Vercel launches automated security audits for skills.sh marketplace
Vercel · feature, security, platform · vercel.com

Automated Security Audits for skills.sh

Vercel has launched automated security audits for the skills.sh marketplace to help developers safely discover and use AI skills. The initiative, developed in partnership with security firms Gen, Socket, and Snyk, provides independent security assessments across more than 60,000 skills, with coverage continuing to expand.

Key Features

The security audit system includes three core capabilities:

  • Transparent Results: Security audit reports appear publicly on each skill's detail page, giving developers complete visibility into potential risks
  • Leaderboard Protection: Skills flagged as malicious are automatically hidden from search results and leaderboards, with warning notifications shown when accessing flagged skills directly
  • Pre-Installation Validation: Starting with skills@1.4.0, the CLI clearly displays audit results and risk levels before developers install any skill

What Developers Need to Know

The automated audits run continuously across the growing skills.sh ecosystem, leveraging expertise from three independent security partners to scale assessments. Developers can now install skills with greater confidence, knowing that malicious or risky packages are both flagged and hidden from discovery by default. Existing skills users should update to skills@1.4.0 or later to see security risk information during installation.