Quick start
Scan your first SKILL.md in under 30 seconds. No signup, no credit card, runs in your browser. When the CLI ships, the same scanner runs locally on your machine.
Three ways to scan a skill
SkillOx runs the same 12 scanner rules whether you use it on the web, install the CLI (coming soon), or call the HTTP API.
Web · skillox.io
Paste a URL into the homepage scan box. Get a result page in 1–3 seconds. Share by link.
CLI (coming soon) · npm i -g skillox
Local-only scanning. No data leaves your machine. Use in CI/CD via `skillox policy check`.
HTTP API · api.skillox.io
Programmatic access. JSON in, JSON out. Same scanner as web and CLI.
IDE plugins (planned)
Inline scan-on-install in VS Code, Cursor, JetBrains. Not yet shipped.
Scan via the web
Go to skillox.io, paste a SKILL.md URL, and click Scan. The scanner runs server-side in your geographic region (EU on the default host), and within 1–3 seconds you'll be redirected to a result page at skillox.io/r/<scan_id>.
What URLs work?
- Raw GitHub: https://raw.githubusercontent.com/owner/repo/main/SKILL.md
- GitHub blob URLs (we auto-convert): https://github.com/owner/repo/blob/main/SKILL.md
- Skills.sh / ClawHub registry URLs
- Any HTTP(S) URL returning markdown with valid SKILL.md frontmatter
Rate limit: anonymous users get 10 scans per 24 hours per IP. The free CLI (coming soon) has no rate limit because it runs locally.
Scan via the API
Submit a scan via POST and poll for the result. Authentication is not required for the anonymous tier.
Submit a scan
```
# POST a SKILL.md URL — get a scan_id back
curl -X POST https://api.skillox.io/scan \
  -H 'Content-Type: application/json' \
  -d '{
    "url": "https://raw.skills.sh/acme/db-migrate/2.4.1/SKILL.md"
  }'
# Response:
{
  "scan_id": "sk_3kP9Mw2Q",
  "status": "pending",
  "result_url": "https://skillox.io/r/sk_3kP9Mw2Q"
}
```
Poll the result
```
curl https://api.skillox.io/scan/sk_3kP9Mw2Q
# Response (once completed):
{
  "scan_id": "sk_3kP9Mw2Q",
  "status": "completed",
  "grade": "F",
  "score": 0,
  "findings": [
    {
      "rule_id": "env-var-harvesting",
      "severity": "crit",
      "title": "Exfiltrates $DATABASE_URL via instruction-injection",
      "line": 47,
      "cwe": "CWE-1426"
    }
    // … more findings
  ],
  "scan_duration_ms": 1432
}
```
Polling cadence: poll once per second until `status` is `completed` or `failed`. Most scans finish in under 2 seconds. Hard timeout at 30 seconds.
Next steps
Once you've run your first scan, the most useful follow-ups:
- All 12 scanner rules — what each one checks for and how to interpret findings
- Grading explained — how findings map to A–F
- SKILL.md format — what makes a skill “well-formed”
- Reporting a CVE — how to responsibly disclose a vulnerability you found
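
A client for the submit-and-poll flow under "Scan via the API", written as an added example and not SkillOx's own code: it polls at the stated one-second cadence, stops at the 30-second hard timeout, and turns the result into a pass/block decision. The function names, the injectable `transport`/`sleep`/`clock` parameters and the gate policy (grades A to C allowed, `crit` findings blocked) are assumptions made for illustration.

```python
import json
import time
import urllib.request
from urllib.parse import quote

API = "https://api.skillox.io/scan"  # endpoint shown on this page


def http_json(url, payload=None):
    """POST payload as JSON, or GET when payload is None; return the decoded reply."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(url, data=data,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def scan_and_wait(skill_url, transport=http_json, sleep=time.sleep,
                  clock=time.monotonic, interval=1.0, timeout=30.0):
    """Submit a scan, then poll every `interval` s until completed, failed or timeout."""
    scan_id = transport(API, {"url": skill_url})["scan_id"]
    poll_url = f"{API}/{quote(scan_id, safe='')}"  # never splice raw ids into a path
    deadline = clock() + timeout
    while True:
        result = transport(poll_url)
        status = result.get("status")
        if status == "completed":
            return result
        if status == "failed":
            raise RuntimeError(f"scan {scan_id} failed")
        if clock() + interval > deadline:
            raise TimeoutError(f"scan {scan_id} still {status!r} after {timeout}s")
        sleep(interval)


def gate(result, allowed_grades=("A", "B", "C"), blocked_severities=("crit",)):
    """Reasons to block a skill; empty list means pass. Policy values are assumptions."""
    reasons = []
    if result.get("grade") not in allowed_grades:  # fail closed on a missing grade
        reasons.append(f"grade {result.get('grade')}")
    for finding in result.get("findings", []):
        if finding.get("severity") in blocked_severities:
            reasons.append(f"{finding.get('rule_id')} (line {finding.get('line')})")
    return reasons
```

In a pipeline, treat `RuntimeError` and `TimeoutError` the same as a non-empty `gate()` result so that an unscanned skill is never installed.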