Managed vulnerability management service startup Mondoo Inc. today announced the launch of Mondoo AI Skills Check, a free security checker designed to address the growing supply chain risk posed by AI agent skills.

The new free service, available without subscription, allows users to search for AI agent skills by name, registry or package URL to gain clear visibility into what they do, how they behave and the security risks they pose before installation.

As organizations rapidly adopt agentic AI, the use of third-party skills introduces new and largely ungoverned security risks. This year has seen a rise in malicious skills that have ended up being installed into agents, often with access to credentials and sensitive systems, creating a new software supply chain layer that spans multiple agents and registries but remains largely invisible to existing security tools.

AI Skills Check works across commonly used AI development environments, including Claude Code, Cursor, Windsurf, custom Anthropic SDK agents and Model Context Protocol servers and also supports skill registries such as ClawHub and Skills.sh.

Designed to be agent-agnostic, the new offering provides an independent layer of analysis across any skill source, unlike registry-based scanning tools that operate within a single marketplace. It delivers a side-by-side comparison of what a skill claims to do versus what it actually does, using deep code and behavioral analysis to surface hidden risks. Mondoo is making the offering freely available to help organizations establish a baseline level of visibility and security as agentic AI adoption accelerates.

The offering scans AI agent skills across four security layers, each designed to catch different categories of risk.

The first layer, Pattern Match, identifies known malicious signatures and behaviors such as credential harvesting and data exfiltration. The second layer, ML Classifier, uses trained machine learning models to detect novel threats that don’t match known patterns.

Semantic Analysis, the third layer, evaluates descriptions and instructions to identify misleading claims or inconsistencies. The final layer, Deep Inspection, examines permissions, external interactions and actual behavior to determine if a skill aligns with its stated purpose. The result is a Common Vulnerability Scoring System-scored assessment with detailed findings, each tagged by severity and category.

“Teams are installing AI agent skills with very little visibility into how they actually behave or what they have access to,” said Patrick Münch, co-founder and chief security officer at Mondoo. “.hese skills can act on behalf of users, which raises the stakes significantly. We built AI Skills Check to close that gap, so organizations can see real risks before a skill even gets access to your systems and for free.”

The new service also offers real-time leaderboards that show the most popular skills ranked by stars and the “Most Risky List” that details widely used skills that carry the highest risk scores. It will be shown at the Google Cloud Next 2026 conference in Las Vegas this week.

Mondoo has raised $32.5 million, including a round of $17.5 million in September. Investors in the company include HV Capital GmbH, T.Capital GmbH, Atomico Investment Holdings Ltd., Firstminute Capital LLP and System.One Management Ltd.

Image: Mondoo