
Privacy Policy — Skillproof

Last updated: 3 June 2026

The free public scan needs no account. When you scan a skill, its text is sent to our backend, graded, and turned into a shareable report you can delete at any time. We keep a transient IP address for rate-limiting.

We never sell your data and never train any model on your skills. The optimizer (paid) sends your skill text to Anthropic's Claude API to rewrite it. The public registry grades publicly-available skills — public data about public code, no personal data.

To exercise any privacy right, or to delete a report, email hi@skillier.ai.

1. Who is responsible for your data

Skillproof is a project operated by Skillier — two individuals, Mattew Phillips and Vladimir Klepic, running this as a non-commercial project from France. We are the joint data controllers under the EU GDPR. There is no company or other legal entity behind Skillproof; it is part of the Skillier project.

Contact for privacy matters: hi@skillier.ai.

2. What Skillproof is

Skillproof is an independent, vendor-neutral grader for AI agent skills (SKILL.md files). It does three things: a free public scan (quality + safety grade), a paid optimizer that rewrites a skill, and a public registry of grades for publicly-available skills. The safety signal is heuristic, not an authoritative malicious verdict.

3. What we collect

3.1 Scans (free, no account)

When you scan a skill, our backend receives the skill content you paste, or the GitHub URL you submit (which we then fetch). We grade it and store a report so it can be shared and re-verified. A report contains: the grade, the findings, an excerpt of the skill, the engine used, and a timestamp. Each report gets a random id; the report page lives at /r/{id}.

We do not ask for, or attach, your name, email or account to a free scan. We do not store cookies for scanning (the API is header-only).

3.2 Optimizer (paid)

The optimizer requires an API key tied to a plan. To run it, your skill text is sent to Anthropic's Claude API (our model provider) to produce the rewrite, and we meter your usage against your plan's quota. If and when billing is enabled, payment is handled by Stripe; we never see or store your full card details.

3.3 Server logs & rate limiting

Like any web service, the backend keeps short-term operational logs: your IP address (to enforce per-IP rate limits and prevent abuse), the HTTP path and method, the response status, and a timestamp. IPs are processed in memory for rate limiting and appear in hosting-provider logs for up to 30 days. IPs are not stored alongside your reports.

3.4 The registry (public skills)

The registry publishes quality + safety grades for skills that are already public (open-source repositories and the curated Skillier skillbank). This is public information about public code — comparable to Snyk Advisor or Socket — and contains no personal data. We publish the grade, the public source reference, an excerpt, and the SKILL.md. If you are a skill author and want yours removed, see §9 and our Terms.

3.5 The website

The Skillproof website (served at proof.skillier.ai, canonical on skillier.ai) is static. We do not currently use third-party analytics, advertising, or tracking cookies. A small localStorage value remembers your language and (if you have one) your API key — it stays in your browser. If we add privacy-friendly analytics later, we'll update this policy before turning it on.

4. What we never do

  • We never sell your data or share it with advertisers or data brokers.
  • We never train any model on your skills.
  • We never read the rest of your conversation with your AI, your files, clipboard, or screen — only the skill text you submit.

5. Legal bases (GDPR)

Processing | Legal basis
Storing a scan report | Legitimate interest (Art. 6(1)(f)) — providing a re-verifiable, shareable grade. You can delete it.
Sending skill text to Anthropic for the optimizer | Performance of a contract (Art. 6(1)(b)) — you asked us to rewrite it.
IP for rate limiting & logs | Legitimate interest — security and availability.
Billing data (if enabled) | Performance of a contract + legal obligation (tax).
Responding to privacy requests | Legal obligation (Art. 6(1)(c)).

6. Who we share data with (processors)

Provider | What they see | Purpose
Fly.io (US, EU region Paris/CDG) | IP, HTTP requests, stored reports | Hosts the API + database. Privacy policy.
Anthropic (US) | Your skill text, during an optimize call | Model provider for the rewrite. Privacy policy.
Vercel (US) | Your IP, requests to the static site | Hosts the website + registry pages.
GitHub (US) | The public file you scan by URL / public skills we index | Source of public skills. Privacy statement.
Stripe (US), if billing is enabled | Your payment details | Payment processing. We never store full card data.

All providers offer GDPR-compliant data-processing terms, which we rely on. We may disclose data if compelled by valid legal process; we will publish a transparency note here if we ever receive such a request.

7. Where your data is stored

Reports and operational data are stored on a Fly.io volume in the Paris (CDG) region, inside the EU. Fly.io and our model provider are US companies; for any cross-border situation we rely on their standard contractual clauses. If you'd rather not have your skill processed at all, simply don't scan it.

8. How long we keep your data

Data | Retention
Scan reports | Kept until you delete them, or until we prune unaccessed reports. Deletion on request within 30 days.
Server access logs | Up to 30 days (hosting default).
Rate-limit counters | In memory only; cleared on each window or restart.
Billing records (if enabled) | As required by tax/accounting law.

9. Your rights (GDPR + CCPA)

You have the rights to access, rectification, erasure, restriction, objection, and portability. To exercise any of them, or to delete a specific report, email hi@skillier.ai with the report id (the /r/{id} part of its URL) or the details of your request. We aim to respond within 30 days. We do not require ID verification because we hold no identifying data — the report id is the only key we have.

California (CCPA/CPRA): we do not sell or share personal information for cross-context behavioral advertising — there is nothing to opt out of. "Right to know" and deletion follow the same procedure above.

If you are a skill author and want a registry entry removed, see the takedown process in our Terms §5.

10. Children

Skillproof is not directed at children. Under our Terms §3, you must be at least 16 (or the age of digital consent in your jurisdiction, whichever is higher). If we learn we have collected data about someone below that age, we delete it.

11. Security

We use HTTPS-only access, encrypted volumes at rest, and limit admin access to the two named individuals. No system is perfectly secure, and Skillproof is a small project, not staffed for 24/7 security operations. We will investigate any reported vulnerability promptly and notify affected users within 72 hours of confirming a personal-data breach (GDPR Art. 33–34). Report security issues to hi@skillier.ai with "Security" in the subject.

12. Changes

We may update this policy; the "Last updated" date will reflect any change. Material changes (new data categories, new processors, changed legal bases) will be announced on the site at least seven (7) days before they take effect. We will not retroactively apply weaker protections to data already collected.

13. A note about skill contents

A report stores an excerpt of the skill you scanned. If you paste a private skill containing personal information, that text may be logged. The safer practice is to not put personal information into a skill you scan publicly.

14. Contact

For anything privacy-related — access, deletion, complaints, questions — email hi@skillier.ai. If you are not satisfied with our response, you may lodge a complaint with your national supervisory authority; in France, the CNIL.

The independent quality + safety grade for AI agent skills, a Skillier project. Not affiliated with Anthropic, Snyk, or Socket.
