licensing

Each license is tied to your account and works across all compatible platforms. If a code is compromised, contact us and we'll regenerate a new one instantly.

A note on security

No automated security system is perfect. While our scanning pipeline catches the vast majority of threats, we strongly recommend reviewing the source code of any skill before installing it in production environments. Our security statuses are a starting point - not a guarantee.

When in doubt, inspect the code yourself or contact us for a detailed report.

Frequently Asked Questions

How does the security scanning work?

Every submitted skill goes through automated static analysis, dependency auditing, permission scope verification, data exfiltration detection, credential access checks, and behavioral analysis. The entire pipeline runs in under 2 minutes.

What happens if a skill fails the scan?

Skills with critical findings (code injection, credential theft, data exfiltration) are blocked and never reach the marketplace. Skills with minor findings receive a warning status with full disclosure on the listing page.

Can I see the security report for a skill?

Yes. Every skill listing shows its security status (Verified, Warning, or Blocked) along with any findings. You always know what you're installing before you buy.

What if I find a vulnerability after installing?

Report it through our contact page using the "Security Report" option. We investigate every report within 24 hours and work with creators to issue patches.

Are skills re-scanned after initial review?

Skills are scanned at publish time - every version goes through the full pipeline before listing. If you discover a vulnerability after install, report it through our contact page and we investigate within 24 hours.

Is the scanning automated or manual?

The primary scan is fully automated across nine security layers. If the automated scan flags anything, it escalates to our team for manual review before a final decision is made.

How are creators vetted on AgentPowers?

Creators sign up with authenticated accounts via Clerk. Public profiles show their ratings and review history. Every submitted skill goes through the full automated security scan before listing.

What happens if a license code is compromised?

Contact us and we'll regenerate a new license code instantly. The old code is revoked and your access is uninterrupted. Codes are tied to your account, not shared publicly. Reach out via our contact page.

Install with confidence

Every skill on AgentPowers has been scanned and verified. Browse the marketplace or start creating your own.