What specific threats does the scanner look for?

It flags suspicious install hooks, obfuscated code, unauthorized network calls, and attempts to access sensitive data like SSH keys or environment variables.

Does it support both Python and JavaScript?

Yes, it provides dedicated support for scanning both Python (pip) and Node.js (npm) packages.

Can I use this automatically during my workflow?

Yes, the skill is designed to be auto-invoked whenever you attempt to run pip install or npm install commands within Claude Code.

How does Sigil protect my environment?

Sigil scans packages before they are installed, identifying malicious patterns like credential theft or network exfiltration and placing them in a quarantine for your review.

How are the findings presented?

The skill provides a risk score and a list of specific findings, allowing you to approve or reject the package based on the detailed security report.

Sigil Package Security Scanner

Name: Sigil Package Security Scanner
Author: NOMARJ

byNOMARJ

•

Seguridad y Pruebas

Protects development environments by auditing pip and npm packages for malicious patterns before installation.

The scan-package skill integrates the Sigil security auditor into Claude's workflow to prevent supply chain attacks. It automatically analyzes Python and Node.js packages for suspicious behaviors such as malicious install hooks, network exfiltration, credential harvesting, and code obfuscation. By enforcing a quarantine-first approach, it allows developers to review risk scores and specific security findings before any potentially harmful code is executed on their machine, ensuring dependency management remains secure and transparent.

Características Principales

01Identification of network exfiltration attempts and DNS tunneling signatures

02Automated pre-install security auditing for pip and npm packages

03Analysis of code obfuscation techniques like base64 and charCode mapping

041 GitHub stars

05Detection of malicious install hooks like setup.py cmdclass or npm postinstall

06Scans for credential theft targeting environment variables and SSH keys

Casos de Uso

01Vetting unfamiliar third-party libraries before adding them to a project

02Auditing package updates for newly introduced suspicious behaviors

03Securing the development environment against supply chain attacks

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add nomarj/sigil scan-package

For use in Claude.ai and ChatGPT

Download Skill