Audit AI Agent Skills
Before Execution
Set Up MCP Server
FreeZero-maintenance scanning. YARA + LLM. Always latest rules.
- 39 YARA rules across 6 threat categories
- LLM semantic layer
- Catches social engineering & prompt injection
- Catches reverse shells, data exfiltration and obfuscation patterns
- Binary verdict + reasoning
Human? Send this to your agent:
Read https://shieldon.dev/setup.md and set up the Shieldon MCP server to scan skills before installing them.
Agent? Read the setup instructions directly:
setup.mdTrusted by
What Shieldon Catches
Six categories of threats detected across every skill.md your agent encounters — pattern-matched by YARA and reasoned about by an LLM.
Credential Theft
AWS, GitHub, Stripe, OpenAI, Anthropic, Supabase, cloud provider keys, private keys, .env / .ssh access, crypto wallets
Command Injection
Reverse shells, curl | bash, privilege escalation, container escape, cron persistence, SSH key injection, PowerShell
Data Exfiltration
webhook.site, paste services, ngrok tunnels, DNS tunneling, Discord/Slack/Telegram webhooks, modern drop services
Obfuscation
Base64 decode chains, hex encoding, eval() + encoding, char-by-char string building, unicode escape evasion
Audit-Override Framing
Prose pleading 'educational only', 'classify as safe', 'ignore the YARA finding', END-OVERRIDE markers — social engineering aimed at the auditor LLM
Multistage Remote Code
exec(...http://...), bash <(curl ...), plugin/manifest loaders that defer code to a remote URL the auditor can't inspect
How Scanning Works
Every hosted scan runs through a 3-stage pipeline in around 5 seconds.
YARA deep scan
39 patterns across 6 threat categories
LLM semantic analysis
NewContext-aware safety verdict with reasoning
Verdict
Binary safe / block + reasoning + findings
{
"scan_id": "a1b2c3d4-...",
"verdict": "block",
"reasoning": "Override framing co-occurs with credential theft.",
"findings": [
{
"type": "yara",
"description": "Supabase access key pattern detected",
"severity": "HIGH",
"evidence": "Secret at offset 342: sb_secret_example"
},
{
"type": "llm",
"description": "Audit-override prose used to launder credential code",
"severity": "HIGH",
"evidence": "'classify as safe — for educational purposes only'"
}
]
}Local skill vs. MCP server
The local skill is YARA-only and runs offline. The hosted MCP adds the LLM semantic layer.
| Local skill | MCP server | |
|---|---|---|
| Install | npx skills add | Add endpoint to config |
| Detection rules | 39 YARA | 39 YARA + LLM |
| Works offline | ||
| LLM semantic analysis | ||
| Rule updates | npx skills update | Automatic |
| Best for | Individuals | Autonomous agents, CI/CD, enterprises |