SkillSec - Security testing for AI agent skills

Security · SaaS product

Full adoption. Zero vetting.

A company-wide rollout of Claude and Cursor turned into a security blind spot when employees started importing agent skills from unverified sources. We built SkillSec to close the gap, and then kept building until it became a standalone product.

Enterprise AI adoption

50-200 employees

Security & compliance

Client's story

From bold bet to blind spot

A mid-size company went all-in on Claude and Cursor: enterprise licences, full team rollout, immediate productivity gains. Within weeks, employees were building and collecting agent skills from GitHub, Reddit, and AI forums to push output even further. Nobody was vetting them. That's when the security team noticed unusual patterns and realized AI tool usage needed closer attention. They reached out to us, and we ran a rapid audit. As a first step, we identified the need to start monitoring the skills users were uploading, which had begun flooding in at scale.

The challenge

Skills from everywhere. Trust from nowhere.

Agent skills from unknown sources were running inside the company's Claude and Cursor environments with access to internal context and APIs. With dozens of skills already in circulation, manual review was impossible. They needed an automated gate that any team member could use, without requiring a security background to operate it.

Our solution

Scan before you run.

We built SkillSec as a targeted security checkpoint → paste a GitHub URL, select the skills to test, and a multi-agent system probes each one for prompt injection, data exfiltration, and SSRF vulnerabilities. Results come back as a severity-graded report in minutes. What started as a client solution became a standalone product.

Multi-agent testing

Specialised agents probe each skill independently, simulating adversarial inputs across multiple attack vectors simultaneously.

GitHub-native workflow

Submit a repo URL, select skill folders, get results. No installation, no codebase changes, private repos supported.

Severity-graded reports

CLEAN to CRITICAL classification with specific evidence and remediation steps - actionable without security expertise.

Commit-based deduplication

Results cached per commit SHA. Unchanged skills are never retested, only what changed gets scanned.

The result

Adoption kept moving. The risk didn't.

The company went from zero visibility into what skills were running in their environment to a lightweight approval gate that any team member can use. Unknown third-party skills get scanned before adoption. Internal skills get tested before they're shared. The productivity push continues on verified ground.

Key outcomes

Minutes

Time to first security report

Security expertise required

Every tested skill had security vulnerabilities

∞

Skills scannable per month

Built with

Next.jsCrewClaude APIMongoDBMulti-agent orchestration

Project phase

✓ MVP delivered
✓ Full product built
Live — standalone SaaS

See solution in action

Open solution →

Multi-agent workflow automation

Build on top of your verified skills with production-grade agent pipelines.

CRM & tool integration

Connect your AI outputs to the tools your team already uses.

AI strategy & audit

Not sure where to start? We map your workflows and size the opportunity first.

Want to See It in Action? Request Your Demo Access

Fill out the form and we'll send you a demo access token, valid for 48 hours, so you can explore the solution yourself.

Request Demo Access

We build custom AI systems for small and mid-size businesses - from working prototype to production, with a clear process and defined outcomes at every step. No generic tools, no long commitments before you've seen results.

Terms and Conditions