I built a CLI tool to scan AgentSkills (SKILL.md format) before installing them. Works with OpenClaw/ClawHub, Claude Code, Cursor, and any AgentSkills-compatible platform. Given the ClawHavoc campaign and reports of 26% of skills containing vulnerabilities, I wanted a quick gut check before installing anything.

It runs four analysis layers: permission audit, prompt injection detection, code analysis via TypeScript AST, and cross-reference checks for permission mismatches.

Zero config, zero API keys, one command: npx acidtest scan ./my-skill

https://github.com/currentlycurrently/acidtest