Skill Audit Mcp

Name: Skill Audit Mcp
Author: eltociear

eltociear/skill-audit-mcp

Statically scan MCP servers, agent skills, and plugins for malicious patterns before you add them to Claude Code or Cursor.

Overview

Skill Audit MCP is a MCP server for the Ship phase that statically scans MCP servers, agent skills, and plugins against 68 attack patterns before install.

What is this MCP server?

Static security scanner aimed at MCP servers, agent skills, and plugins
68 documented attack patterns for extension supply-chain review
Helps vet community skills before enabling them in production agents
Stdio MCP via OCI ghcr.io/eltociear/skill-audit-mcp:mcp-1.0.2
Complements manual README review when installing from directories or git
68 attack patterns cited in server description
Server version 1.0.2
Targets MCP servers, agent skills, and plugins

Compatible agents: Claude Code, Cursor, Codex, any compatible agent

Community signal: 3 GitHub stars.

What problem does it solve?

Installing random agent skills and MCP servers is like adding unaudited binaries—solo builders lack time to manually hunt prompt injection, exfiltration, and tool-abuse patterns.

Who is it for?

Builders curating a personal skill stack from GitHub, marketplaces, or Skillselion who want agent-driven supply-chain review.

Skip if: Teams that only use first-party, internally authored skills with no third-party MCP, or groups needing live penetration tests and SOC monitoring.

What do I get? / Deliverables

You get pattern-based security findings on extensions so you can reject, quarantine, or harden skills before they touch production workflows.

Static findings mapped to 68 attack-pattern categories
Reviewable report on third-party MCP and skill packages
Clearer install/no-install decisions for agent extensions

Recommended MCP Servers

1Claw Vault1clawAI/1claw-mcp

1Claw Vault exposes a stdio MCP server (@1claw/mcp) that connects AI agents to HSM-backed secret storage with just-in-ti…2 stars

1passwordCakeRepository/1Password-MCP

The 1Password MCP server lets solo builders wire service-account access into Claude Code, Cursor, or other stdio MCP hos…16 stars

402sentinel Mcpkaditang/402sentinel-mcp

402 Sentinel MCP gives solo builders and agent authors a pre-flight check before honoring x402 payment flows on Base. In…1 stars

A2adependencyinspector Mcpclauxel/a2a-dependency-inspector-mcp

A2A Dependency Inspector MCP is a hosted Clauxel server for builders shipping agent-to-agent (A2A) workflows who must pr…

A2a Governance Bridge Mcp

A2A Governance Bridge is a Model Context Protocol server that exposes governance-oriented tools for multi-agent setups: …

A2aidentitytoll Mcpclauxel/a2a-identity-toll-mcp

A2A Identity Toll MCP is a Clauxel-hosted remote MCP server that acts as an identity and policy toll booth for agent-to-…

Journey fit

Primary fit

Skillselion users discover tools in Build but trust decisions belong in Ship security; the same audit applies when Operate teams refresh third-party extensions. Security subphase captures supply-chain review of agent extensions—not authoring the skill content itself.

How it compares

Static extension scanner MCP, not a runtime agent firewall or Skillselion catalog entry itself.

Common Questions / FAQ

Who is Skill Audit MCP for?

Solo developers and small teams adopting third-party MCP servers and skills who need repeatable static checks before enabling new tools.

When should I use Skill Audit MCP?

Use it when adding a skill from a repo, forking a marketplace package, or reviewing updates to plugins already in your agent config.

How do I add Skill Audit MCP to my agent?

Configure stdio MCP with image ghcr.io/eltociear/skill-audit-mcp:mcp-1.0.2 in your client settings, then invoke scan tools against skill or server directories.

Skill Audit Mcp

eltociear/skill-audit-mcp

Statically scan MCP servers, agent skills, and plugins for malicious patterns before you add them to Claude Code or Cursor.

Overview

Skill Audit MCP is a MCP server for the Ship phase that statically scans MCP servers, agent skills, and plugins against 68 attack patterns before install.

What is this MCP server?

Static security scanner aimed at MCP servers, agent skills, and plugins
68 documented attack patterns for extension supply-chain review
Helps vet community skills before enabling them in production agents
Stdio MCP via OCI ghcr.io/eltociear/skill-audit-mcp:mcp-1.0.2
Complements manual README review when installing from directories or git
68 attack patterns cited in server description
Server version 1.0.2
Targets MCP servers, agent skills, and plugins

Compatible agents: Claude Code, Cursor, Codex, any compatible agent

Community signal: 3 GitHub stars.

What problem does it solve?

Installing random agent skills and MCP servers is like adding unaudited binaries—solo builders lack time to manually hunt prompt injection, exfiltration, and tool-abuse patterns.

Who is it for?

Builders curating a personal skill stack from GitHub, marketplaces, or Skillselion who want agent-driven supply-chain review.

Skip if: Teams that only use first-party, internally authored skills with no third-party MCP, or groups needing live penetration tests and SOC monitoring.

What do I get? / Deliverables

You get pattern-based security findings on extensions so you can reject, quarantine, or harden skills before they touch production workflows.

Static findings mapped to 68 attack-pattern categories
Reviewable report on third-party MCP and skill packages
Clearer install/no-install decisions for agent extensions

Recommended MCP Servers

1Claw Vault1clawAI/1claw-mcp

1Claw Vault exposes a stdio MCP server (@1claw/mcp) that connects AI agents to HSM-backed secret storage with just-in-ti…2 stars

1passwordCakeRepository/1Password-MCP

The 1Password MCP server lets solo builders wire service-account access into Claude Code, Cursor, or other stdio MCP hos…16 stars

402sentinel Mcpkaditang/402sentinel-mcp

402 Sentinel MCP gives solo builders and agent authors a pre-flight check before honoring x402 payment flows on Base. In…1 stars

A2adependencyinspector Mcpclauxel/a2a-dependency-inspector-mcp

A2A Dependency Inspector MCP is a hosted Clauxel server for builders shipping agent-to-agent (A2A) workflows who must pr…

A2a Governance Bridge Mcp

A2A Governance Bridge is a Model Context Protocol server that exposes governance-oriented tools for multi-agent setups: …

A2aidentitytoll Mcpclauxel/a2a-identity-toll-mcp

A2A Identity Toll MCP is a Clauxel-hosted remote MCP server that acts as an identity and policy toll booth for agent-to-…

Journey fit

Primary fit

How it compares

Static extension scanner MCP, not a runtime agent firewall or Skillselion catalog entry itself.

Common Questions / FAQ

Who is Skill Audit MCP for?

Solo developers and small teams adopting third-party MCP servers and skills who need repeatable static checks before enabling new tools.

When should I use Skill Audit MCP?

Use it when adding a skill from a repo, forking a marketplace package, or reviewing updates to plugins already in your agent config.

How do I add Skill Audit MCP to my agent?

Configure stdio MCP with image ghcr.io/eltociear/skill-audit-mcp:mcp-1.0.2 in your client settings, then invoke scan tools against skill or server directories.

Overview

What is this MCP server?

What problem does it solve?

Who is it for?

What do I get? / Deliverables

Recommended MCP Servers

Journey fit

Who is Skill Audit MCP for?

When should I use Skill Audit MCP?

How do I add Skill Audit MCP to my agent?

This week for builders

Overview

What is this MCP server?

What problem does it solve?

Who is it for?

What do I get? / Deliverables

Recommended MCP Servers

Journey fit

Who is Skill Audit MCP for?

When should I use Skill Audit MCP?

How do I add Skill Audit MCP to my agent?