If VirusTotal is for executables, SkillScan is for AI skills
SkillScan is a Python Flask server with a web UI that orchestrates the analysis of AI skill packages. Bring your own AI provider, upload an unknown skill package, and it traces hardcoded secrets, data-exfiltration logic, and structural security threats before you run anything.
It looks like a simple uploader, but under the hood it unpacks directories, filters out binary files, and uses current LLMs to perform a deep audit of the code and configuration.
Manage security risks, not just lines of code.
| Step | Action | Description |
|---|---|---|
| 01 | Connect AI | Set up Anthropic, OpenAI, or pull a local Ollama model. |
| 02 | Upload package | Drop a `.zip` file or an entire nested folder structure. |
| 03 | Review analysis | Read the security score, threat vectors, and remediations. |
SkillScan is for you if:

- ✅ You want to download and run third-party AI skills safely
- ✅ You worry about prompt injection or data exfiltration when trying out new tools
- ✅ You have large nested codebases and don't want to review every script by hand
- ✅ You want the analysis to run locally, for free, on a model served by Ollama so nothing leaves your machine
| Feature | Description |
|---|---|
| Bring your own model | Anthropic, OpenAI, Gemini, OpenRouter, or local Ollama. You choose the intelligence that audits. |
| Structural analysis | Parses and understands directory trees. Captures structural issues automatically. |
| Smart unpacking | Opens everything from archives or folders, skipping `.exe` files or images to stay within context limits. |
| Air-gapped option | Fully air-gapped capable with Ollama. No proprietary internal code leaves your servers. |
| Lightweight backend | Plain Python (Flask) backend with no heavy dependencies. |
| Scan history | Records every scan: timestamp, verdict, and the overall file structure. |
| Risk ranking | Ranks findings by risk level: Critical, High, Medium, Low, Info. Actionable mitigation steps are included. |
| What it is not | What it does instead |
|---|---|
| Not an antivirus or execution lock. | SkillScan does not block code. It tells you whether the code looks safe before you execute it. |
| Not an agent runtime. | It doesn't run the agents. It reviews the agents' code statically. |
| Not a firewall or proxy. | It operates purely as an advisory auditing dashboard. |
Open source. Self-hosted. Get deployed in seconds.
Requirements: Python 3.8+
Windows:

```powershell
# Clone the repository
git clone https://github.com/patidarganesh/SkillScanner.git
cd SkillScanner
# (Optional) Create and activate a virtual environment
python -m venv venv
venv\Scripts\activate
# Install the dependencies
pip install -r requirements.txt
# Add your API keys in config.json
notepad config.json
# Run the lightweight UI
python app.py
```

macOS:

```bash
# Clone the repository
git clone https://github.com/patidarganesh/SkillScanner.git
cd SkillScanner
# (Optional) Create and activate a virtual environment
python3 -m venv venv
source venv/bin/activate
# Install the dependencies
pip3 install -r requirements.txt
# Add your API keys in config.json
open -e config.json
# Run the lightweight UI
python3 app.py
```

Linux:

```bash
# Clone the repository
git clone https://github.com/patidarganesh/SkillScanner.git
cd SkillScanner
# (Optional) Create and activate a virtual environment
python3 -m venv venv
source venv/bin/activate
# Install the dependencies
pip3 install -r requirements.txt
# Add your API keys in config.json
nano config.json   # or: vim config.json
# Run the lightweight UI
python3 app.py
```

This starts the API server at http://localhost:5000. No heavy setup required.
Before running SkillScan, configure your AI provider in `config.json`:

1. Open `config.json` in the repository root.
2. Set the `"provider"` field to your preferred service (`"anthropic"`, `"openai"`, `"openrouter"`, or `"ollama"`).
3. Fill in your API key in the corresponding section.
4. If using Ollama, make sure the Ollama server is running locally.

`config.json` holds live API keys, so keep it out of version control and readable only by the account that runs the server.
```json
{
  "provider": "openai",
  "openai": {
    "api_key": "sk-...",
    "model": "gpt-4o"
  }
}
```

Can I run this entirely offline using local models?
Yes. Start Ollama locally, set `"provider"` to `"ollama"` in `config.json` (or switch the provider in the UI), and the analysis runs against the local model. No package contents leave your machine.
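The configuration steps above describe what `config.json` must contain, but nothing on the page checks it before the server starts. The following is an added example, not SkillScanner's own code, of a startup check that fails fast on an unknown provider, a missing section, or an API key that is still the `"sk-..."` placeholder, and that produces a masked copy of the config that is safe to write to logs. It assumes the layout shown in the README (a top-level `"provider"` plus one section per provider with `"api_key"` and `"model"`), that Ollama needs no key, and that the config key for Gemini is `"gemini"`; the placeholder list and the sample configs are constructed for the example.

```python
"""Added example (not SkillScanner's code): validate config.json at startup
and redact API keys before logging the configuration."""
import json

# Provider names the README lists; "gemini" as a config key is an assumption.
PROVIDERS = {"anthropic", "openai", "gemini", "openrouter", "ollama"}
KEYLESS_PROVIDERS = {"ollama"}               # a local Ollama server needs no key
PLACEHOLDER_KEYS = {"", "sk-...", "your-api-key"}   # assumed placeholder values


def load_provider_config(text):
    """Parse config.json text and return (provider, section).

    Raises ValueError with a specific message for each misconfiguration so the
    server stops before making a doomed (and possibly logged) API call."""
    cfg = json.loads(text)
    provider = cfg.get("provider")
    if provider not in PROVIDERS:
        raise ValueError(
            f"unknown provider {provider!r}; expected one of {sorted(PROVIDERS)}")
    section = cfg.get(provider)
    if not isinstance(section, dict):
        raise ValueError(f'config.json has no "{provider}" section')
    if not section.get("model"):
        raise ValueError(f'"{provider}" section has no "model"')
    if provider not in KEYLESS_PROVIDERS:
        key = section.get("api_key", "")
        if not isinstance(key, str) or key.strip() in PLACEHOLDER_KEYS:
            raise ValueError(
                f'"{provider}" section has no real "api_key" (still a placeholder?)')
    return provider, section


def mask(secret):
    """Keep a short prefix so a key can be recognised in logs but not reused."""
    if not isinstance(secret, str) or len(secret) < 8:
        return "***"
    return secret[:4] + "..." + "*" * 4


def redacted(cfg):
    """Copy of the parsed config with every api_key masked. Never log the raw
    config: it holds provider credentials."""
    out = {}
    for name, value in cfg.items():
        if isinstance(value, dict):
            out[name] = {k: (mask(v) if k == "api_key" else v) for k, v in value.items()}
        else:
            out[name] = value
    return out


def check(text):
    """Return an error message, or None when the config is usable."""
    try:
        load_provider_config(text)
    except ValueError as err:
        return str(err)
    return None


# Constructed sample configs for the example (the key is not a real credential).
GOOD_CONFIG = json.dumps({"provider": "openai",
                          "openai": {"api_key": "sk-test-1234567890", "model": "gpt-4o"}})
PLACEHOLDER_CONFIG = json.dumps({"provider": "openai",
                                 "openai": {"api_key": "sk-...", "model": "gpt-4o"}})
OLLAMA_CONFIG = json.dumps({"provider": "ollama", "ollama": {"model": "llama3"}})

if __name__ == "__main__":
    for label, text in [("good", GOOD_CONFIG), ("placeholder", PLACEHOLDER_CONFIG),
                        ("ollama", OLLAMA_CONFIG)]:
        print(label, "->", check(text) or "ok", redacted(json.loads(text)))
```

Calling `check()` from the top of `app.py` before Flask starts turns a confusing provider error at scan time into a clear message at launch, and `redacted()` is what should reach any debug output.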
How does the file skipping logic work?
SkillScanner applies the package's `.gitignore` rules together with a built-in list of binary extensions such as `.exe`, `.dll`, `.jpg`, and `.mp4`. Those files are never read into the prompt, so they cannot inflate the API context.
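The feature table and this answer both describe the same selection step: unpack the upload, drop `.gitignore`-matched and binary files, and send the rest to the model. The block below is an added example, not SkillScanner's own code, of that step working entirely in memory on a constructed sample package. Beyond the two filters the page names it adds two checks a reviewer would want when the archive is untrusted: archive entries that would escape the extraction directory (zip-slip, `../` or absolute paths) are refused, and files whose content contains NUL bytes are dropped even when their extension looks harmless. The `.gitignore` matching is a simplified subset (no negation, no anchoring), and the extension list beyond the ones the page names is an assumption.

```python
"""Added example (not SkillScanner's code): select the text files of an
uploaded skill package for LLM review, skipping binaries, .gitignore matches,
and archive entries that would escape the extraction directory."""
import fnmatch
import io
import posixpath
import zipfile
from pathlib import PurePosixPath

# The README names .exe, .dll, .jpg and .mp4; the rest are assumed additions.
BINARY_EXTENSIONS = {".exe", ".dll", ".so", ".jpg", ".jpeg", ".png", ".gif",
                     ".mp4", ".zip", ".pdf", ".pyc"}


def safe_relative_path(name):
    """Normalise an archive entry name; return None if extracting it could
    write outside the target directory (zip-slip)."""
    name = name.replace("\\", "/")
    if not name or name.startswith("/") or ":" in name.split("/")[0]:
        return None                      # absolute POSIX path or Windows drive
    norm = posixpath.normpath(name)
    if norm in (".", "..") or norm.startswith("../"):
        return None                      # escapes via '..'
    return norm


def parse_gitignore(text):
    """Patterns from a .gitignore, ignoring blank lines and comments."""
    return [ln.strip().rstrip("/") for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def is_ignored(path, patterns):
    """Match a pattern against the whole path, its basename, or any parent
    directory name (enough for 'node_modules/' and '*.log' style rules)."""
    parts = PurePosixPath(path).parts
    for pat in patterns:
        if fnmatch.fnmatch(path, pat) or fnmatch.fnmatch(parts[-1], pat):
            return True
        if any(fnmatch.fnmatch(d, pat) for d in parts[:-1]):
            return True
    return False


def select_text_files(zip_bytes, max_bytes=200_000):
    """Return (selected, skipped): selected maps path -> decoded text,
    skipped maps path -> reason. Nothing is written to disk."""
    selected, skipped = {}, {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        entries = [i for i in zf.infolist() if not i.is_dir()]
        # Merge every .gitignore in the package (simplification: applied globally).
        patterns = []
        for info in entries:
            if PurePosixPath(info.filename).name == ".gitignore":
                patterns += parse_gitignore(zf.read(info).decode("utf-8", "replace"))
        for info in entries:
            rel = safe_relative_path(info.filename)
            if rel is None:
                skipped[info.filename] = "unsafe path"
            elif is_ignored(rel, patterns):
                skipped[rel] = "gitignore"
            elif PurePosixPath(rel).suffix.lower() in BINARY_EXTENSIONS:
                skipped[rel] = "binary extension"
            elif info.file_size > max_bytes:
                skipped[rel] = "too large"
            else:
                data = zf.read(info)
                if b"\x00" in data:
                    skipped[rel] = "binary content"   # binary despite the name
                else:
                    selected[rel] = data.decode("utf-8", "replace")
    return selected, skipped


def build_sample_package():
    """Constructed sample upload (not a real skill): text files, ignored files,
    a real binary, a mislabelled binary, and one zip-slip entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("skill/SKILL.md", "# Demo skill\nRuns run.py\n")
        zf.writestr("skill/run.py", "import os\nTOKEN = os.environ['TOKEN']\n")
        zf.writestr("skill/.gitignore", "# local junk\n*.log\nnode_modules/\n")
        zf.writestr("skill/debug.log", "noise\n")
        zf.writestr("skill/node_modules/x.js", "module.exports = 1;\n")
        zf.writestr("skill/logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        zf.writestr("skill/blob.bin", b"text-looking\x00but-binary")
        zf.writestr("../evil.sh", "echo pwned\n")
    return buf.getvalue()


if __name__ == "__main__":
    sel, skip = select_text_files(build_sample_package())
    print("send to auditor:", sorted(sel))
    print("skipped:", skip)
```

Running it selects `skill/SKILL.md`, `skill/run.py` and `skill/.gitignore` and reports why each other entry was dropped. The path check matters even though this code never extracts to disk: a scanner that later unpacks the same archive for display or storage inherits the zip-slip problem unless every entry name has been normalised and rejected the same way.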
How accurate are the models?
The accuracy of the analysis depends heavily on the underlying LLM. SkillScan provides the framework for the analysis, but the quality of threat detection and remediation suggestions is directly tied to the capabilities of the chosen model.
```bash
python app.py   # runs the Flask server locally
```

We welcome contributions.
MIT © 2026 SkillScan
Open source under MIT. Built for people who want to understand their AI scripts, not blindly execute them.
