Verification Process

Every artifact on Skill Shope goes through automated security verification before it becomes visible to the community. No exceptions.

How it works

  1. Submission — A publisher submits a skill, MCP server, or agent via the web form, JSON upload, or API. The listing enters a pending state.
  2. Automated scan — Our security pipeline runs immediately. No AI tokens, no manual review queue. Pure pattern-matching and API verification.
  3. Scoring — Each artifact receives a security score from 0 to 100 based on the checks that pass or fail.
  4. Decision — Based on the results:
    • Approved — all checks pass, visible to the community
    • Flagged — some concerns detected, held for admin review
    • Rejected — critical security issues found, not published

What we check

Content security

We scan all submitted content (SKILL.md files, config files, install commands) for:

  • Arbitrary code execution patterns
  • Shell command injection
  • Data exfiltration attempts (unauthorized network requests)
  • Credential harvesting (references to SSH keys, API tokens, cloud credentials)
  • Obfuscated or encoded payloads
  • Crypto mining code
  • File system abuse (writing to system directories)

Source verification

When a source URL is provided, we verify:

  • The repository or package actually exists and is publicly accessible
  • The repository has a recognized open-source license
  • The owner account is established (not brand new)
  • The repository is actively maintained (not archived or abandoned)

Package verification (npm)

For npm-hosted tools, we confirm the package exists on the public registry and check for known vulnerabilities.

Security scores

ScoreBadgeMeaning
90–100100All checks passed. Safe to install.
70–8985Minor warnings (e.g., missing license). Generally safe.
0–6945Significant concerns detected. Review carefully before installing.

For publishers

To maximize your security score:

  • Include a license file in your repository (MIT, Apache 2.0, etc.)
  • Keep your repository public and actively maintained
  • Avoid shell execution patterns in skill content
  • Don't reference credential files or environment variables
  • Don't include encoded or obfuscated content

Verified publisher badge

In addition to automated security checks, publishers can earn a verified publisher badge. This is a manual review by the Skill Shope team confirming the publisher's identity and track record. Contact ryan@skillshope.com to request verification.

Your responsibility

Automated verification catches known patterns, but no system is perfect. Always review source code before installing third-party tools. If you find a security issue, report it immediately. We take every report seriously.