Mondoo — Free AI Agent Skills Security Checker Launches

AI relevance: AI agent skills are plugins that act on behalf of users with access to credentials and sensitive systems — and 1,184 malicious ones were found on ClawHub alone, many available for download before detection.

• Mondoo launched AI Skills Check, a free, agent-agnostic security checker for AI agent skills across registries — no subscription required
• Supports ClawHub and Skills.sh registries, with additional integrations in development
• Works across Claude Code, Cursor, Windsurf, custom Anthropic SDK agents, and MCP servers
• Researchers previously identified 1,184 malicious skills on ClawHub, the largest public AI skill registry, many publicly downloadable before detection
• Scanning covers four security layers: Pattern Match (known signatures), ML Classifier (novel threats), Semantic Analysis (misleading claims), and Deep Inspection (permissions and behavior)
• Results include scored assessments tagged by severity, mapped to MITRE ATLAS and aligned with OWASP LLM Top 10
• Provides side-by-side comparison of what a skill claims to do versus what it actually does via code and behavioral analysis
• Independent layer of analysis not tied to any single marketplace, unlike registry-native scanning tools

Why it matters

AI agent skills represent a new software supply-chain layer that operates outside traditional security tooling. Unlike npm or PyPI packages, skills are installed directly into AI agents that can execute actions with user credentials — a malicious skill doesn't just run code, it acts on your behalf across connected systems. The discovery of 1,184 malicious skills on a single registry (ClawHub) confirms that this is not a theoretical risk but an active attack surface. Mondoo's free tool lowers the barrier for organizations to establish baseline visibility before installing third-party skills, which is critical given that most AI skills are currently installed without any security review.

What to do

• Scan before install: Use AI Skills Check or equivalent tools to review any third-party skill before adding it to your agent environment
• Audit existing skills: Inventory all AI agent skills already installed across your organization's agents and registries
• Apply the MITRE ATLAS / OWASP LLM Top 10 frameworks to evaluate skill behavior against established AI security taxonomies
• Implement skill approval workflows: Treat AI agent skills like software dependencies — require review and approval before deployment
• Monitor skill registries: Track new skill publications and updates in registries your organization uses

Sources

• Mondoo launches AI Skills Check (GlobeNewsWire)
• Mondoo AI Agent Security
• MITRE ATLAS framework
• OWASP LLM Top 10