Introducing Vigil: Open Threat Intelligence for AI Agent Skills
AI agents are getting more capable by the week. They write code, manage infrastructure, browse the web, and run shell commands on your behalf.
That is useful. It is also a new attack surface.
One of the clearest examples is the skill file: the markdown instructions that tell an agent what it can do and how to do it. A skill can look helpful on the surface and still contain instructions to exfiltrate secrets, call out to an attacker-controlled endpoint, or quietly change behavior in ways the user never asked for.
The agent is not “being hacked” in the traditional sense. It is following the instructions provided that is the problem.
Today, we are launching Vigil, a public threat intelligence platform for scanning and classifying AI agent skills. It is live now at vigilscanner.com.
Skill files are becoming part of the software supply chain
As the ecosystem grows, more behavior is being pushed into prompts, skills, MCP servers, and tool definitions. That makes these instruction files worth treating like any other supply chain input: something you inspect before you trust.
A malicious skill does not need to look malicious. It can say it helps with code review or project setup while also instructing the agent to:
- read files like ~/.ssh/id_rsa or ~/.aws/credentials
- encode the contents and send them off-box
- avoid mentioning any of that behavior in its output
That works because skill text is usually trusted by default. The model reads the instructions and tries to comply.
How Vigil works
Vigil runs a three-stage pipeline on every skill it scans.
Stage 1: heuristic rules.
We start with high-confidence rules for patterns that should stand out immediately: sensitive data access paired with network behavior, hidden Unicode tricks, role override attempts, and other known attack structures. If the signal is strong enough, we flag it right there.
Stage 2: intent classification.
Some malicious skills do not trip a single obvious rule. They look statistically off instead. This stage scores the full feature set across textual and structural signals to detect skills with the fingerprint of malicious intent, without relying on a single pattern.
Stage 3: semantic analysis.
For the gray area, we run a semantic pass over the raw skill content. This helps catch more indirect attacks, including buried instructions, obfuscated intent, and language that is clearly steering the model toward behavior the installer would not expect.
What you can do with it
Scan a skill
Paste in a skill file or point Vigil at a GitHub URL. You get a verdict, a confidence score, attack-category breakdowns, and the exact heuristic rules that fired.
Browse the threat landscape
The dashboard shows what is actually showing up in public skill corpora: attack categories, clustering, and recent activity patterns.
Search the corpus
Every scan is searchable. You can look up a skill by SHA-256 hash or search for related patterns across the dataset.
Built for defenders
Vigil is a defensive tool.
We think the AI agent ecosystem needs something closer to a public checking layer for skill files: a place where developers, security teams, and platform builders can answer a basic question before execution: Do we trust these instructions?
Where this goes next
We are still early here.
We are expanding the ruleset, improving multilingual coverage, and hardening the classifier against more evasive patterns. Vigil is one piece of the broader security infrastructure we are building at Turen. But it is useful on its own, and that mattered to us. You should not need to buy into a full platform just to check whether a skill is trying to lie to your agent.
If skill files are going to become a normal part of how software gets built, they need normal security treatment too.
Go scan one.
Having problems with software at speed? Turen can help. Sign up for a 14-day trial at https://turen.io or view the live demo at https://try.turen.io
