{
  "generatedAt": "2026-04-24T19:21:03.546Z",
  "scannerVersion": "0.8.0",
  "totalScanned": 4308,
  "note": "Deduplicated count of unique skills across public sources, identified by content hash first, with canonical URL as the fallback identity.",
  "badgeDistribution": {
    "certified": 2089,
    "conditional": 2006,
    "suspicious": 168,
    "rejected": 45
  },
  "averageScores": {
    "overall": 92.2,
    "permissions": 85.2,
    "injection": 98.3,
    "dependencies": 94,
    "behavioral": 96.7,
    "content": 72.5,
    "codeSafety": 99.7
  },
  "criticalFindings": 44,
  "highFindings": 2693,
  "totalFindings": 18871,
  "scoreDistribution": {
    "0-10": 1,
    "11-20": 2,
    "21-30": 3,
    "31-40": 4,
    "41-50": 5,
    "51-60": 13,
    "61-70": 44,
    "71-80": 144,
    "81-90": 833,
    "91-100": 3259
  },
  "sources": {
    "github-search": {
      "rawDiscoveries": 7000,
      "uniqueTargets": 4893,
      "scanned": 4893,
      "failures": 0,
      "uniqueSkills": 3540,
      "note": "Public GitHub code search results outside the baseline registries.",
      "netNewUniqueSkills": 3540
    },
    "known-repo": {
      "rawDiscoveries": 804,
      "uniqueTargets": 799,
      "scanned": 799,
      "failures": 0,
      "uniqueSkills": 768,
      "note": "Curated sweep across known public skill repositories.",
      "netNewUniqueSkills": 768
    }
  },
  "deduplication": {
    "rawScanCount": 5692,
    "uniqueSkills": 4308,
    "duplicatesRemoved": 1384,
    "method": "Successful scans are deduplicated by SHA-256 content hash first and by canonical URL second. When the same skill appears in multiple sources, the higher-priority public source is used as the published provenance label."
  },
  "topFindingTypes": [
    {
      "title": "No explicit safety boundaries",
      "count": 3336,
      "severity": "low"
    },
    {
      "title": "Capability contract mismatch: inferred command execution is not declared",
      "count": 1877,
      "severity": "high"
    },
    {
      "title": "Capability contract mismatch: inferred network access is not declared",
      "count": 1402,
      "severity": "medium"
    },
    {
      "title": "Unknown external reference",
      "count": 1322,
      "severity": "low"
    },
    {
      "title": "Capability contract mismatch: inferred file read is not declared",
      "count": 1044,
      "severity": "medium"
    },
    {
      "title": "Capability contract mismatch: inferred documentation ingestion is not declared",
      "count": 1003,
      "severity": "medium"
    },
    {
      "title": "Missing or insufficient description",
      "count": 883,
      "severity": "low"
    },
    {
      "title": "Capability contract mismatch: inferred file write is not declared",
      "count": 689,
      "severity": "medium"
    },
    {
      "title": "Safety boundaries defined",
      "count": 647,
      "severity": "info"
    },
    {
      "title": "Error handling instructions present",
      "count": 517,
      "severity": "info"
    },
    {
      "title": "Output constraints defined",
      "count": 485,
      "severity": "info"
    },
    {
      "title": "Unknown external reference",
      "count": 485,
      "severity": "medium"
    },
    {
      "title": "Capability contract mismatch: inferred package bootstrap is not declared",
      "count": 373,
      "severity": "medium"
    },
    {
      "title": "High-risk workflow lacks explicit safety boundaries",
      "count": 325,
      "severity": "medium"
    },
    {
      "title": "Package-managed project bootstrap dependency",
      "count": 259,
      "severity": "medium"
    },
    {
      "title": "Package bootstrap execution detected (inside code block)",
      "count": 215,
      "severity": "medium"
    },
    {
      "title": "External documentation dependency",
      "count": 190,
      "severity": "medium"
    },
    {
      "title": "Capability contract mismatch: inferred server exposure is not declared",
      "count": 184,
      "severity": "medium"
    },
    {
      "title": "System modification detected (inside code block)",
      "count": 156,
      "severity": "medium"
    },
    {
      "title": "Capability contract mismatch: inferred local service access is not declared",
      "count": 151,
      "severity": "medium"
    },
    {
      "title": "Comprehensive secret collection detected",
      "count": 150,
      "severity": "high"
    },
    {
      "title": "Local service URL reference",
      "count": 141,
      "severity": "medium"
    },
    {
      "title": "Capability contract mismatch: inferred browser automation is not declared",
      "count": 129,
      "severity": "medium"
    },
    {
      "title": "Local service access detected (inside code block)",
      "count": 124,
      "severity": "medium"
    },
    {
      "title": "Federated auth flow detected",
      "count": 115,
      "severity": "medium"
    }
  ],
  "lowestScoringSkills": [
    {
      "name": "Have I Been Clawned?",
      "slug": "11be6eabf6d45a2e05b69f80ffc3c6c69be944ae",
      "score": 0,
      "badge": "rejected",
      "topFinding": "URL-parameter data exfiltration detected",
      "source": "github-search"
    },
    {
      "name": "lifi-dev",
      "slug": "lifi-dev",
      "score": 18,
      "badge": "rejected",
      "topFinding": "Environment variable access + network send (credential harvesting)",
      "source": "github-search"
    },
    {
      "name": "oraclenet",
      "slug": "oraclenet",
      "score": 20,
      "badge": "rejected",
      "topFinding": "Suspicious download-and-execute detected",
      "source": "github-search"
    },
    {
      "name": "claw-audit",
      "slug": "claw-audit",
      "score": 21,
      "badge": "rejected",
      "topFinding": "Direct instruction override detected",
      "source": "github-search"
    },
    {
      "name": "mercadopago",
      "slug": "mercadopago",
      "score": 26,
      "badge": "rejected",
      "topFinding": "Environment variable access + network send (credential harvesting)",
      "source": "github-search"
    },
    {
      "name": "WordPress Penetration Testing",
      "slug": "wordpress-penetration-testing",
      "score": 29,
      "badge": "rejected",
      "topFinding": "Data exfiltration instruction detected",
      "source": "github-search"
    },
    {
      "name": "alchemy-web3",
      "slug": "alchemy-web3",
      "score": 32,
      "badge": "rejected",
      "topFinding": "Environment variable access + network send (credential harvesting)",
      "source": "github-search"
    },
    {
      "name": "one-drive",
      "slug": "one-drive",
      "score": 35,
      "badge": "rejected",
      "topFinding": "Environment variable access + network send (credential harvesting)",
      "source": "github-search"
    },
    {
      "name": "stealth-cli",
      "slug": "skills",
      "score": 38,
      "badge": "rejected",
      "topFinding": "Data exfiltration instruction detected",
      "source": "github-search"
    },
    {
      "name": "tator-trader",
      "slug": "tator-trader",
      "score": 40,
      "badge": "rejected",
      "topFinding": "Environment variable access + network send (credential harvesting)",
      "source": "github-search"
    },
    {
      "name": "claude-to-gemini-converter",
      "slug": "claude-to-gemini-converter",
      "score": 45,
      "badge": "rejected",
      "topFinding": "Critical-risk permission: run_shell_command",
      "source": "github-search"
    },
    {
      "name": "adblock-dns",
      "slug": "adblock-dns",
      "score": 45,
      "badge": "rejected",
      "topFinding": "Download-and-execute pattern detected",
      "source": "github-search"
    },
    {
      "name": "configuring-better-auth",
      "slug": "configuring-better-auth",
      "score": 46,
      "badge": "rejected",
      "topFinding": "Environment variable access + network send (credential harvesting)",
      "source": "github-search"
    },
    {
      "name": "ระบบรับรองแหล่งผลิต GAP พืช (Web Application)",
      "slug": "2243a644a82d7a6459040d958c6e60efb9ff593d",
      "score": 48,
      "badge": "rejected",
      "topFinding": "Hidden instructions in HTML comment",
      "source": "github-search"
    },
    {
      "name": "kustomize-generators",
      "slug": "kustomize-generators",
      "score": 48,
      "badge": "rejected",
      "topFinding": "Capability contract mismatch: inferred credential access is not declared",
      "source": "github-search"
    }
  ]
}
