What's in v0

v0 is the starting point: the hosted scanner demo, a shareable result page per scan, and canonical per-skill pages. Everything else is deliberately deferred to keep the surface honest about what's working today versus what ships on the roadmap.

Shipped in v0

• Web scanner — paste a SKILL.md URL, get an A–F grade in 1–3 seconds
• 12 scanner rules covering env-var harvesting, instruction injection, URL exfiltration, dangerous shell, filesystem overreach, undeclared network egress, subprocess execution, obfuscation, repo age, repo popularity, recent force-push, and missing manifest
• Rich findings with ±2 lines of context and arrow annotations on the 8 line-based rules
• Result pages at /r/[id] — SSR, shareable, indexable, with OpenGraph + Twitter cards
• Skill Report Cards at /c/[skillName] — canonical per-skill pages aggregating scans by frontmatter name
• HTTP API at api.skillox.io — POST /scan, GET /scan/:id, GET /skill/:name
• Rate limit — 10 scans / 24h / IP for anonymous tier, enforced via Redis
• Turnstile challenge on the scan form
• Sample tour — 5 pre-baked sample scans (A/B/C/D/F) linked from the landing for browsing without burning your rate-limit budget

Deliberately deferred

Every one of these is on the roadmap, with a target milestone:

• Next — OSS CLI binary, LLM-based semantic prompt-injection probes, Pro tier billing + Stripe Connect, creator portal v1, Skill Report Card fill-out (AIBOM, version history, signed releases)
• Soon after — WebAssembly capability-scoped sandbox, continuous re-scan loop, IDE plugins (VS Code, Cursor), Expert Review Network beta
• Then — public reviewer applications
• Later — Team tier ($49), policy enforcement, private mirror, SOC 2 Type I observation begins
• Further out — Enterprise tier, SOC 2 Type II, SSO/SCIM, BYOK signing keys
• Long-term — ISO 42001, EU AI Act high-risk evidence module, HIPAA add-on