
Skill Scan

Scan SKILL.md packages, agent tools, and local MCP servers for security vulnerabilities. The skill-scan command analyzes skill definitions and their implementations for issues like unsafe tool usage, missing input validation, and privilege escalation risks.

Usage

    # Scan current directory as a skill package
    inkog skill-scan .

    # Scan a local MCP server directory
    inkog skill-scan ./my-mcp-server

    # Scan a skill from a repository URL
    inkog skill-scan --repo https://github.com/org/repo

    # Deep scan (auto-detects git remote from local directory)
    inkog skill-scan --deep .

    # Deep scan from repository URL
    inkog skill-scan --deep --repo https://github.com/org/repo

Options

Option               Description
--repo <url>         Repository URL to scan (GitHub, GitLab, Bitbucket)
--deep               Run advanced orchestrator-based analysis (requires Inkog Deep role)
--output <format>    Output format: text, json, html, sarif
--policy <preset>    Security policy preset: low-noise, balanced, comprehensive, governance, eu-ai-act

When --deep is used without --repo, the CLI auto-detects the git remote URL from the target directory. This means you can run inkog skill-scan --deep . and the CLI will find the remote automatically.

Deep Scan Flow

When running with --deep, the skill scan uses a different API flow:

  1. The CLI uploads the skill package to the server
  2. The server triggers POST /v1/scan/skills/{scanID}/ai for orchestrator-based analysis
  3. The CLI polls GET /v1/scan/skills/{scanID} until analysis completes
  4. Results include the same enriched output as a Deep Scan — agent profile, compliance coverage, and extended findings

Examples

Scan a Local Skill Package

    # Scan with default settings
    inkog skill-scan ./my-skill

    # Scan with JSON output for CI/CD
    inkog skill-scan --output json ./my-skill > skill-results.json

    # Scan with HTML report
    inkog skill-scan --output html ./my-skill > skill-report.html
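A CI gate over the report that `--output sarif` produces, as an added example (not Inkog's own code). It relies only on standard SARIF 2.1.0 result fields, not on any Inkog-specific schema; the sample report, tool name, rule IDs and paths are constructed placeholders.

```python
import json
import sys
LEVELS = ["none", "note", "warning", "error"]  # SARIF 2.1.0, least to most severe

# Constructed sample report: tool name, rule IDs, paths and messages are placeholders.
SAMPLE = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-scanner", "rules": [
        {"id": "EXAMPLE-001", "defaultConfiguration": {"level": "error"}},
        {"id": "EXAMPLE-002"}]}},
    "results": [
        {"ruleId": "EXAMPLE-001", "ruleIndex": 0, "message": {"text": "finding A"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "SKILL.md"}}}]},
        {"ruleId": "EXAMPLE-002", "ruleIndex": 1, "message": {"text": "finding B"}},
        {"ruleId": "EXAMPLE-002", "ruleIndex": 1, "kind": "pass",
         "message": {"text": "passing check"}}]}]}

def effective_level(result, rules):
    """Resolve a level: the result's own, then the rule default, then 'warning'."""
    if result.get("kind", "fail") != "fail":
        return "none"  # only kind "fail" carries a severity
    if "level" in result:
        return result["level"]
    idx = result.get("ruleIndex", -1)
    if 0 <= idx < len(rules):  # fall back to the rule's declared default
        return rules[idx].get("defaultConfiguration", {}).get("level", "warning")
    return "warning"  # SARIF default when neither result nor rule sets one

def gate(report, fail_on="error"):
    """Return (exit_code, findings) for results at or above fail_on."""
    threshold = LEVELS.index(fail_on)
    findings = []
    for run in report.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        for res in run.get("results", []):
            level = effective_level(res, rules)
            if level in LEVELS and LEVELS.index(level) >= threshold:
                loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
                uri = loc.get("artifactLocation", {}).get("uri", "<no location>")
                findings.append((level, res.get("ruleId", "<no rule>"), uri))
    return (1 if findings else 0), findings

if __name__ == "__main__":
    # With no argument, the gate runs on the constructed sample above.
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    code, hits = gate(report)
    for level, rule, uri in hits:
        print(f"{level}: {rule} in {uri}")
    sys.exit(code)
```

In a pipeline, redirect the `--output sarif` scan to a file and pass that file as the script's argument; a non-zero exit fails the job.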

Scan from a Repository

    # Scan directly from GitHub
    inkog skill-scan --repo https://github.com/org/my-agent-skill

    # Deep scan a remote repository
    inkog skill-scan --deep --repo https://github.com/org/my-agent-skill