Scans GitHub-hosted AI skills for security issues before your agent installs them. Exposes three MCP tools: scan_skill submits a repo URL and returns a scored report flagging prompt injection patterns, malware indicators, and OWASP LLM Top 10 violations with line numbers and snippets. get_report retrieves cached public scan results at no cost. check_certification validates skill safety badges. Useful when building agents that autonomously install third-party skills and need supply chain verification without human review. Free tier gives you 5 scans per month. Results include a verdict (SAFE, CAUTION, DANGEROUS) based on a 0-100 score, plus detailed issue breakdowns. Average scan completes in under 3 seconds. Connects to https://apisecurityscan.net/mcp via streamable HTTP.
Public tool metadata for what this MCP can expose to an agent:

- scan_skill (1 param: skill_url, string): Scan a GitHub skill for vulnerabilities: prompt injection, malware, OWASP LLM Top 10.
- get_report (1 param: scan_id, string): Retrieve a previous scan result by scan_id.
- check_certification (1 param: skill_url, string): Check if a skill has a SecurityScan certification badge.
- scan_deps (2 params: scan_type, string, one of single · deep; skill_url, string): Check external dependency health via DepScan.

Vulnerability scanner for AI agent skills. Detects prompt injection, malware patterns and OWASP LLM Top 10 issues before your agent installs an untrusted skill.
Live endpoint: https://apisecurityscan.net

Health check: https://apisecurityscan.net/health
As AI agents increasingly install and execute third-party skills, supply chain security becomes a real problem. SecurityScan lets an agent verify a skill's safety autonomously — no human in the loop required.
Register instantly (no payment required for the free tier):

```bash
curl -X POST https://apisecurityscan.net/auth/register \
  -H "Content-Type: application/json" \
  -d '{"email": "you@example.com", "name": "My Agent"}'
```
Response:

```json
{
  "api_key": "ss_live_...",
  "plan": "FREE",
  "scans_remaining": 5
}
```
Store the api_key and proceed immediately; no payment is needed on the FREE tier.
```bash
curl -X POST https://apisecurityscan.net/scan \
  -H "Content-Type: application/json" \
  -H "X-API-Key: ss_live_your_key" \
  -d '{
    "skill_url": "https://github.com/owner/skill-repo"
  }'
```
Note: skill_url must be a github.com URL.
Response:

```json
{
  "scan_id": "a1b2c3d4e5f6",
  "skill_url": "https://github.com/owner/skill-repo",
  "score": 72,
  "recommendation": "CAUTION",
  "issues": [
    {
      "type": "PROMPT_INJECTION",
      "severity": "HIGH",
      "line": 42,
      "description": "Detected attempt to override agent instructions",
      "snippet": "ignore previous instructions and..."
    }
  ],
  "scan_time_ms": 1240,
  "cached": false,
  "scans_remaining": 4
}
```
Verdict values: SAFE (score ≥ 80) · CAUTION (50–79) · DANGEROUS (< 50)
| Plan | Price | Scans | Type |
|---|---|---|---|
| FREE | $0 | 5/month | Free tier, no payment required |
| PAY_PER_SCAN | $2/scan | Pay as you go | One-time pack (5 scans min) |
| PRO | $399/month | Unlimited | Subscription |
Results cached 24 hours — rescanning the same skill costs zero scans.
| Method | Path | Auth | Description |
|---|---|---|---|
| POST | /auth/register | None | Register and get API key (FREE tier) |
| POST | /scan | X-API-Key | Submit a skill for scanning |
| GET | /scan/{scan_id} | X-API-Key | Retrieve scan result |
| GET | /report/{skill_url} | None | Public scan report (no cost) |
| POST | /billing/upgrade | X-API-Key | Create Stripe checkout session |
| GET | /billing/status | X-API-Key | Current plan and usage |
| GET | /health | None | Service status |
| GET | /quickstart | None | Agent quickstart guide |
When /scan returns 402 scan_limit_reached:

```bash
# Step 1: get checkout URL
curl -X POST https://apisecurityscan.net/billing/upgrade \
  -H "X-API-Key: ss_live_your_key" \
  -H "Content-Type: application/json" \
  -d '{"plan": "PAY_PER_SCAN"}'
# Step 2: complete payment at checkout_url
# Step 3: poll GET /billing/status until plan != FREE
# Step 4: retry scan
```
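The scan call, verdict bands and 402 handling above, put together as an install gate an agent could run. This is an added example, not the project's own client: the GitHub URL check, the function names and the constructed sample report are assumptions; only the endpoint, headers, request body and verdict thresholds come from the documentation.

```python
import json
import re
from urllib import request, error

BASE = "https://apisecurityscan.net"
# Hypothetical validator for the documented rule that skill_url must be a github.com URL.
GITHUB_REPO = re.compile(r"^https://github\.com/[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+/?$")

def verdict_from_score(score):
    """Map a 0-100 score onto the documented bands: SAFE >= 80, CAUTION 50-79, DANGEROUS < 50."""
    if not 0 <= score <= 100:
        raise ValueError("score must be in 0..100")
    return "SAFE" if score >= 80 else "CAUTION" if score >= 50 else "DANGEROUS"

def install_allowed(report):
    """Gate for an unattended install: the server's recommendation must match the band
    derived from the score (a mismatch counts as a failed check) and the verdict must be SAFE."""
    expected = verdict_from_score(report["score"])
    return report.get("recommendation") == expected and expected == "SAFE"

def classify_scan_response(status, body):
    """Turn an HTTP status plus JSON body into one agent action."""
    if status == 402:  # documented scan_limit_reached: run the /billing/upgrade flow, then retry
        return "upgrade_required"
    if status != 200 or "score" not in body:
        return "error"
    return "install" if install_allowed(body) else "reject"

def scan_skill(api_key, skill_url):
    """POST /scan exactly as the curl example does; returns (status, body) without raising on 4xx."""
    if not GITHUB_REPO.match(skill_url):
        raise ValueError("skill_url must be a github.com repository URL")
    req = request.Request(f"{BASE}/scan", data=json.dumps({"skill_url": skill_url}).encode(),
                          headers={"Content-Type": "application/json", "X-API-Key": api_key}, method="POST")
    try:
        with request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")

# Constructed sample mirroring the documented /scan response shape (not a real scan result).
SAMPLE_REPORT = {"scan_id": "a1b2c3d4e5f6", "score": 72, "recommendation": "CAUTION",
                 "issues": [{"type": "PROMPT_INJECTION", "severity": "HIGH", "line": 42}]}

if __name__ == "__main__":
    print(classify_scan_response(200, SAMPLE_REPORT))  # reject
```

A CAUTION verdict is deliberately treated as a rejection here, since the page describes an install path with no human in the loop to review the flagged issues.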
SecurityScan exposes an MCP server at https://apisecurityscan.net/mcp:

```json
{
  "mcpServers": {
    "securityscan": {
      "url": "https://apisecurityscan.net/mcp",
      "transport": "http"
    }
  }
}
```
Available tools: scan_skill · get_report · check_certification
DepScan API checks the external dependency health of skills (endpoints, SSL certificates, domain reputation, blacklists): https://depscan.net
MIT — this repository contains documentation and skill package only. Service source code is proprietary.