Scans skill.json manifests and source code for 25+ security patterns — eval(), undeclared network calls, over-permissioned scopes, obfuscation, credential handling, and more. Runs entirely in your browser. Nothing is sent anywhere.