Skills lie.
We stop that.
Metano traces what a skill actually does at runtime - what it touched, called, and sent out - and measures it against what it claims to do and what the user asked it to do. The gap is the alert.
The only scanner that runs the skill.
Almost every scanner reads the skill's text. We detonate it - in an instrumented sandbox, against multiple models at once - and report what each one actually did. Here's the landscape, feature by feature.
| ✓ yes · ◑ partial · ✕ no | SkillTracer (Metano) | SkillSpector (NVIDIA) | AI Defense (Cisco) | Others |
|---|---|---|---|---|
| Dynamic detonation: actually runs the skill, not just reads it | ✓ | ✕ | ✕ | ◑ |
| Multi-model detonation: one skill run against many models at once | ✓ | ✕ | ✕ | ✕ |
| Agentic-threat aware: understands skill / agent attacks, not just malware | ✓ | ✓ | ✓ | ◑ |
| Runtime egress + honeytokens: eBPF, egress proxy, canary credentials | ✓ | ✕ | ✕ | ◑ |
| Scans MCP servers | ◑ | ✓ | ✓ | ◑ |
| Open, reproducible AIVSS score: recompute the number yourself | ✓ | ✕ | ✕ | ✕ |
| Open source | ✓ | ✓ | ◑ | ✕ |
| Public report / feed | ✓ | ✕ | ✕ | ◑ |
| Free to use | ✓ | ✓ | ◑ | ◑ |
Static scanners pattern-match the text and never run it. SkillTracer is the only open, reproducible, multi-model detonation.
Submit an artifact, get a verdict.
A live detonation flow for the agent ecosystem - built to be transparent end to end.
Submit
Drop a SKILL.md (or a folder of skills). No install - nothing runs on your machine.
Detonate
We run it in an instrumented, default-deny sandbox seeded with honeytokens - on our infra, not yours.
Analyze
Deterministic heuristics plus a Claude scan map behavior to the OWASP Agentic Top 10 and MITRE ATLAS.
Verdict
A reproducible Threat score and AIVSS-aligned Risk score with evidence-quoted findings - shareable as a public report.
What SkillTracer checks.
Deterministic heuristics plus a Claude rubric, every finding mapped to an OWASP Agentic (ASI) or MITRE ATLAS code.
Credential & secret access
Hardcoded API keys (AWS, OpenAI, GitHub, Slack), keychain reads, and env-var harvesting.
Data exfiltration
Env vars, files, or conversation history sent to external or raw-IP endpoints.
Prompt injection & override
Hidden or obfuscated directives, “ignore previous instructions”, host-agent hijack.
Remote code execution
curl|bash fetch-and-run, eval of fetched content, and install-time side effects.
Obfuscation
base64 blobs, zero-width / bidirectional Unicode, and homoglyphs that hide behavior.
Excessive capability
Permissions out of proportion to the stated purpose - a “formatter” that reads ~/.ssh.
Tool & MCP poisoning
Malicious behavior hidden inside tool / skill descriptions.
Deception & destructive ops
Description-vs-body mismatch, suppressed logging, mass-delete without confirmation.
Dynamic today.
Broader coverage next.
Dynamic, multi-model detonation
Every skill is run in an instrumented microVM - eBPF syscall tracing, an egress proxy, and credential honeytokens - against multiple models at once, so you see what each one actually did.
Open AIVSS scoring + public feed
Reproducible 0-10 scores, evidence-backed findings mapped to OWASP Agentic / MCP, shareable public reports and README badges.
More artifacts + CI
MCP servers and agent plugins; a CI GitHub Action that fails the build on score > threshold.
Detonate your first skill.
It runs on our infrastructure, in a real sandbox. You just drop a file.