Security scanner for AI agent skills. Scans for malicious patterns before you install.
curl -fsSL caterpillar.alice.io/d/i.sh | sh
Or via npm:
npm install -g @alice-io/caterpillar
Windows (PowerShell):
irm caterpillar.alice.io/d/i.ps1 | iex
Requires Node.js >= 18.
# Authenticate (opens browser)
caterpillar login
# Scan a skill file before installing
caterpillar ask ./path/to/SKILL.md
# Scan all installed skills
caterpillar scan
# Scan a directory
caterpillar scan ./my-skills/
Caterpillar supports three scan modes:
# Alice API — most thorough, requires login
caterpillar ask ./skill/ --mode alice
# OpenAI — use your own OpenAI API key
caterpillar ask ./skill/ --mode openai
# Offline — fast pattern matching, no API needed
caterpillar ask ./skill/ --mode offline
By default, the mode is auto-detected based on available credentials.
# JSON output
caterpillar scan --json
# CSV output
caterpillar scan -o csv
# Verbose output with detailed findings
caterpillar ask ./skill/ --verbose
Each skill gets a grade (A–F) and a score (0–100). Grade F exits with code 1 for CI/CD integration.
# View current config
caterpillar config get
# Set a config value
caterpillar config set <key> <value>
Use Caterpillar programmatically:
import { runPatternScan, ALL_RULES, scanSingleSkill, collectSkill } from '@alice-io/caterpillar';
// Collect a skill from a path
const skill = await collectSkill('./my-skill/');
// Run offline pattern scan
const results = runPatternScan(skill.content);
// Full scan with mode selection
const response = await scanSingleSkill(skill, { mode: 'offline' });
# Install dependencies
npm install
# Run in dev mode (no build step)
npm run dev -- scan ./example_skills/
# Build the CLI binary
npm run build
# Run the built CLI
node dist/cli.js scan ./example_skills/
# Run tests
npm test
Website · The Skills Report · Built by Alice
MIT
$ claude mcp add caterpillar \
-- python -m otcore.mcp_server <graph>