How it works

SkillOx is a static-analysis pipeline: you submit a URL, we fetch the SKILL.md, run 12 rules over its content, grade the findings, and persist a shareable report. Every step is observable and the result page is SSR-rendered with stable IDs.

The scan pipeline

Six stages, all in your geographic region (EU on the default host):

Submit · POST /scan validates the URL shape, checks Turnstile, applies the rate limit, and inserts a row with status='pending'.
Queue · the API enqueues the scan ID into a BullMQ queue backed by Redis. POST returns immediately with the scan ID + result URL.
Fetch · the worker picks up the job and fetches the SKILL.md (GitHub blob URLs auto-convert to raw). 30-second hard timeout.
Parse · YAML frontmatter is parsed, CRLF normalized, lines indexed for finding-positioning.
Rules · all 12 rules run sequentially over the parsed content. Line-based rules emit findings with context: { lines: [...] } for the result page's rich excerpt viewer. Provenance rules call the GitHub API for repo metadata.
Persist + grade · findings are aggregated, a grade computed (see Grading explained), and the row updated to status='completed'.

Data model

One Postgres table — scans — keyed by cuid2 ID. JSONB column holds the findings array. Parsed skill_name + skill_version are extracted from frontmatter and stored as separate columns so they can be aggregated by /c/[skillName] Skill Report Cards.

Finding shape

ruleId — string ID of the rule that fired (e.g. env-var-harvesting)
severity — one of crit / high / med / low
title + description — human-readable
line + excerpt + context — where + what (rich context shows ±2 lines + an annotation arrow)
cwe — CWE reference when applicable, linked out to MITRE on the result page

What we store, what we don't

Stored: the submitted URL, parsed skill name/version, scan findings, source repo string, scan duration, a salted hash of your IP (for rate limiting), and a hash of your user-agent.

Not stored: your raw IP, the original SKILL.md content (we re-fetch on-demand if needed), any cookies, any third-party trackers. There are no analytics scripts on this site.

Result pages are public. Anyone with the URL can view the report. Treat the scan ID as the access control — if you scan a private skill, don't share the result URL. Skill Report Cards at /c/[skillName] are SEO-indexed; result pages at /r/[id] are SSR + indexable too.