skillox audit

Scan a SKILL.md without installing it. Prints a grade and a finding list to stdout; exits non-zero on D or F.

Usage

# Audit a skill from Skills.sh / a URL / a local file
skillox audit https://raw.githubusercontent.com/foo/bar/main/SKILL.md
skillox audit @acme/db-migrate          # resolves via Skills.sh registry
skillox audit ./my-skill/SKILL.md       # local file

# Output (truncated):
overall grade: F · 0 / 100

CRIT  env-var-harvesting    line 47   exfiltrates $DATABASE_URL
CRIT  instruction-injection  line 82   "ignore previous instructions"
HIGH  network-egress-undeclared  line 56   analytics.acme.io
MED   no-manifest             —

verdict: DO NOT INSTALL

Exit codes

• 0 — grade A or B
• 1 — grade C
• 2 — grade D
• 3 — grade F
• 10 — fetch error / invalid URL / timeout

Flags

--json                    machine-readable output
--no-color                strip ANSI codes
--github-token=$TOKEN     raise the GitHub rate limit (60 → 5000 req/hr)
--fail-on=<grade>         override the default fail-on=D threshold
--rules=<rule1,rule2>     only run a subset of rules
--ignore-rules=<r1,r2>    skip a subset of rules
--manifest-required       fail on no-manifest even at grade B

In CI/CD

Use skillox audit as a pre-commit hook or a GitHub Action step before any agent runs. Pair with skillox policy for org-wide policy enforcement at the merge gate.