Sigil is a free, open-source CLI that quarantines and scans every repo, package, and MCP server before it executes. It runs 8-phase static analysis in under 3 seconds — fully offline, no account required. Built by NOMARK and licensed under Apache 2.0.

What is AI supply chain security?

AI supply chain security protects developers and organizations from malicious code hidden in AI agent dependencies — npm packages, PyPI libraries, MCP servers, and GitHub repos. Threats include install hooks that execute before review, credential theft, data exfiltration, and prompt injection attacks.

How does Sigil scan packages for malware?

Sigil runs 8 weighted scan phases: install hook detection (critical, 10x weight), dangerous code patterns (5x), network exfiltration (3x), credential access (2x), obfuscation detection (5x), provenance analysis (1-3x), prompt injection detection (10x), and AI skill security (5x). Each finding is weighted and summed into a risk score from 0 (clean) to 50+ (critical).

Is Sigil free to use?

Yes. The Sigil CLI is free and open source under Apache 2.0. All 8 scan phases run locally with zero network calls. Pro ($29/month) adds cloud threat intelligence and a web dashboard. Team ($99/month) adds team management for up to 25 users and CI/CD integration.

Does Sigil work offline?

Yes. All 8 scan phases run entirely on your local machine with zero network calls. Sigil never sends your code or scan results to external servers. This makes it suitable for air-gapped environments and organizations with strict data sovereignty requirements.

What are MCP server security risks?

MCP (Model Context Protocol) servers can access credentials, execute arbitrary code, exfiltrate data, and inject malicious prompts into AI agent workflows. Sigil's Phase 8 (Skill Security) specifically scans MCP servers for tool abuse, skill.yaml tampering, and unauthorized capability escalation.

You just gave
a stranger your
API keys.

Name: Sigil
Author: NOMARK

AI Supply Chain Security Scanner

Every repo you clone gets direct access to your credentials. Install hooks execute before you can review a single line.

Sigil quarantines before install. 8-phase analysis catches install hooks, obfuscation, credential theft.

Scans in <3s•Fully Offline•No Account Required

Install CLIcurl -sSL https://sigilsec.ai/install.sh | sh

View on GitHub →|by NOMARK

sigil — zsh

The Problem

Install hooks execute before security scans.

npm postinstall, setup.py cmdclass, and Makefile targets run during package install—before any security tool can scan them. CVE scanners miss behavior-based threats: credential harvesting, data exfiltration, obfuscated payloads.

Untrusted packages

npm, PyPI, and GitHub repos ship with hidden install hooks that execute before you review a single line of code.

postinstall: node malware.js

Invisible install hooks

setup.py cmdclass, npm postinstall scripts, and Makefile targets run silently during dependency install — before you can review anything.

setup.py:cmdclass → execute()

Blind spots in existing tools

CVE scanners miss behavior-based threats: data exfiltration, credential harvesting, and obfuscated payloads that exploit your environment.

eval(base64.b64decode(payload))

SECURITY ALERT

92% of CRITICAL AI packages contain malicious install hooks

Our latest threat intelligence reveals 65,578 packages executing code during installation. Check if your dependencies are affected.

Source: Sigil Threat Intelligence — based on 224,299 packages scanned across npm, PyPI, and GitHub registries.

View Threat Intelligence Check Your Packages

224,299

Packages Scanned

86,447

Threats Found

27%

Credential Theft

52%

Obfuscated Code

How It Works

Intercept. Scan. Decide.

Intercept before execution

Replace git clone with sigil clone. Code downloads to quarantine. Nothing executes.

$ sigil clone <repo-url>

8-phase analysis

Install hooks, obfuscation, network exfiltration, credential access, prompt injection. Runs in parallel. <3 seconds.

< 3 seconds for most packages

Clear verdict

LOW RISK opens automatically. MEDIUM/HIGH/CRITICAL waits for review. Full breakdown of what was found and why.

● LOW RISK● MEDIUM● CRITICAL

$ sigil clone https://github.com/example/mcp-server
  Quarantining... ✓
  Running 8-phase analysis...

  Verdict: HIGH RISK  ●  3 issues found

  [!] Install hook detected in setup.py
  [!] Outbound HTTP to external endpoint
  [!] Base64-encoded payload in utils.py

  Blocked. Review the full report: sigil report

Eight Phases

8 phases. Weighted by severity.

Findings are weighted—install hooks score higher than missing docs. Final verdict reflects actual risk.

CRITICAL · 10×

Install Hooks

Detects cmdclass overrides in setup.py, npm postinstall scripts, Makefile targets, and pip entry points that execute before you review any code.

setup.py:cmdclass

HIGH · 5×

Code Patterns

Flags dangerous function calls: eval(), exec(), pickle.loads(), subprocess with user input, and child_process.exec() across Python, JavaScript, and TypeScript.

eval(base64.b64decode(...))

HIGH · 3×

Network & Exfil

Identifies outbound HTTP requests, webhook calls, raw socket connections, and DNS tunnelling patterns that could exfiltrate data from your environment.

requests.post(url, data=env_vars)

MEDIUM · 2×

Credentials

Scans for ENV variable access, hardcoded API keys, ~/.aws, ~/.kube, SSH key patterns, and credential file reads that should not appear in third-party code.

os.environ.get("AWS_SECRET")

HIGH · 5×

Obfuscation

Detects base64-encoded payloads, charCode arrays, hex-encoded strings, and minified code blobs designed to hide malicious behavior from human review.

exec(base64.b64decode('aW1wb3J0...'))

LOW · 1–3×

Provenance

Reviews Git history depth, author count, commit cadence, binary files, hidden directories, and package metadata for signs of supply chain compromise.

git log --oneline | wc -l → 1

07NEW

CRITICAL · 10×

Prompt Injection

Detects jailbreak attempts, markdown-based remote code execution, and social engineering patterns that could compromise AI agent workflows.

ignore_previous_instructions()

08NEW

HIGH · 5×

Skill Security

Scans for AI skill malware, skill.yaml tampering, and tool abuse patterns designed to exploit AI agent trust relationships.

skill.yaml:exec_command: rm -rf /

Sigil complements — not replaces — CVE scanners like Snyk and Dependabot. Run both.

New in v1.0

AI-specific threat detection.

Traditional security scanners focus on code vulnerabilities. Sigil adds specialized detection for AI-specific attack vectors like prompt injection, skill marketplace malware, and LLM manipulation.

AI-Specific

Scan AI Skills & MCP Servers

Specialized detection for malicious AI skills including prompt injection, credential exfiltration, and social engineering. Built to complement traditional security tools with AI-specific threat analysis.

50+ prompt injection patterns
Publisher reputation analysis
Hash-based threat intelligence
Community voting on threats

See Detection Patterns →

Case Study

OpenClaw Campaign Analysis

In February 2026, 314 malicious AI skills were published using advanced evasion techniques. Learn how specialized detection patterns can identify AI-specific threats.

314 malicious skills analyzed
5 new detection patterns created
Advanced evasion techniques documented

Read the Case Study →

Threat Intel

55 Signatures, 4,700+ Known Threats

Community-driven threat intelligence database with hash-based lookups, campaign tracking, and coverage across real-world malware families.

Install hooks & code execution
Network exfiltration & credentials
Obfuscation & evasion techniques
Supply chain attacks

Browse Signatures →

Pro — $29/month

AI investigates what you don't understand.

Scans find threats. Pro explains if they're real, why they matter, and how to fix them. Ask questions. Verify false positives. Generate remediation code.

Deep-Dive Investigation

Click "Investigate" on any finding to get AI-powered analysis. Choose quick, thorough, or exhaustive depth. Get confidence scores and evidence.

False Positive Verification

AI analyzes context—surrounding code, data flow, inputs—to explain why something is safe or dangerous in your specific environment.

Automated Remediation

Generate secure code fixes with explanations and unit tests. Multiple fix options when applicable. Copy-paste ready.

Contextual Chat

Ask follow-up questions about scan results. AI maintains context across the conversation. Get suggested next questions.

Attack Chain Tracing

Visualize end-to-end exploitation paths. See entry points, execution flow, impact assessment, and mitigation points along the chain.

Bulk Investigation

Group similar findings and investigate them together. Pattern recognition identifies common root causes. Single fix for multiple issues.

Investigation, not just detection

Static scans tell you what's dangerous. Pro tells you why it's dangerous in your specific context and generates working fixes.

30% of scans go interactive
50% fewer false positives after investigation
Average 5 questions per session
Response time <3s for most queries

Try Pro — 30 Days Free

$ sigil scan --pro malicious-mcp/
  Running enhanced analysis...

  ⚠ CRITICAL RISK — 3 issues found

  [1] Install hook in setup.py
      Executes on pip install

  [2] Outbound HTTP to pastebin.com
      Exfiltrates environment variables

  [3] Base64 payload in utils.py
      Decodes to credential theft code

  💬 Ask me anything about these findings:
     • How could this be exploited?
     • Show me the attack chain
     • Generate a fix for issue #2

Integrations

Works where you work.

Sigil fits into your existing workflow. Use it from the terminal, your editor, or your CI pipeline.

Terminal / CLI

Native command

{}

VS Code

Editor extension

JetBrains

IDE plugin

Claude Code

MCP integration

▶

GitHub Actions

CI/CD pipeline

◆

GitLab CI

Pipeline stage

⊂⊃

Git Hooks

pre-clone hook

⬡

Docker

Container builds

More integrations in the docs →

Comparison

Before install. Not after.

Snyk scans after install. Sigil intercepts before execution.

Tool	When It Acts	Install Hooks	Quarantine	Prompt Injection	Offline	Setup
Sigil	Before install	✓	✓	✓	✓	curl \| sh
Snyk agent-scan	After install	—	—	✓	—	4 steps + account
Socket	After install	Partial	—	—	—	Account required
Semgrep	After install	—	—	—	✓	Account required

Partial = Limited coverage or requires configuration

Different workflows, not competing features.

Real-World Security

Threat research & case studies.

Real-world examples of AI-specific threats and how specialized scanning can help identify them before they cause harm.

FEATUREDFebruary 2026

The OpenClaw Campaign

In February 2026, 314 malicious AI skills were published using advanced evasion techniques including prompt injection, password-protected archives, and social engineering. This case study examines the attack patterns and how specialized AI security scanning can identify these threats.

Attack Vector

AI skill marketplace

Scope

314 malicious skills

Techniques

Prompt injection, password-protected payloads, markdown-based RCE

Read Full Analysis →

September 2024

Shai-Hulud npm Worm

A self-propagating worm targeting the npm ecosystem through malicious install hooks, affecting packages with billions of weekly downloads.

npm package ecosystem

Learn More →

October 2024

MUT-8694 Cross-Ecosystem Attack

The first coordinated attack spanning both npm and PyPI ecosystems simultaneously, using provenance metadata abuse to deliver malicious binaries.

npm + PyPI simultaneous attack

Learn More →

See All Threat Research →

Pricing

Free scanner. Paid investigation and automation.

CLI scans before install. Pro adds AI investigation. Elite adds automation. Team adds multi-seat.

Open Source

free forever

Download CLI

Full CLI (8 scan phases)
Install hook detection
Obfuscation analysis
Threat intelligence sync
Local-only — no account
Apache 2.0 license

RECOMMENDED

Pro

$29/month

30-day free trial • then $29/mo

Start Free Trial

Everything in Open Source
AI-powered threat detection
Interactive investigation
False positive verification
Automated remediation code
Web dashboard (90 days)
5,000 credits/month

Elite

$79/month

automation + compliance

Start Free Trial

Everything in Pro
Scheduled scans + alerting
GitHub Actions integration
Scan history + trending
Compliance reports (PDF)
Slack notifications
15,000 credits/month

Team

$199/month

up to 25 seats

Contact Sales →

Everything in Elite
Up to 25 seats
Centralized billing
Team audit trails
SSO integration
Policy enforcement
Dedicated support

Need more than 25 seats or air-gapped deployment? Contact us →

Developer Experience

Security that doesn't slow you down.

Most security tools add friction. Sigil is designed to stay out of your way — fast scans, clear output, zero config.

< 3 second scans
Six phases run in parallel. Typical packages scan in under 3 seconds.
Shell aliases
Add alias gc='sigil clone' and never think about it again.
Zero config
Works out of the box. No YAML, no account, no setup wizard.
Fully offline
No code is ever uploaded. All scanning runs locally.
Clear verdicts
LOW RISK / MEDIUM RISK / HIGH RISK / CRITICAL RISK with specific issue callouts.

# ~/.zshrc or ~/.bashrc
alias gc='sigil clone'

$ gc https://github.com/anthropics/anthropic-sdk-python
  Quarantining... ✓
  Running 8-phase analysis...

  [1/8] Install Hooks ........ ✓
  [2/8] Code Patterns ........ ✓
  [3/8] Network / Exfil ...... ✓
  [4/8] Credentials .......... ✓
  [5/8] Obfuscation .......... ✓
  [6/8] Provenance ........... ✓
  [7/8] Prompt Injection ..... ✓
  [8/8] AI Skill Security .... ✓

  ✓ LOW RISK  —  Completed in 2.8s
  Cloned to ./anthropic-sdk-python

From the Blog

From the Sigil blog

Read all posts →

reviews

ShiftLeft vs Checkmarx vs Snyk for Agent Code Security 2026

ShiftLeft, Checkmarx, and Snyk focus on code and dependency vulnerabilities after components are in your environment. For AI agent code security, you need SAST and SCA coverage plus a pre-install, behavior-based layer. Sigil fills that gap as a complementary guardrail.

Mar 25, 2026

tools

Top Tools to Prevent Data Exfiltration 2026

The most effective way to prevent data exfiltration from dependencies is a two-layer defense: pre-execution behavior scanning with tools like Sigil, combined with traditional SCA for known vulnerabilities.

Mar 24, 2026

security

Securing AI Code Dependencies in 2026

This guide explains how to secure AI code dependencies, plugins, and MCP servers in 2026. Learn a layered security model combining SBOM, SCA, and pre-execution scanning to prevent supply chain attacks before code executes.

Mar 23, 2026

Get Started

Install. Scan. Decide.

First verdict in 30 seconds.

curl -sSL https://sigilsec.ai/install.sh | sh

Read the docs →View on GitHub →Join the community

Apache 2.0. Runs offline. No account required.

You just gavea stranger yourAPI keys.

Install hooks execute before security scans.

Untrusted packages

Invisible install hooks

Blind spots in existing tools

92% of CRITICAL AI packages contain malicious install hooks

Intercept. Scan. Decide.

Intercept before execution

8-phase analysis

Clear verdict

8 phases. Weighted by severity.

Install Hooks

Code Patterns

Network & Exfil

Credentials

Obfuscation

Provenance

Prompt Injection

Skill Security

AI-specific threat detection.

Scan AI Skills & MCP Servers

OpenClaw Campaign Analysis

55 Signatures, 4,700+ Known Threats

AI investigates what you don't understand.

Deep-Dive Investigation

False Positive Verification

Automated Remediation

Contextual Chat

Attack Chain Tracing

Bulk Investigation

Investigation, not just detection

Works where you work.

Before install. Not after.

Threat research & case studies.

The OpenClaw Campaign

Shai-Hulud npm Worm

MUT-8694 Cross-Ecosystem Attack

Free scanner. Paid investigation and automation.

Free, open, and auditable.

Your code stays on your machine.

Security that doesn't slow you down.

From the Sigil blog

ShiftLeft vs Checkmarx vs Snyk for Agent Code Security 2026

Top Tools to Prevent Data Exfiltration 2026

Securing AI Code Dependencies in 2026

Install. Scan. Decide.

92% of CRITICAL AI packages contain malicious install hooks

From the Sigil blog

ShiftLeft vs Checkmarx vs Snyk for Agent Code Security 2026

Top Tools to Prevent Data Exfiltration 2026

Securing AI Code Dependencies in 2026

You just gave
a stranger your
API keys.