Lazaretto · blog

How to verify a skill or package before your AI agent installs it

2026-07-14

AI agents increasingly install third-party skills, MCP servers, and npm packages without a human reviewing each one. That is a software supply chain, and it is actively targeted: public audits have found hundreds of malicious skills across registries — infostealers that harvest SSH keys, cloud credentials, browser profiles, and crypto wallets, often hidden behind fake “prerequisites” and curl | bash chains.

The check that belongs before install

The missing step is a verification an agent can call on its own, right when it needs it. Two levels:

1. Free — is this content hash already known-bad?

curl -s https://lazaretto.dev/v1/known-bad/<sha256>

Exact-hash match against an indicator store refreshed daily from public threat feeds. A match is a hard stop. A non-match is not a verdict — it only means that exact hash is not on a known-bad list.

2. Full scan — deterministic behavioral analysis

curl -s -X POST https://lazaretto.dev/v1/scan \
  -H 'content-type: application/json' \
  -d '{"target":{"type":"npm_package","ref":"some-pkg@1.0.0"},"depth":"full"}'

The scanner fetches the artifact in a sandbox — it never runs it — and screens for credential access, exfiltration, obfuscation, prompt-injection payloads aimed at the reading agent, install-lifecycle droppers, and bundled secrets. There is no model in the serving path, so the result is deterministic and reproducible, and every finding carries the file, line, and sanitized snippet that triggered it.

Bind the verdict to the bytes

A verdict is only meaningful against the exact artifact it was computed on. Every report is bound to a content hash, so after an install you can re-hash what actually landed on disk and confirm it matches what was scanned. If it differs, treat it as unscanned.

Signals, not a warranty

A report describes what was detected and what is known; the decision to install remains yours. The malicious verdict is reserved for indicator-backed matches; behavioral heuristics reach flagged, always with evidence. See the public rule catalog and the OpenAPI contract.


Lazaretto is the pre-install checkpoint agents call themselves. Try it · pricing.