PULL.md is built for markdown assets that are actually portable and readable, and that same principle applies to trust. Every listing is scanned before publish and scanned again when moderator edits are applied. That keeps safety checks inside the content lifecycle instead of treating them as an afterthought.
Buyers see a compact scan status directly on cards, and creators get structured feedback during publish. Scanning reduces risk from hidden instructions, unsafe links, and accidental secret leakage. It does not guarantee safety in every runtime, so the recommended model is layered defense: scanner checks plus runtime guardrails in your own agent stack.
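As an added illustration of the runtime-guardrail half of that layered model (this is not PULL.md's scanner, and the rule set, function names and sample assets are assumptions made for the example), an agent stack can re-check a markdown asset for the same three risk classes before loading it:

```python
import re

# Assumed rule set for illustration only; PULL.md's own rules are not published on this page.
ZERO_WIDTH = re.compile(r"[\u200b\u200c\u200d\u2060\ufeff]")
HTML_COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)
MD_LINK = re.compile(r"\[[^\]]*\]\(\s*<?([^)\s>]+)")
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
ALLOWED_SCHEMES = {"https", "mailto"}

# Constructed sample assets (the key is AWS's documented example value).
CLEAN = "# Skill\n\nSee [docs](https://example.test/docs) and [setup](setup.md).\n"
FLAGGED = (
    "# Skill\n<!-- note not shown to readers -->\n"
    "[get](http://example.test/x)\nkey: AKIAIOSFODNN7EXAMPLE\n"
)


def scan_markdown(text):
    """Return a sorted list of (category, detail) findings for one markdown asset."""
    findings = set()
    # Hidden instructions: content a human reviewer does not see once rendered.
    if ZERO_WIDTH.search(text):
        findings.add(("hidden-content", "zero-width characters"))
    if HTML_COMMENT.search(text):
        findings.add(("hidden-content", "html comment"))
    # Unsafe links: any explicit scheme outside the allowlist (relative links pass).
    for target in MD_LINK.findall(text):
        scheme = target.split(":", 1)[0].lower() if ":" in target else ""
        if scheme and scheme not in ALLOWED_SCHEMES:
            findings.add(("unsafe-link", scheme))
    # Accidental secret leakage: well-known credential formats.
    for name, pattern in SECRET_PATTERNS.items():
        if pattern.search(text):
            findings.add(("secret", name))
    return sorted(findings)


def load_for_agent(text):
    """Runtime guardrail: refuse to hand a flagged asset to the agent."""
    findings = scan_markdown(text)
    if findings:
        raise ValueError(f"asset rejected: {findings}")
    return text
```

Pattern checks like these catch only known shapes, which is why they sit alongside the marketplace scan instead of replacing it.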