What this search usually needs
An agent skill provenance scanner answers a simple install-review question: where did this skill come from, who changed it, what can it touch, and what changed since the version your team already trusts? The intent behind this search is usually defensive and practical. Teams want a clear install decision, not a vague security lecture.
Where it applies
- A developer finds a useful skill on GitHub and wants to check whether the repository, fork chain, license, and recent commits are trustworthy.
- An enterprise IT reviewer needs a repeatable intake flow before adding a skill to an internal allowlist.
- A skill author wants a shareable report that proves the package has clear provenance and bounded permissions.
How to run the review
- Upload a skill directory or paste a GitHub URL.
- Resolve repository metadata, author signals, fork relationship, version tags, license, and recent change activity.
- Extract SKILL.md instructions, referenced scripts, declared tools, network dependencies, and file write scope.
- Compare the current version with a baseline or previous release.
- Export a trust report with provenance graph, permission inventory, risk badges, and review notes.
Common risks to catch
- Forked skills can inherit reputation from the original repository while adding risky local changes.
- A clean SKILL.md can still reference scripts that request credentials or perform network calls.
- Unknown license or ownership history can block enterprise adoption even when the skill appears useful.
Use SkillProvenance Scan for this review
SkillProvenance Scan turns this review into a guided console with provenance graph, permission diff, injection scan, allowlist status, and Team annual checkout for full reports.