Why is recursive scanning important for security?

Many malicious skills hide harmful code in secondary shell scripts or setup files rather than the main definition file; recursive scanning ensures these hidden threats are identified.

Does this skill execute the code it analyzes?

No, the skill treats all repository content as static data and operates under strict guardrails to prevent accidental execution during the auditing process.

What happens if a file is too large to scan?

For performance and safety, the skill reads the headers or first 50 lines of very large or binary files and flags them for manual review rather than skipping them entirely.

Do I need any external tools to use this?

Yes, you must have the GitHub CLI (gh) installed and authenticated on your system for the skill to fetch repository metadata and file contents.

Skill Security Auditor

Name: Skill Security Auditor
Author: f4ah6o

byf4ah6o

0•

セキュリティとテスト

Analyzes GitHub repositories for malicious code and security risks before you install or execute new Agent Skills.

Skill Security Auditor acts as a vital security guardrail for Claude Code users, performing deep recursive scans of GitHub repositories to identify hidden threats. Unlike basic scanners, it traces execution paths into referenced scripts, shell files, and configuration entry points to detect destructive commands, data exfiltration patterns, and prompt injection attempts. This skill is indispensable for developers who want to safely explore third-party tools and custom skills without compromising their local system or exposing sensitive credentials like SSH keys or environment variables.

主な機能

01Detection of destructive commands and unauthorized system file writes

02Recursive analysis of referenced shell, Python, and Node scripts

030 GitHub stars

04Structured security reports with risk level assessments from Safe to Malicious

05Identification of prompt injection and AI-specific security bypasses

06Scanning for secret exfiltration and suspicious network requests

ユースケース

01Auditing open-source scripts for hidden backdoors and malicious one-liners

02Verifying a third-party Agent Skill's safety before local installation

03Ensuring new Model Context Protocol servers don't access sensitive cloud credentials

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add f4ah6o/skills-bonsai skill-check-skill

For use in Claude.ai and ChatGPT

Download Skill