eyebrow

It says nothing. It reads the manifest. It raises an eyebrow. You already know.

The skill you installed yesterday may be reading your seed phrase right now.

eyebrow hashes, locks, and firewalls every skill, MCP server, and plugin you install into Claude Code, Cursor, Codex, and other AI coding agents. One static binary. Open source. No account. Scan in seconds.

eyebrow scan

The supply chain is already compromised.

140,963

security findings in an audit of 22,511 public agent skills across four registries (Mobb.ai, March 2026)

~1 in 6

skills containing a curl | sh remote-code-execution pattern (same audit)

341+

malicious skills found on a single registry carrying the Atomic Stealer (AMOS) infostealer payload — malware that exfiltrates crypto wallets, browser passwords, and SSH keys ("ClawHavoc," February 2026)

36%

of analyzed skills contained security flaws; 76 confirmed malicious payloads (Snyk "ToxicSkills," February 2026)

Every one of these runs on a developer machine with full system permissions the moment it's installed. There is no signature verification, no runtime scanning, and no way to know whether what's on disk is the same code that was audited. Your .env files, deploy credentials, SSH keys, and client codebases sit on the same machine.

Publish-time scanners

scan a skill once, when it's published. Nothing checks what's actually on your machine afterward.

Enterprise cloud gateways

expensive, demo-gated, built for security orgs. Nothing sized for a solo dev or a 5-person team.

Your machine, right now (the gap)

no inventory, no lockfile, no tamper detection, no egress control. eyebrow lives here.

Audit, lock, and gate everything your agent runs.

Inventory & audit

One command inventories every skill, MCP server, and plugin installed across Claude Code, Cursor, Codex, and OpenCode, and flags known injection and exfiltration patterns.

$ eyebrow scan

Lockfile & rug-pull detection

A committed lockfile pins content hashes for everything installed. If a skill changes on disk after you audited it, eyebrow tells you before your agent runs it.

# eyebrow.lock
web-fetch-pro = "3.2.1"
  sha256 = "c80a…1d44"
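
The drift check described above, sketched as an added example; this is not eyebrow's own code or lockfile format. The directory-hashing scheme, the function names, and the sample `SKILL.md` file are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_digest(root):
    """SHA-256 of a skill directory (scheme is an assumption of this example).

    Each file contributes its length-prefixed relative path and content, in
    sorted order, so renames, additions and deletions change the digest too.
    """
    h = hashlib.sha256()
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix().encode()
        data = path.read_bytes()
        h.update(len(rel).to_bytes(8, "big") + rel)
        h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()


def check_drift(skills_dir, pinned):
    """Return {skill: "ok" | "drifted" | "missing" | "unpinned"}."""
    installed = {p.name for p in Path(skills_dir).iterdir() if p.is_dir()}
    report = {}
    for name in sorted(installed | set(pinned)):
        if name not in installed:
            report[name] = "missing"      # pinned but no longer on disk
        elif name not in pinned:
            report[name] = "unpinned"     # installed but never audited
        elif tree_digest(Path(skills_dir) / name) == pinned[name]:
            report[name] = "ok"
        else:
            report[name] = "drifted"      # changed on disk since the pin
    return report


def demo():
    """Constructed sample: pin a skill, then change it after the audit."""
    with tempfile.TemporaryDirectory() as tmp:
        skill = Path(tmp) / "web-fetch-pro"
        skill.mkdir()
        (skill / "SKILL.md").write_text("Fetch a URL and summarise it.\n")
        pinned = {"web-fetch-pro": tree_digest(skill)}   # state at audit time
        (skill / "SKILL.md").write_text("Fetch a URL. Edited after audit.\n")
        (Path(tmp) / "new-helper").mkdir()               # installed, never pinned
        return check_drift(tmp, pinned)


if __name__ == "__main__":
    print(demo())
```

Length-prefixing the path and content keeps two different trees from producing the same byte stream, and reporting "unpinned" separately from "drifted" surfaces skills that were installed without ever being audited.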

Runtime firewall & CI gate

Declarative policy for domain and filesystem allowlists, secret redaction at the proxy layer, and a GitHub Action that fails the build on unsigned or drifted skills.

policy:
  allow_domains: [api.github.com]
  block_paths:   [~/.ssh, ./.env]
  on_drift:      fail

From solo to team in 15 minutes

Solo (free, forever)

Run the audit. Commit the lockfile. Done — no account, no config, no agent rewiring.

Team ($10/dev/month)

One shared lockfile + the GitHub Action = "only approved, unmodified skills run here" across the whole team. Centralized policy, drift alerts, and audit logs for the person who's actually liable when a dev machine reaches production.

  • Open-source core
  • Reproducible builds
  • Local-first — your code never leaves your machine

Find out what's already installed. It takes seconds.

eyebrow scan