Mondoo Launches Worlds First Free AI Skills Security Checker To Address Emerging Supply Chain Risks In Agentic AI

The first-of-its-kind agent-agnostic security checker helps organizations identify hidden risks in AI agent skills across registries before deployment

SAN FRANCISCO, April 21, 2026 (GLOBE NEWSWIRE) -- Mondoo, the pioneer in agentic vulnerability management services, today announced the launch of Mondoo AI Skills Check, a free, agent-agnostic security checker designed to address the growing supply chain risk posed by AI agent skills. With the free service, available without a subscription, users can search for AI agent skills by name, registry, or package URL (PURL) to gain clear visibility into what they do, how they behave, and the security risks they pose before installation.

As organizations rapidly adopt agentic AI, the use of third-party skills introduces a new and largely ungoverned security risk. Just this year, researchers identified 1,184 malicious skills on ClawHub, the largest public registry for AI agent skills, many of which were publicly available for download prior to detection. These skills are installed into agents and can then execute actions on behalf of users, often with access to credentials and sensitive systems. This creates a new software supply chain layer that spans multiple agents and registries but remains largely invisible to existing security tools.

Designed to be agent-agnostic, AI Skills Check works across commonly used AI development environments, including Claude Code, Cursor, Windsurf, custom Anthropic SDK agents, and MCP servers. It also supports major skill registries such as ClawHub and Skills.sh, with additional integrations underway. Unlike registry-based scanning tools that operate within a single marketplace, AI Skills Check provides an independent layer of analysis across any skill source. It delivers a side-by-side comparison of what a skill claims to do versus what it actually does, using deep code and behavioral analysis to surface hidden risks. Mondoo is making AI Skills Check freely available, with no subscription required, to help organizations establish a baseline level of visibility and security as agentic AI adoption accelerates.

“Teams are installing AI agent skills with very little visibility into how they actually behave or what they have access to. These skills can act on behalf of users, which raises the stakes significantly,” said Patrick Münch, Chief Security Officer and Co-Founder at Mondoo. “We built AI Skills Check to close that gap, so organizations can see real risks before a skill even gets access to your systems, and for free.”

Mondoo AI Skills Check scans AI agent skills across four security layers, each designed to catch different categories of risk:

• Pattern Match, which identifies known malicious signatures and behaviors such as credential harvesting and data exfiltration;
• ML Classifier, which uses trained machine learning models to detect novel threats that don't match known patterns;
• Semantic Analysis, which evaluates descriptions and instructions to identify misleading claims or inconsistencies;
• Deep Inspection, which examines permissions, external interactions, and actual behavior to determine if a skill aligns with its stated purpose.
  

The result is a scored assessment with detailed findings, each tagged by severity and category. The findings map to MITRE ATLAS and align with the OWASP LLM Top 10, giving security teams a clear, industry-standard view of AI risk, grounded in the frameworks auditors, regulators, and practitioners already rely on.

In addition, Mondoo AI Skills Check’s real-time leaderboards show the Most Popular skills ranked by stars, and the Most Risky list, detailing which widely used skills carry the highest risk scores. It's a fast way to audit what users are likely already using, regardless of which AI agent they run.

This new service expands Mondoo’s ability to deliver vulnerability management capabilities and services to organizations that wish to prioritize remediation with confidence, streamline compliance conversations, and demonstrate a rigorous, defensible security posture for their digital infrastructure, from development through production.

For more information, visit https://mondoo.com/ or find Mondoo at Google Cloud Next 2026, Booth 2411, in Las Vegas.

About Mondoo

Mondoo’s Agentic Managed Vulnerability Service, a combination of local expert security professionals and a proven AI-native platform, delivers the outcomes security professionals need, helping them transition out of the endless cycle of scanning and reporting and into actual remediation. Trusted by more than 300 customers worldwide, including Fortune 50 companies, Mondoo prioritizes risks by business impact and exploitability, collects structured, context-aware data from the entire IT infrastructure, and provides actionable remediation guidance, including automation code and ready-to-approve pull requests, that eliminates vulnerabilities rather than just categorizing them.

Mondoo's customers have reduced vulnerabilities by 60%, achieved mean-time-to-remediation under 16 days, and accelerated remediation 10x faster than manual approaches. With seamless ITSM integrations, transparent security pipelines, and guaranteed outcomes, Mondoo bridges the gap between security and engineering to fix what matters most to the business.

Media Contact

Elle Mullen

Marketbridge for Mondoo

Mondoo@marketbridge.com

A photo accompanying this announcement is available at https://www.globenewswire.com/NewsRoom/AttachmentNg/bb46f54f-5d91-4c91-90f8-07f091172632