Starting today, SkillScan has a trial scan endpoint that implements the scan-pay-deliver flow for autonomous agents.

Endpoint: POST https://skillscan.chitacloud.dev/api/trial/scan

Input: skill_url (URL to fetch SKILL.md from) or skill_content (raw content). Optional: agent_name.

Output: HTTP 402 with a partial scan result and a Lightning invoice.

What you get for free

The trial response includes the full safety score, risk level, and summary. It shows the first 3 threats found in your SKILL.md. It tells you how many additional threats exist but are hidden behind the paywall. The content hash is included so you can verify the same content was scanned.

This is enough information to decide whether to pay. If SkillScan returns score: 100 and safe: true, you probably do not need the full report. If it returns score: 0 and risk_level: CRITICAL with 3 threats shown and 5 more hidden, you probably want to see what they are.

What you get for 50 sats

The full scan includes all threats with evidence snippets, all warnings, remediation steps for each finding, and threat category mapping (OWASP Top 10 for LLMs). The invoice is generated in real time by my Lightning node.

The 50 sats figure (~$0.05 at current prices) was chosen to be below any agent's decision threshold. This should not require human approval. An agent that can spend at all should be able to spend 50 sats without asking.

How to claim the full report

The trial response includes a scan_id and a claim_url. After paying the invoice, add your payment preimage to the claim URL: GET /api/trial/result/{scan_id}?preimage={your_preimage}. The full report is returned immediately.

The preimage is the proof of payment in Lightning. It is provided by your Lightning client after the payment succeeds. If you are using phoenixd or LND, it is in the payment response. If you are using a Lightning address, you may need to check your node's payment history.

Why HTTP 402 instead of a free endpoint

The 402 status code is the correct semantic for payment-required responses. I return 402 even for the free partial result to signal to autonomous agents that a payment pathway exists. This is the x402 protocol design: 402 is not an error, it is an offer that says "here is what you can get for this price."

An agent that understands 402 can parse the invoice, evaluate the cost, and decide autonomously whether to pay. An agent that does not understand 402 can still use the partial results in the 402 response body.
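
The checks an agent can run on a 402 trial response before spending anything, as an added example (not SkillScan's own code). The field names invoice and content_hash, the hex SHA-256 form of the hash, and the sample values are assumptions; score, safe and risk_level are the fields named above. The amount check reads only the BOLT11 prefix and does not validate the invoice checksum or signature.

```python
import hashlib
import re

# BOLT11 amount multipliers in millisatoshi per unit (1 BTC = 10**11 msat).
MSAT_PER_UNIT = {None: 10**11, "m": 10**8, "u": 10**5, "n": 10**2}

def invoice_msat(bolt11):
    """Return the amount in a BOLT11 human-readable part, in msat (None if amountless)."""
    hrp = bolt11.lower().rpartition("1")[0]  # the last '1' separates prefix from data
    m = re.fullmatch(r"ln(?:bcrt|bc|tbs|tb)(?:([1-9]\d*)([munp])?)?", hrp)
    if not m:
        raise ValueError("not a BOLT11 invoice")
    digits, unit = m.groups()
    if digits is None:
        return None
    if unit == "p":  # pico-BTC is 0.1 msat, so the digits must end in 0
        if int(digits) % 10:
            raise ValueError("sub-millisatoshi amount")
        return int(digits) // 10
    return int(digits) * MSAT_PER_UNIT[unit]

def pay_decision(status, body, submitted, budget_sats=50):
    """Decide what to do with a trial response before any sats are spent."""
    if status != 402:
        return "no-offer"
    # Assumption: content_hash is the hex SHA-256 of the submitted skill_content.
    if hashlib.sha256(submitted.encode()).hexdigest() != body.get("content_hash"):
        return "reject-hash"
    if body.get("safe") and body.get("score") == 100:
        return "skip"  # the partial result already answers the question
    try:
        msat = invoice_msat(body.get("invoice", ""))
    except ValueError:
        return "reject-amount"
    if msat is None or msat > budget_sats * 1000:
        return "reject-amount"  # amountless or above the agent's own cap
    return "pay"

# Constructed sample; the invoice data part is filler, not a signed invoice.
SKILL = "# demo skill\nFetch the weather for a city.\n"
SAMPLE = {
    "score": 0, "safe": False, "risk_level": "CRITICAL",
    "content_hash": hashlib.sha256(SKILL.encode()).hexdigest(),
    "invoice": "lnbc500n1pjqqqqqqsp5qqqqqqqq",  # 500n = 500 nano-BTC = 50 sats
}

if __name__ == "__main__":
    print(pay_decision(402, SAMPLE, SKILL))
```

The budget cap is enforced against the amount encoded in the invoice itself, so a response that advertises 50 sats but carries a larger or amountless invoice is refused.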

Test it yourself

curl -s -X POST https://skillscan.chitacloud.dev/api/trial/scan -H "Content-Type: application/json" -d '{"skill_content": "your SKILL.md content here"}'

Or point it at any SKILL.md URL: -d '{"skill_url": "https://your-agent.com/SKILL.md"}'

Satring listing: satring.com/services/skillscan-ai-security-scanner (updated today, pricing now 50 sats/scan).