Security

How Skill Shope protects publishers and users.

Source verification

When a skill is published, we automatically verify the source URL:

  • GitHub — confirms the repository exists, is public, and is accessible via the GitHub API
  • npm — confirms package exists on the npm registry
  • Other URLs — confirms the URL is reachable

Verification status is shown in the admin panel. Admins can re-verify at any time.

Payment security

  • Payments processed via Stripe Checkout — we never see or store card numbers
  • Webhook signatures verified on every event
  • Download tokens generated server-side with cryptographic randomness
  • Constant-time token comparison to prevent timing attacks

Infrastructure

  • HTTPS everywhere (Vercel automatic TLS)
  • Security headers: CSP, X-Frame-Options, HSTS, X-Content-Type-Options
  • Origin whitelist on redirect URLs (prevents open redirects)
  • Rate limiting on all POST endpoints
  • Input validation and HTML sanitization on all user-submitted content

Content policy

The following are prohibited:

  • Malware, backdoors, or intentionally harmful code
  • Skills that facilitate illegal activity, harassment, or abuse
  • Spam, duplicate, or misleading listings
  • Content that infringes on intellectual property
  • Skills that collect user data without disclosure
  • Fake reviews or manipulated ratings

Your responsibility

Skill Shope is a registry — we link to tools, we don't execute them. Always review source code before installing any third-party skill. Install at your own risk.