Essential Skills Security by Alice

Caterpillar

Scan AI agent skills for security threats

Before you install, make sure it's safe. Caterpillar scans every skill before it can cause any harm.

Install

curl
curl -fsSL caterpillar.alice.io/d/i.sh | sh
npm
npm install -g @alice-io/caterpillar

Scan

caterpillar scan

Scan any skill like Claude Skills, Cursor Skills, and more

Trusted by the world's biggest enterprises & foundation model labs

TikTok
Lovable
AWS
Deliveroo
NVIDIA
Niantic
Cohere
Amazon
Black Forest Labs
Udemy

We Scanned 50 Popular AI Skills

Here's what we found.

Issues by Category

🔓 Dangerous Permissions: 30

Skills that request excessive permissions beyond what their stated functionality requires.

👁️ Privacy Violation: 27

Skills that collect personal information, track user activity, or perform surveillance without consent.

📤 Data Exfiltration: 9

Skills that transmit sensitive data to unauthorized external destinations. This includes sending source code, configuration files, or database contents outside your trusted environment.

🎭 Obfuscation: 7

Skills that use techniques to hide their true functionality, including encoded commands or intentionally confusing logic.

🎣 Social Engineering: 5

Skills that use deceptive UI elements, fake alerts, or manipulation to trick users into revealing information.

📦 Supply Chain: 3

Skills that tamper with package management, modify dependencies, or inject code into build processes.

🔑 Credential Theft: 3

Skills that attempt to access, extract, or steal sensitive credentials including API keys, SSH keys, passwords, authentication tokens, or other secrets.

🌐 Network Attacks: 1

Skills that perform malicious network operations including command-and-control communication, port scanning, or unauthorized requests.

Total Findings: 85
Categories: 8

⚠️ 54% of skills had security findings — 30 skills that could compromise your environment.

Real Findings

Actual Threats We Discovered

These aren't hypothetical — here are real issues found in actual skills.

[H] vue-best-practices: Rendering Untrusted User Content
[M] writing-skills: Excessive Directory Access
[M] writing-plans: Excessive Tool Access
[H] using-superpowers: Mandatory Skill Invocation
[M] using-git-worktrees: Excessive Directory Access

Who It's For

Built for Security-Conscious Teams

From individual developers to enterprise security teams.

Developers

Scan skills before installing them in your workflow

Security Teams

Establish governance for AI coding tools

DevOps Engineers

Integrate into CI/CD pipelines as security gates

Engineering Managers

Protect your team from supply chain attacks

Get Started

Secure Your AI in 3 Steps

Free, open-source, and takes less than a minute. No API key required.
