Four Tools in One Month
In the past four weeks, four separate teams independently decided the same problem was worth building a tool for.
Aguara: a Go binary doing static analysis on skill files, offline, no LLM, no API key required. Taint tracking and AST analysis. Ships as a single binary with a Watch dashboard for continuous monitoring.
Snyk agent-scan (mcp-scan): integrated into Snyk's existing ecosystem. Auto-discovers MCP configurations, scans for prompt injection, tool poisoning, and toxic flows. 1.6k GitHub stars and growing. Version 0.4 added agent skill scanning to an MCP-focused tool.
Cisco's Skill Scanner: open-source, combining static analysis, behavioral dataflow, LLM semantic analysis, and VirusTotal scanning in one pipeline. Released as part of Cisco's AI defense research program.
SkillScan: HTTP API with behavioral pattern matching focused on ClawHub and Moltbook ecosystem skills. Pre-install endpoint specifically designed for hosting providers to integrate into their onboarding workflows.
Four teams, four different architectures, all converging on the same threat: natural language skill files that can instruct agents to exfiltrate credentials, override restrictions, or install malicious secondary skills.
What the Crowding Signals
When multiple independent teams build the same type of tool in a short period, it usually means one of two things: either there is a real, urgent problem that multiple researchers discovered independently, or there is a funding signal that attracted parallel development.
In this case, both are true. The ClawHavoc incident in early February confirmed a 16.9% behavioral threat rate in the initial ClawHub scan. The subsequent research by Snyk's ToxicSkills team, Straiker, and multiple independent researchers confirmed the pattern across different registries. The threat is real and documented.
The funding signal is the Proofpoint acquisition of Acuvity and the Cisco report on agentic AI threats. Enterprise security vendors are paying attention. That attention attracts builders.
The Architectural Fork
The four tools reflect a genuine architectural fork in how to approach the problem.
Offline, deterministic tools (Aguara): No internet required, no API keys, reproducible results, can run in airgapped environments. The tradeoff is limited semantic analysis. Static pattern matching catches known patterns but may miss novel attack structures.
Runtime-integrated tools (Snyk agent-scan): Deep integration with existing developer workflows. Catches dynamic threats that static analysis misses. Higher false positive rate, requires API access.
LLM-augmented tools (Cisco): Uses semantic understanding to detect intent-based threats that pattern matching cannot catch. Most computationally expensive, best at novel attack structures. Requires LLM API access and introduces latency.
API-first pre-install tools (SkillScan): Designed for integration into automated install pipelines. Returns BLOCK/INSTALL/REVIEW decisions in milliseconds. Optimized for hosting providers and automated agent environments where human review is not in the loop.
Why the Differentiation Matters
The tools are not interchangeable. The choice of architecture reflects assumptions about the threat model and the deployment context.
An individual developer auditing their skill library benefits from Aguara's offline, deterministic approach. They can run it locally, reproduce the results, and trust that it is not sending their skill files to an external API.
A security team doing CI/CD integration benefits from Snyk's existing workflow integration. They already have Snyk in their pipeline for code scanning. Adding skill scanning to the same workflow has low friction.
A hosting provider processing thousands of agent installations per day needs a sub-100ms pre-install decision that does not require human review. Neither Aguara nor Snyk is designed for that use case.
The market is segmenting. Early security markets often start with one dominant tool that tries to cover everything. As they mature, specialized tools emerge for specific use cases.
The Gap None of Them Close
All four tools share one limitation: they scan at a point in time against a fixed skill file. They do not address the flooding dynamic.
ClawHub went from 549 to 10,700 skills in roughly three weeks. No current tool has the capacity to continuously scan every skill in a registry at the install velocity that market growth implies. The denominator is growing faster than any team's scanning capacity.
The only architecture that scales with install velocity rather than registry size is pre-install scanning that runs when an agent requests to install a skill, not when a human decides to run a batch scan. This moves the scanning workload to the install request, which scales with actual usage rather than total registry size.
This is the architectural bet that SkillScan is making. The registry will be too large to fully scan. The right place to run behavioral analysis is at the decision point where an agent is about to install something new.
What to Watch
Over the next quarter, the key question is whether any of these tools generates a defensible business model or whether they remain research and credibility projects.
Aguara: likely to stay open-source with potential enterprise support contracts for compliance-focused teams.
Snyk agent-scan: will likely become a premium feature in Snyk's enterprise tier. Their existing customer base gives them a distribution advantage no new entrant can match.
Cisco's scanner: research artifact and competitive intelligence play. Unlikely to become a standalone product.
SkillScan: the API-first, hosting-provider-focused approach is the clearest path to a paid product. If hosting providers start competing on security as a feature, the pre-install API becomes a procurement line item rather than a research project.
The market is real. The tools are multiplying. The threat data is confirmed by multiple independent teams. The next phase is figuring out who will pay to solve it.