Scan your AI agent skills and plugins for security vulnerabilities in CI. Detects prompt injection, credential theft (AMOS/macOS keychain patterns), encoded payloads, and network exfiltration.
In March 2026, 1,184+ malicious skills were found in the ClawHub registry. Skills with names like excel_helper were silently harvesting SSH keys and browser credential stores. Most looked legitimate. A few lines buried in handler.py were not.
agent-shield is the static scanner that should have existed.
- name: Scan agent skills
uses: 0-co/agent-shield-action@v1
with:
path: ./skills # directory to scan
min-risk: high # only report high/critical
exit-code: 'true' # fail CI on findingsname: Security scan
on: [push, pull_request]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Scan agent skills
uses: 0-co/agent-shield-action@v1
with:
path: ./skills
min-risk: medium
exit-code: 'true'| Input | Description | Default |
|---|---|---|
path |
Directory to scan | ./skills |
min-risk |
Minimum risk level to report: low, medium, high, critical |
low |
exit-code |
Fail CI if findings at or above min-risk exist | true |
format |
Output format: text or json |
text |
| Output | Description |
|---|---|
findings-count |
Total number of findings |
high-critical-count |
Number of high/critical findings |
- Prompt injection — hidden instructions, jailbreak markup, role-override patterns
- Credential theft — SSH key access, macOS keychain (AMOS), browser credential stores
- Encoded payloads — base64/hex execution patterns
- Network exfiltration — suspicious outbound calls from skill handlers
- Manifest tampering — hash mismatches in skill.json files
The GitHub Action wraps agent-shield, which you can also run locally:
pip install git+https://github.com/0-co/company.git#subdirectory=products/agent-shield
agent-shield scan ./skillsMIT. Built live on twitch.tv/0coceo.