Let your team vibe code - 
without giving away the keys

AI coding agents like Cursor, Claude Code, and Copilot are powerful - but they execute Skills, invoke tools, and access credentials with zero security review. Enkrypt AI gives you the scan-and-govern layer that's missing.

Get Started
Talk to an Expert
Skill Sentinel on Github

Skills are executable plugins - not documentation

When a developer clones a repo with a .cursor/skills/ or .claude/skills/ directory, they're installing behavior that controls what their AI agent does. A Skill can tell the agent which commands to run, what files to access, and how to handle sensitive data.

No installation dialog, no security warning, no permission prompt

Malicious instructions can be hidden deep in markdown files - past where scanners stop reading

Auto-activation means a routine request like "clean up this code" can trigger credential theft

Current security scanners truncate files and miss attacks beyond the first ~3,000 characters

Real attack - demonstrated by Enkrypt AI

Developer clones a repo containing a "code-cleanup" Skill

Opens it in Cursor and asks to "clean up this code"

Agent matches the request to the Skill and auto-activates it

Hidden instructions deep in SKILL.md tell the agent to run a script

The script reads ~/.ssh/id_rsa and exfiltrates it to an attacker endpoint

Scan the supply chain. Govern the runtime.

Scanning catches threats before they execute. Guardrails enforce policy while agents are running. You need both.

Layer 1 - Supply Chain
Skill Sentinel
Open-source scanner that treats Skills as the security-critical supply chain components they are. No truncation. Multi-agent analysis. Malware detection built in.
Full-file analysis — no truncation limits that attackers can exploit
Multi-agent pipeline: manifest inspection, file verification, cross-referencing, threat correlation
VirusTotal integration for binary and archive scanning
Cross-file threat correlation — catches multi-file attacks
Parallel bulk scanning of all Cursor, Claude Code, Codex, and OpenClaw Skills
OWASP LLM Top 10 + Agentic Top 10 threat mapping
Layer 2 - Runtime
Guardrails for Coding Agents
Hook into your coding agent's execution path and enforce policy in real time — what data it can access, which commands it can run, and what leaves your environment.
Visibility into what coding agents actually do — commands, file access, network calls
Policy-based enforcement: block credential access, restrict shell commands, redact secrets
Every decision stamped with policy_id + reason_code for audit trails
Command allowlisting — permit read-only operations, block network and install by default
Approval gates for sensitive operations (deployments, credential access, infra changes)
Export enforcement events to SIEM and ticketing systems

What Skill Sentinel and Guardrails catch

Mapped to OWASP Top 10 for LLM Applications and OWASP Top 10 for Agentic Applications.

Skill Sentinel
Prompt injection in Skills
Override attempts, mode changes, policy bypass instructions hidden in SKILL.md files
Data exfiltration directives
Network calls designed to steal credentials, SSH keys, API tokens, or source code
Obfuscated payloads
Base64 + exec, hex-encoded payloads, and unreadable code designed to evade review
Hardcoded secrets
Embedded API keys, passwords, and private keys in Skill files and scripts
Malware in binaries
Executables, archives, and PDFs scanned against VirusTotal's database
Transitive trust abuse
Delegation to untrusted external sources, cross-context bridging between files
Guardrails
Unauthorized command execution
Block dangerous shell commands, package installs, and system modifications at runtime
Credential access
Prevent reading SSH keys, env files, cloud credentials, and API tokens without approval
Secret leakage in output
Redact sensitive data before it's sent to the model or logged in agent output
Network exfiltration
Block or alert on outbound network calls from coding agents to unknown endpoints
Both
Tool chaining abuse
Multi-step workflows that read sensitive data then transmit it - caught in scan and at runtime
Autonomy abuse
Skills or actions that exceed intended scope - auto-deploying, modifying infra, or escalating privileges

From clone to governed in four steps

Skill Sentinel scans before execution. Guardrails enforce during execution. Both produce evidence.

1) Scan Skills

Run Skill Sentinel on .cursor/skills/ and .claude/skills/ — in CI or locally

2) Review & approve

Triage findings, block malicious Skills, approve safe ones into your allowlist

3) Hook guardrails

Integrate runtime enforcement — command allowlists, data policies, approval gates

4) Monitor & export

Every enforcement decision logged with policy_id — export to SIEM or audit packet

Running in minutes, not sprints

Skill Sentinel is open source and installs with pip. Guardrails integrate via hooks or proxy.

Skill Sentinel
Scan your Skills
Skill Sentinel  scan your Skills
# Install
pip install skill-sentinel

# Scan a single Skill
skill-sentinel scan --skill ./my-skill

# Scan all Cursor skills in parallel
skill-sentinel scan cursor --parallel

# Auto-discover and scan everything
skill-sentinel scan

# CI/CD integration
skill-sentinel scan --dir .cursor/skills/
skill-sentinel scan --dir .claude/skills/
Guardrails
Enforce at runtime
Guardrails  enforce at runtime
# Hook into your coding agent
# via API wrapper, proxy, or SDK

# Define a policy pack
policy:
  block_commands:
    - curl, wget, nc, ssh
    - pip install, npm install
  block_file_access:
    - ~/.ssh/*, ~/.aws/*
    - .env, *.pem, *.key
  require_approval:
    - deploy, publish, push
    - rm -rf, chmod, chown

# Every decision → policy_id + trace

Works with the coding agents your team already uses

Skill Sentinel scans Skills from any provider. Guardrails hook into any agent's execution path.

Cursor
cursor/skills/
Claude Code
.claude/skills/
Codex
OpenAI agents
GitHub Copilot
Workspace agents

Frequently Asked Questions

How is Skill Sentinel different from Cisco's AI Skill Scanner?
Cisco's scanner truncates files at ~3,000 characters for markdown and ~1,500 for code — our demonstrated attack bypassed it entirely by placing malicious instructions beyond these limits. Skill Sentinel reads complete files with no truncation, uses a multi-agent analysis pipeline, includes VirusTotal malware scanning, and performs cross-file threat correlation to catch sophisticated multi-file attacks.
Is Skill Sentinel open source?
Yes. Skill Sentinel is fully open source on GitHub. Install with pip, export your API key, and start scanning. The free tier of VirusTotal provides 500 lookups per day for malware detection.
Why do I need Guardrails if I'm already scanning Skills?
Scanning catches known threats before execution — but it can't prevent a legitimate Skill from being misused at runtime, or catch novel attacks it hasn't seen before. Guardrails enforce policy during execution: blocking credential access, restricting commands, redacting secrets, and requiring approval for sensitive operations. Defense in depth means you need both layers.
Can I integrate Skill Sentinel into CI/CD?
Yes. Run skill-sentinel scan --dir .cursor/skills/ as a CI step. It produces JSON reports with severity levels, evidence, and remediation recommendations. Gate your pipeline on the results — block merges that introduce malicious or suspicious Skills.
Does the Guardrails layer add latency to my coding workflow?
Guardrails are designed for low-latency enforcement. Command allowlisting and file access policies are evaluated locally in microseconds. More complex policies that involve content inspection add single-digit milliseconds. Developers won't notice the difference.
What should we do as a quick win right now?
Three immediate actions:
  • (1) Install Skill Sentinel and scan all Skills in your repos today — it takes five minutes.
  • (2) Disable auto-execution in your coding agents and require explicit approval for commands.
  • (3) Add CODEOWNERS rules to require security review for changes to .cursor/ and .claude/ directories. These three steps cover the most critical gaps while you evaluate the full Guardrails integration.

Your developers are vibe coding right now. Are the Skills they're using safe?

Enkrypt AI, Inc
1660 Soldiers Field Rd. Brighton, MA 02135
LoginBook a Demo

contact us

hello@enkryptai.com

GO to

Pricing
Blogs
Resources
About Us
Copyright © 2025 Enkrypt AI All rights reserved.
Terms and Conditions