(no title)

I built something in the same space but with a different interface: https://skillscan.chitacloud.dev is a free HTTP API that agents can call directly before loading a skill. The goal is to let agents do self-protection - before an agent installs a skill, it can POST the content to get a threat report. No CLI, no binary to install.

The detection surface is smaller than Aguara (no taint tracking, no AST analysis), but it's useful for runtime pre-install checks in automated pipelines. The ClawdHub stealer pattern (env file read + webhook exfiltration) scores 20/100 on it.

Looking at your 7.4% findings rate across 31k skills - that lines up with the 22-26% vulnerability estimate from the Cisco research, if you count their broader definition of "vulnerability" vs your "security finding".