
概览
主要功能
- 提示注入模式检测
- 数据外泄规则集
- 恶意代码模式扫描
- SARIF 报告输出
- CI/CD 管道集成
- 可扩展的规则集
价格
- 模型
- Freemium
- 评分
- 4.7 / 5 (6)
使用场景
在部署前验_third-party 代理技能
扫描外部技能和插件,搜索提示注入模式和可疑代码,降低被破坏的集成风险。
在 CI/CD 中实施安全门控
将 Skill Scanner集成到建造管道中,使用 SARIF 输出自动阻止那些引入风险清单或指令的拉取请求
在 GitHub 代码扫描中披露发现结果
将 SARIF 报告传输到 GitHub 代码扫描或安全仪表板,使开发者和安全团队能够在其它编码问题一起对 AI 代理技能的漏洞进行分级
使内部技能坚固自如
将可用的规则集扩展以匹配组织特定的风险特性,确保内部建造的代理技能满足数据外泄和恶意模式的基本检查
优点 & 缺点
优点
- 免费并开源
- 针对代理特定的威胁,例如提示注入
- SARIF 输出集成到现有的安全工具
- 适合 CI/CD 安全门控
- 可定制的检测规则
缺点
- 需要技术配置和 CLI 熟悉
- 静态分析无法检测所有的运行时攻击
- 覆盖度依赖于社区维护的规则集
评测
6 个评分的平均值。
登录以留下评测。
Does the job
Pretty happy overall. Extensible rule set just works and sARIF output integrates with existing security tools. Static analysis cannot catch all runtime attacks can be annoying, but no dealbreakers — I'd recommend it to a friend without hesitating.
Use it every day
Honestly didn't expect to like it this much. SARIF report output is exactly what I needed, and free and open source. I do wish static analysis cannot catch all runtime attacks, but I reach for it almost every day now and it just clicks.
Use it every day
Honestly didn't expect to like it this much. SARIF report output is exactly what I needed, and useful for CI/CD security gates. but I reach for it almost every day now and it just clicks.
Years in this space
I've evaluated a lot of these over the years. What stands out here is sARIF report output — handled better than most — and free and open source. Worth the time if this is your use case.
Use it every day
Honestly didn't expect to like it this much. SARIF report output is exactly what I needed, and targets agent-specific threats like prompt injection. I do wish coverage depends on community-maintained rules, but I reach for it almost every day now and it just clicks.
Solid for our team
We rolled this out across the team last quarter and useful for CI/CD security gates. Data exfiltration heuristics fits neatly into how we already work, and sARIF report output removed a step we used to do by hand. Requires technical setup and CLI familiarity, which is the main caveat, but it has held up under daily use.
问答
How much does Skill Scanner cost and what's the licensing model?
Skill Scanner is free and open source, so there are no licensing fees. You can self-host and run it as part of your own workflows, with the trade-off that you handle setup, maintenance, and any rule customization yourself.
What threats can it detect, and what are its limitations?
It performs static analysis on skill manifests, instructions, and bundled code to flag prompt injection patterns, data exfiltration heuristics, and suspicious code. As a static tool, it can't catch all runtime attacks, and detection quality depends on the community-maintained or custom rule set.
How does Skill Scanner integrate with CI/CD and existing security tooling?
It outputs findings in SARIF, the standard format consumed by tools like GitHub code scanning, security dashboards, and code review workflows. This makes it straightforward to wire into CI/CD pipelines as a security gate alongside other static analysis tools.
提问
Software Testing (QA) Agents 的替代品
CarbonCopies AI
Software Testing (QA) Agents
AI 双胞胎模拟用户交互,进行自动化 UX/功能测试并检测应用/网站中的错误。
Diffblue Cover
Software Testing (QA) Agents
一款自主 AI 代理,能够在大规模下生成并维护 Java 单元测试,并保证准确性。
PentAGI
Software Testing (QA) Agents
开源无人值守的渗透测试代理,通过 Docker sandbox 的内存和 web 智能来运行 20+ 个安全工具
Flowtest AI
Software Testing (QA) Agents
通过模拟真实用户交互来监控网站,检测问题并确保正常运行的 AI 代理。
Keploy
Software Testing (QA) Agents
开源智能测试代理,自动生成和维护单元、集成和API测试








