FAQ

Common questions about SkillOx. If yours isn't here, email hello@skillox.io — we respond in days, not weeks.

Frequently asked

Is SkillOx free?
The anonymous web scanner, the public catalog, the OSS CLI, the GitHub Action, the badges, and the RSS feeds are all free. The Pro tier ($19 / user / mo) unlocks semantic prompt-injection probes, the WebAssembly sandbox (planned), continuous re-scan, and compliance PDF exports. See /docs/pro for what each tier covers; /pricing for the live comparison + checkout.
Do I need an account to use anything?
Only for the creator portal (submit + manage your own skills) and the Pro tier. The scanner, catalog, CLI, GitHub Action, and badges all work anonymously. Sign-in is GitHub OAuth — we ask for read:user + user:email only, no repo access.
What does the scanner actually do?
17 rules covering hardcoded-secret references, prompt-injection patterns, URL exfiltration, dangerous shell commands, filesystem overreach, undeclared network egress, repo-provenance signals (young repo, force pushes, single-contributor), capability-manifest omissions, anchor-href mismatches, and Unicode homoglyph squatting. Each finding maps to CWE. Full ruleset at /docs/rules.
How accurate is the grade?
High-precision, lower-recall by design. When the scanner says a skill is critical, it usually is — but we miss patterns that need LLM-based detection. Pro tier adds semantic probes (10 shipped today across env-var-exfil, attacker-egress, instruction-override, and capability-bypass; expanding over time) that close the recall gap. See False positives for how to report misgrades.
Does SkillOx execute the skill at scan time?
No. Today it's static analysis only — we read the markdown + frontmatter and pattern-match. No execution, no sandbox. The WebAssembly capability-scoped sandbox is planned (Pro tier) and will run skills with declared capabilities enforced at runtime.
Do you store the SKILL.md content I scan?
For anonymous scans — yes, we keep the parsed result + the source URL so the Report Card stays viewable. Anonymous scan rows auto-delete after 30 days via a nightly TTL job. Creator-claimed scans persist indefinitely so the public catalog stays browseable. Full breakdown at /docs/security.
Where is my data hosted?
Hetzner, Finland (Helsinki). Postgres + Redis + the web stack live on one box, with daily encrypted backups to Backblaze B2 EU. Cloudflare handles TLS + Turnstile + CDN at the edge. No AWS, no US data residency, no third-party analytics. See /docs/security for the long answer.
How did you build the catalog?
Four sources: GitHub Code Search (size-band-partitioned to bypass the 1k-results-per-query cap), the ClawHub public REST API, the Skills.sh sitemap, and creator submissions. Each adapter's mechanism + permission story is documented at /docs/sources. Nothing scraped, no private data, no auth tokens with repo access.
My skill shouldn’t be in the catalog — how do I get it removed?
Two options. Sign in via GitHub OAuth, claim the listing on its Report Card (your GitHub username has to match the source-repo owner), and click Remove listing on the dashboard — gives you a permanent owner relationship so the catalog tracks your removal request even if the skill is re-discovered. Or email takedowns@skillox.io for cases where claim verification isn't possible. 24-hour turnaround either way.
What URLs can I scan?
Any HTTP(S) URL that returns markdown with valid SKILL.md frontmatter. GitHub /blob/ URLs auto-convert to raw.githubusercontent.com. Skills.sh, ClawHub, and any direct-link to a raw .md file all work.
How do I run SkillOx in my CI?
Drop the GitHub Action into .github/workflows/skillox.yml — two lines of YAML. Or for non-GitHub CI, hit POST /scan/bulk directly with the file contents in the request body. The Action annotates findings inline on the PR's Files-changed tab and blocks the merge when any grade drops below your threshold.
Can I show the grade in my README?
Yes — shields.io-style SVG badges at https://api.skillox.io/badge/<skill-name>.svg. Drop into Markdown / HTML / reST. Copy-paste snippets pre-filled on every Report Card; full reference at /docs/integrations/badges.
Can I get an RSS feed of new findings?
Two feeds. /feed/critical.xml for the D+F discoveries (security folks, AppSec teams), or /feed/index.xml for the full firehose. Standard RSS 2.0; auto-discovery via the <link rel="alternate"> tags in the head.
Can I self-host the whole stack?
Yes — Apache-2.0 end-to-end. Three depths: CLI-only (one binary), scanner-as-library (@skillox/scanner in your own Node app), or full stack (web + api + worker + Postgres + Redis on one box). Walkthrough at /docs/self-hosting.
I found a vulnerability in SkillOx itself. Where do I report it?
Email security@skillox.io with the reproducer. We respond within 24 h, fix critical issues within 7 days, credit you in the changelog. Full disclosure policy at /docs/disclose.
Who’s behind SkillOx?
Atomira Technologies S.L., a Spanish company incorporated in Barcelona in April 2026. Single founder, bootstrapped through Q1 2027. See /manifesto for the "why".

Still stuck?

Email hello@skillox.io with the scan ID and a short description. Faster paths for specific cases: