vett
Scan, sign, and verify AI agent skills before installing
Summary: Vett analyzes AI agent skills before installation by performing static analysis, exfiltration chain detection, OSV dependency checks, and Sigstore signing to ensure code safety. It detects hidden malware and unauthorized modifications in skills sourced directly from GitHub repositories.
What it does
Vett statically analyzes AI agent skills using 40+ detection rules and AST-based data flow tracking to identify exfiltration chains and vulnerabilities. It checks dependencies against the OSV database and applies Sigstore signing to verified skills, with an optional LLM review for ambiguous cases.
Who it's for
It is designed for users installing AI agent skills from GitHub who need to verify code integrity and security before execution.
Why it matters
It prevents running unverified, potentially malicious code by detecting malware and unauthorized configuration changes in AI agent skills prior to installation.