security· Part of Qualixar

SkillFortify

Formal Verification for Every Agent Framework

22 frameworks. One command. SkillFortify auto-discovers every AI tool on your system and formally verifies that agent skills cannot exceed their declared capabilities — with mathematical soundness guarantees and zero false positives.

The Problem

The Supply Chain Is Under Attack

ClawHavoc planted 1,200 malicious skills into the largest AI agent marketplace. CVE-2026-25253 was the first RCE in agent software. The industry responded with heuristic scanners — pattern matching, YARA rules, LLM-as-judge. They all share the same limitation: one popular scanner states in its docs, "No findings does not mean no risk." SkillFortify eliminates that caveat with formal verification backed by five mathematical theorems.

6,000+

malicious agent tools catalogued across registries

How It Works

Key Capabilities

22 Framework Support + Auto-Discovery

Scans Claude Code, Cursor, VS Code, Windsurf, Gemini, n8n, and 16 more frameworks automatically. Discovers AI tools you didn’t even know were installed across 23+ IDE profiles.

Formal Verification, Not Heuristics

Five mathematical theorems guarantee soundness. If SkillFortify says a skill is safe, it provably cannot exceed its declared capabilities. Zero false positives across 540-skill benchmarks.

9-Command Security Toolkit

Scan, Verify, Lock, Trust, SBOM, Frameworks, Dashboard, Registry-Scan, and batch verification. Complete supply chain security from a single CLI tool.

HTML Security Dashboard

Generate a standalone interactive report with risk distribution, capabilities matrix, and per-skill drill-down. Share one HTML file with your security team — no install required.

Enterprise Compliance Ready

CycloneDX 1.6 ASBOM output, lockfile semantics for reproducible configurations, graduated trust levels (L0–L3), and registry scanning for MCP, PyPI, and npm marketplaces.

Evidence

1,818

Tests Passing

Frameworks Supported

96.95%

F1 Score

False Positive Rate

540

Skills Benchmarked

~2.5ms

Per-Skill Verification

Read the Paper →View on Zenodo →

Get Started

$ pip install skillfortify && skillfortify scan

Website Read the Paper GitHub PyPI

From the Qualixar Suite

SuperLocalMemory

Information-Geometric Memory for AI Agents

Local-first AI agent memory with mathematical foundations. 74.8% on LoCoMo without cloud dependency — highest local-first score reported. Fisher-Rao retrieval, sheaf cohomology, Langevin lifecycle. EU AI Act compliant.

AgentAssert

Design-by-Contract for AI Agents

Formal specification and runtime enforcement of behavioral contracts for autonomous AI agents. Prevents drift, ensures compliance, enables composition.

AgentAssay

Regression Testing for Non-Deterministic AI Agents

Token-efficient stochastic behavioral testing framework purpose-built for non-deterministic AI agent workflows.