Skill Auditor

SkillAuditor is a security and trust layer for agent skills. Skills are useful because they can be reused across agents and workflows, but that also makes them a new attack surface. A skill can quietly push an agent beyond its intended scope, extract secrets, hide behavior, or manipulate downstream actions. SkillAuditor audits and verifies skills before they are used. It combines semantic analysis of the skill’s instructions, sandboxed execution in a realistic environment, and a final judging layer that reconciles what the skill says with what it actually does. The result is a clear audit report, a machine-readable verdict, and an onchain verification record that both humans and agents can check before loading a skill.

SkillAudit is built as a full-stack web app with a modular audit pipeline. The frontend uses Next.js for the user interface and audit status views, while the backend uses Hono to expose the API and orchestrate the audit flow. Audit jobs are persisted in MongoDB so they continue running even if the user closes the browser, and the UI can reconnect later and pick up the current state. For analysis, we use Anthropic’s API in three layers: a semantic auditor that reads the skill as instructions, a sandbox runner that executes the skill in a controlled mock environment, and a judge that compares semantic findings with observed behavior to produce the final verdict. The sandbox mirrors a standard computer setup, including a realistic filesystem, shell-style commands, environment variables, and outbound request interception, so we can observe suspicious behavior without touching real user systems. Onchain verification lives on Base through a registry contract that stores audit results and points to the full report on IPFS. Payments are designed for both humans and agents: human users can go through the normal app flow, while agent clients can pay programmatically with x402. Revenue management and governance are separated from verification, with Safe used as the treasury and multisig control layer for protocol funds and sensitive admin actions. x402 is built around HTTP 402 payment-required flows for machine-native payments, and ENS remains relevant for readable onchain naming and resolution as the verification layer expands.