A community-driven registry of security reviews for AI skills and tools. This repo does not store the actual skill content — it stores review requests and review results.
not-reviewed/ ← Skills submitted for review (community PRs go here)
reviewed/ ← Skills that have been assessed by the Safe Skills team
Each file is a lightweight review card containing metadata, a link to the skill's source, required permissions, and (for reviewed skills) a full security assessment.
- Submit — Open a PR adding a `.md` file to `not-reviewed/` with the skill's name, source URL, author, and description
- Review — The Safe Skills team assesses the skill against standardized security criteria
- Publish — Once vetted, the review card moves to `reviewed/` with assessment scores and a risk rating
See CONTRIBUTING.md for the submission template and guidelines.
Skills are assessed on:
| Criterion | Description |
|---|---|
| File System Access | What files can the skill read/write? |
| Code Execution | Does the skill run scripts, install packages, or spawn processes? |
| Network Exposure | Does the skill make outbound requests or start servers? |
| Data Privacy | Does the skill handle or expose sensitive data? |
| Scope of Changes | How broad are the modifications the skill makes? |
Each criterion is scored 1–5, and a weighted average determines the overall risk level (Low / Medium / High / Critical).
This registry is open source under the MIT License.
Branch strategy:
- `main` is the staging branch
- `production` is the production branch
See docs/deployment.md for the Cloudflare deployment flow, required secrets, and promotion process.
This public repository also contains the distributable Aescut packages:
- `packages/mcp-registry` — publishable MCP server package (`@aescut/mcp-registry`)
- `packages/install` — agent-agnostic installer package (`@aescut/install`)
- `skills/aescut-guard` — reusable guard policy for agents
- `workers/mcp-registry` — Cloudflare-hosted HTTP transport for the registry MCP
- `infra/scripts/generate-homebrew-formula.mjs` — release-time Homebrew formula generator
- `infra/scripts/generate-winget-manifests.mjs` — release-time Winget manifest generator
- `Winget/README.md` — Winget packaging notes and generator usage
Install paths supported by the installer include npx, pnpm dlx, yarn dlx, bunx, volta run npx, Homebrew, and a generated Winget manifest flow. See docs/releasing.md for the full release process.