SkillWatch

Watches the web pages your AI tools rely on and tells you when something changes. Catches some attacks, not all.

pip install skillwatch GitHub

Python 3.10+ · 5 dependencies · Apache 2.0 · v0.3.0

The problem

AI tools pull in instructions from web pages. Security scanners check the tools when they are installed, but the web pages those tools point to can be changed afterwards. The scanners do not re-check.

In June 2026, researchers showed that a fake AI tool could pass every major scanner by keeping its code clean, then swapping the URL content from legitimate documentation to malicious instructions after distribution.

SkillWatch watches those URLs periodically (via cron or CI). It complements existing scanners; it does not replace them.

13 pattern checks, zero infrastructure

Only newly added content triggers alerts, not things already on the page. These checks can be evaded. Review all alerts manually.

Critical

Prompt injection

32 patterns from the Agent Threat Rules project, covering 7 languages plus obfuscation tricks. Catches obvious phrasings like "ignore all previous instructions." Will not catch attacks phrased as polite requests, stories, or academic writing.

Critical

Exec commands

Flags new curl, wget, pip install, eval(), subprocess, powershell, and node -e commands in changed content.

Critical

Data URI embeds

Detects new iframes, embeds, and objects with data: URI payloads containing HTML or JavaScript.

Warning

Unicode lookalikes

Catches characters from other scripts (Cyrillic, Greek, Armenian) that look like Latin letters but are not. Uses the Unicode Consortium's official confusables database.

Warning

Credential keywords

Flags new references to api_key, token, password, .env, private_key, and similar terms that suggest credential harvesting.

Warning

Suspicious HTML

Flags new scripts that use eval, fetch, or access cookies. Also catches new iframes, meta refresh redirects, and hidden elements.

Quick start

# Install
pip install skillwatch

# Add URLs from a SKILL.md file
skillwatch add path/to/SKILL.md

# Run a scan
skillwatch scan

# Check alerts
skillwatch alerts

# Automate (every 4 hours via cron)
0 */4 * * * skillwatch scan --quiet --preset docs

# JSON output for webhooks, Slack, ntfy.sh
skillwatch scan --output json | curl -d @- ntfy.sh/alerts

How SkillWatch fits alongside other tools

It watches a different layer than existing scanners. Use them together.

Capability Snyk Agent Scan Cisco skill-scanner SkillWatch
Checks tool code and descriptions Yes Yes No
Watches external URLs for changes No No Yes
Tamper-evident, independently verifiable history No No Yes
Scheduled re-checking Enterprise only No Yes (cron/CI)
Prompt injection detection Yes (backend) Yes (YARA+LLM) Pattern-based (32 regex patterns; 75% recall, 50% vs evasive)
Free for individuals Yes Yes Yes
JSON output Yes No Yes
Works offline (no cloud service needed) No Yes Yes

Why trust SkillWatch

SkillWatch is built to be the boring, honest option in a crowded field.

Free, open source, runs on your laptop

Five dependencies. Zero infrastructure. Nothing sent externally. Apache 2.0.

View on GitHub