Agent skills bundle npx, pip install, shell commands, and URL fetches that LLMs can hallucinate into malware. Beepack Scan catches hallucinated packages, typosquats, and malicious URLs before you run them.
Agent skills are downloaded from community marketplaces (sickn33's 1400+ skills, lobehub, Claudepluginhub) and run blindly. Some of them reference npm or pip packages that don't exist - a prime typosquatting vector.
"The LLM invents a plausible-looking package name, the skill ships it as a real install command, and the first person who registers that name on npm owns every machine that runs the skill." - paraphrased from Aikido Security
Paste a GitHub repo URL, a raw SKILL.md, or a gist, or drop the file. We fetch the markdown and all referenced .sh / .py / .js scripts.
https://github.com/user/my-skill
Every npx, pip install, shell command, URL, and import goes through the real npm registry, PyPI, URLhaus, RDAP, and a typosquat detector. No LLM. Reproducible.
npm registry + URLhaus + RDAP
RED blocks obvious threats (hallucinated packages, URLhaus matches, distance-1 typosquats). YELLOW flags possibles. GREEN means every reference resolves to a real, popular target.
RED / YELLOW / GREEN
Concrete attack patterns, not vibes.
The skill runs npx @anthropic/skill-runner but the package doesn't exist on npm. First squatter to register it owns every install. We hit the npm registry for every reference and block on 404.
A name at Levenshtein distance ≤ 1 from a top-10k package that does exist: expresss vs express, reqeusts vs requests. Clear intent to deceive.
A URL in the skill (or in a curl/wget command) appears on the URLhaus blocklist of known-malicious hosts. Updated daily.
Commands that fetch scripts from ngrok.io, trycloudflare.com, pastebin.com, or other ephemeral hosts. Legitimate use exists, but it's a common exfiltration + payload delivery vector.
Domain age under 30 days via RDAP. Young domains are disproportionately malicious; we flag it so you know the skill's dependencies are brand new.
Names like stripe-js when stripe is popular: distance 2-3 matches, with confidence calibrated conservatively to avoid false positives.
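As an added illustration of the package checks described above (not Beepack's own code), the script below pulls npx / pip install references out of a SKILL.md and applies the hallucinated-package, distance-1 and distance-2-3 rules offline. The TOP_PACKAGES and REGISTRY sets, the INSTALL_RE pattern and the SKILL.md fragment are constructed stand-ins for the real top-10k list, registry lookup and input; the edit distance uses the Damerau variant so a transposed pair such as reqeusts/requests counts as one edit, as the page's example implies.

```python
import re
# Constructed stand-ins so the example runs offline: TOP_PACKAGES plays the top-10k
# popularity list, REGISTRY a live npm/PyPI lookup (absent name == registry 404).
TOP_PACKAGES = {"express", "requests", "stripe", "react", "lodash", "axios"}
REGISTRY = TOP_PACKAGES | {"expresss", "stripe-js", "left-pad"}
SEVERITY = {"GREEN": 0, "YELLOW": 1, "RED": 2}  # doubles as the 0 / 1 / 2 exit code
# `npx <pkg>` and `pip install <pkg>` references in a SKILL.md (assumed pattern).
INSTALL_RE = re.compile(r"\b(?:npx|pip3?\s+install)\s+(@?[\w./-]+)")

def edit_distance(a, b):
    """Damerau-Levenshtein (OSA): a swapped pair like reqeusts/requests costs 1."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[-1][-1]

def classify(pkg):
    """Apply the page's rules, most severe first; returns (verdict, reason)."""
    if pkg in TOP_PACKAGES:
        return "GREEN", "popular package"
    nearest, dist = min(((p, edit_distance(pkg, p)) for p in TOP_PACKAGES), key=lambda t: t[1])
    if dist <= 1:  # distance-1 lookalike of a real popular name
        return "RED", "typosquat of %s (distance %d)" % (nearest, dist)
    if pkg not in REGISTRY:  # registry 404: the name is still unclaimed
        return "RED", "hallucinated package (not on registry)"
    if dist <= 3:  # distance 2-3, e.g. stripe-js vs stripe
        return "YELLOW", "possible typosquat of %s (distance %d)" % (nearest, dist)
    return "GREEN", "resolves on registry"  # simplified: no popularity threshold

def scan_skill(markdown):
    """Extract every install reference from a SKILL.md and classify it."""
    return [(pkg,) + classify(pkg) for pkg in INSTALL_RE.findall(markdown)]

def exit_code(results):
    """Worst verdict wins: 0 / 1 / 2 for green / yellow / red."""
    return max((SEVERITY[v] for _, v, _ in results), default=0)

# Constructed SKILL.md fragment: one hallucinated scoped package, two distance-1
# typosquats, one distance-3 lookalike and one legitimate install.
SKILL_MD = """Setup:
    npx @anthropic/skill-runner
    pip install reqeusts
    npx expresss
    npx stripe-js
    pip install requests
"""
```

Running scan_skill(SKILL_MD) yields RED for the first three references, YELLOW for stripe-js and GREEN for requests, so exit_code() returns 2 for this file.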
Paste a URL, get a verdict, share the scan. Zero setup.
https://beepack.ai/scan
Pipe into a pre-install hook. Exit codes: 0 / 1 / 2 for green / yellow / red.
npx @actabi/beepack scan <url>
Expose scan_skill as an MCP tool Claude Code can call mid-conversation.
claude mcp add beepack
Run the scan on every push, and as a status check on PRs for skill repos.
actabi/beepack-scan@v1
Live-updating SVG badge in your README so users see the current verdict.

Subscribe to a skill. Alert when a scan turns RED because an upstream dep changed.
beepack watch <url>
Deterministic checks, open source, no data kept beyond the scan result. If you publish skills, a verified badge is one click away.
Open the scanner →