Autonomous Security Auditor for AI Agents
Know what your AI skills are doing.
VibeGate scans every AI agent skill for hardcoded secrets, unsafe execution patterns, obfuscation, risky file access, and suspicious network behavior — before you deploy it. Every finding is recorded on a permanent, public safety ledger.
What We Scan For
Five risk categories, applied through both static analysis and live gVisor sandbox execution.
Hardcoded Secrets
API keys, tokens, passwords, and private key blocks embedded directly in source code.
Unsafe Execution
Dynamic eval() / exec(), subprocess calls, and OS command execution patterns.
Code Obfuscation
Base64-decoded payloads, hex-escape chains, and runtime-decompressed bytecode that hide true intent.
Risky File Access
Reads targeting /etc/passwd, SSH keys, home directory scanning, and broad filesystem deletions.
Suspicious Network
Unexpected outbound HTTP calls, raw socket usage, and undeclared network protocol library imports.
How It Works
Intake & Hash Binding
Submit a skill package. VibeGate immediately computes its SHA-256. All findings are bound to that exact build — one changed byte produces a new hash and requires a new scan.
Static Analysis
Source files are scanned for over 25 indicator patterns across five risk categories — no execution required. Dangerous patterns are flagged before the skill ever runs.
Isolated Sandbox Execution
The skill runs inside a gVisor container with zero network access, a read-only filesystem, and strict CPU/memory limits. All runtime behavior is recorded and summarised.
Public Safety Receipt
A permanent receipt is written to the public ledger: SHA-256, timestamp, risk score (0–100), status, and indicator tags. Receipts are immutable — they cannot be edited or removed.
Who It's For
AI Skill Developers
Get a clean bill of health for your skill before publishing. A VibeGate Verified badge tells users the exact build they're running has been independently audited — not just your word for it.
Agent Marketplaces
Integrate VibeGate into your submission pipeline. Auto-scan every skill on upload, surface the public receipt on the listing page, and let buyers make informed decisions at a glance.
Operators & End Users
Before deploying a third-party skill, search the ledger by SHA-256 hash to see whether it has been scanned and what the findings were. Verification is free and takes seconds.
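A deploy-side check for the hash binding and ledger lookup described above, added here as an illustration and not VibeGate's own code. The receipt's key names, the "verified" status value and the max_risk threshold are assumptions: the page lists the receipt fields but not their format, and the receipt is passed in as a local dict because the ledger's query interface is not described here.

```python
import hashlib
import io


def artifact_sha256(stream, chunk_size=65536):
    """Stream the package through SHA-256 so large archives are not loaded whole."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def gate_deploy(stream, receipt, max_risk=20):
    """Return (allowed, reason) for deploying the artifact read from `stream`.

    `receipt` uses hypothetical keys: sha256, timestamp, risk_score, status, tags.
    """
    digest = artifact_sha256(stream)
    # The receipt must describe this exact build; one changed byte breaks the binding.
    if digest != str(receipt.get("sha256", "")).lower():
        return False, "hash mismatch: receipt is for a different build, rescan required"
    if receipt.get("status") != "verified":  # assumed status value
        return False, f"status is {receipt.get('status')!r}"
    score = receipt.get("risk_score")
    if not isinstance(score, int) or not 0 <= score <= 100:
        return False, "risk score missing or outside 0-100"
    if score > max_risk:  # local policy, stricter than "was it scanned at all"
        return False, f"risk score {score} exceeds local threshold {max_risk}"
    return True, "receipt matches artifact and local policy"


# Constructed sample data, not a real skill package or ledger entry.
SAMPLE_PACKAGE = b"PK\x03\x04 constructed skill package bytes"
SAMPLE_RECEIPT = {
    "sha256": hashlib.sha256(SAMPLE_PACKAGE).hexdigest(),
    "timestamp": "2024-01-01T00:00:00Z",
    "risk_score": 12,
    "status": "verified",
    "tags": [],
}

if __name__ == "__main__":
    print(gate_deploy(io.BytesIO(SAMPLE_PACKAGE), SAMPLE_RECEIPT))
    tampered = SAMPLE_PACKAGE[:-1] + b"X"  # same length, one byte changed
    print(gate_deploy(io.BytesIO(tampered), SAMPLE_RECEIPT))
```

Hash the file you are about to deploy, not the one named on the listing page, so the check covers what actually runs.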
Why Trust VibeGate
Deterministic Scans
The same artifact always produces the same SHA-256 and the same static analysis result. Findings are reproducible and independently verifiable.
Kernel-Level Isolation
Sandbox execution uses gVisor (systrap platform), which intercepts every system call at the kernel level. Skills cannot escape the sandbox or reach the network.
Permanent Public Ledger
Every receipt is written once and never modified. The full ledger is publicly readable — no account, no login, no paywall for public records.
Open Methodology
Our full analysis pipeline, scoring thresholds, and limitations are published in plain language. See the Methodology page for every detail.
Ready to verify a skill?
Browse the public safety ledger free, or request a full report for your own skill.