Most agent skills are dropped into a workspace and trusted on the strength of a one-paragraph SKILL.md. Novingly reads what they actually do — the shell calls, the network requests, the file writes, the secrets they reach for — and gives a short, honest report on whether the behavior matches what the skill says about itself.
Paste any public GitHub URL. We read it like a careful reviewer reads code: with the assumption that something interesting is hiding. A 0–100 trust score, line-level reasoning, and a permanent shareable report.
Static analysis flags shell-exec, network calls to non-public hosts, file writes outside declared scope, obfuscated strings, and unpinned dependencies. Then a Claude pass reads the SKILL.md against the handler code and calls out what doesn't match.
Skills get a 0–100 trust score with the reasoning shown — line-level, not vibes. Not a pass/fail. The reader decides if that one network call to api.example.com is a feature or a leak.
Skill authors who score above 85 can claim a Verified badge to embed on their listing. A small fee covers re-verification each quarter; the public scan stays free for everyone.
Eight dimensions, three best moves, five expensive leaks. Same editorial voice, applied to copy instead of code.
Submit a page →Twenty-five landing pages from real companies, scored on the same rubric. Comparable, defensible, honest.
Browse the index →We’re launching the Verified badge program this week — a public signal that your skill does exactly what it says. Drop your email and we’ll ping you when paid tiers go live.