Security Scanner

Every skill installed through Agentver is automatically scanned for security risks before it touches your system. The scanner runs 28 pattern rules across 7 categories, with zero external dependencies.

How it works

  1. 1. You run agentver install or agentver audit
  2. 2. All files are scanned against 28 pattern rules
  3. 3. Issues are reported with severity levels and specific line numbers
  4. 4. Critical/high severity issues block installation by default

Scan categories

Dangerous commands

Critical

Detects rm -rf, sudo, chmod 777, curl|bash, eval(), exec(), system() and similar destructive or arbitrary execution patterns.

Data exfiltration

Critical

Detects POST requests, fetch with body payloads, webhook.site, ngrok, requestbin, and other data exfiltration patterns.

Obfuscated code

Medium

Detects long base64 strings, hex escapes, String.fromCharCode, Unicode escape sequences, and other code obfuscation techniques.

Suspicious URLs

Medium

Detects pastebin links, Discord webhook URLs, URL shorteners (bit.ly, t.ly), and other suspicious remote resources.

Credential exposure

High

Detects process.env access, dynamic environment variable reading, and patterns that suggest credential harvesting.

Prompt injection

High

Detects patterns designed to override agent instructions, escape sandboxes, or manipulate agent behaviour.

Remote code execution

Critical

Detects wget, ftp, SSH tunnelling, and other patterns that enable remote code execution.

Verdicts

PASSNo issues found. Skill is safe to install.
WARNMedium severity issues found. Skill is installed with warnings.
BLOCKCritical or high severity issues found. Installation is blocked.

Manual auditing

You can run the security scanner manually on any directory:

$ agentver audit --path ./my-skills/
 scanning 12 files across 3 skills...
 ✓ deploy-checker PASS
 ✓ code-reviewer PASS
 ⚠ untrusted-skill WARN (2 issues)