How SkillTotal analysis works

Detection is pure static analysis — regular expressions plus AST parsing. Your code is never executed and the engine never calls an LLM, so results are reproducible and there is no risk in scanning something dangerous. The same open-source engine runs on the website and locally via pipx install skilltotal.

A confirmed finding always points at a file, a line range, and the exact snippet. Signals that cannot be anchored to evidence are surfaced separately as "needs review" and never affect the score. Everything is derived only from the component's own files — never from your environment.

The report separates malicious indicators — deliberate deception such as tool poisoning, hidden-Unicode smuggling, prompt injection, and decode-and-execute — from powerful capabilities like filesystem, network, and shell access, which are often legitimate. Only malicious indicators and genuinely risky constructs drive the risk score, so the scanner does not cry wolf.

Install-time execution, obfuscated decode-and-execute droppers, credential and secret exfiltration (sensitive-data access combined with network egress), dangerous MCP tools and tool poisoning, prompt injection — including homoglyph, full-width and zero-width obfuscation — unsafe deserialization, and sensitive-path access.

SkillTotal performs static security analysis of AI components — MCP servers, agent skills/plugins, npm and PyPI packages, and AI-generated projects. The engine combines capability analysis, dangerous-pattern detection, privilege analysis, supply-chain (install-time) analysis, prompt-surface analysis, and data-flow correlation (secret access combined with network egress). Findings are mapped to risk categories and contribute to a 0–100 risk score; capabilities are reported but never inflate it — capability ≠ risk.

Legend: ✅ analyzed by default for this component type · ⚠️ the engine detects this, but the surface is uncommon for this type — so it is flagged only when the component actually contains it (e.g. prompt-injection text inside an npm/PyPI package) · ❌ not applicable to this type · 🚧 planned (SkillTotal Cloud).

Columns are the component types SkillTotal scans. AI project = a scanned repository or folder — an agent skill/plugin, an AI-generated codebase, or a set of prompts/configs — that is not a published npm/PyPI package.

• An MCP tool can execute arbitrary shell commands
• A package downloads and runs code from an external URL
• Access to credential locations (~/.aws, ~/.ssh, .env) detected
• Dynamic code execution (eval / exec) detected
• Prompt-injection / instruction-override phrasing in a tool description or skill
• Sensitive-data access combined with outbound network egress
• Hardcoded API keys or tokens
• An MCP server with auto-approved or overprivileged tools

SkillTotal statically analyzes a single component's own files. It does not execute code, observe runtime behavior, or assess your environment, deployment, or infrastructure. It is not a substitute for:

• a penetration test
• an application-security (app-sec) review
• an architecture / design review
• a cloud-security or infrastructure assessment
• a Kubernetes / container runtime audit
• a business-logic review
• a manual code review

Runtime behavior and sandbox analysis are planned for SkillTotal Cloud.

The number that matters for a scanner is how often it cries wolf. In the latest calibration run (engine 0.10.1, ruleset 11, 2026-06-14) SkillTotal raised zero false-malicious verdicts across the 37 most-popular MCP servers and zero across 18 trusted, widely-used npm/PyPI packages. Powerful but legitimate capabilities — filesystem, network, shell — are reported, never scored as malicious.

On detection, the engine flags every malicious archetype in its open test set: instruction override, MCP tool-poisoning, hidden-Unicode (ASCII smuggling), decode-and-execute droppers, install-time and postinstall credential exfiltration, import-time stealers, and typosquat droppers. We report detection as archetype coverage rather than a single percentage — real registry malware is taken down quickly, so a live network "detection rate" is noisy, and we will not headline a number that flatters us for the wrong reason.

It is reproducible. The engine, fixtures, and harness are open source (Apache-2.0): run the deterministic floor with pytest tests/test_offline_calibration.py, or re-run the real-world corpus with fetch_corpus.py then calibrate.py. A false-positive gate (benign false positives must stay zero) runs before every release.

Every report exports to JSON and to SARIF 2.1.0, so you can wire SkillTotal into code scanning and CI alongside your other tools.