What is the Package Security Scanner skill?

It is a Claude Code capability that utilizes the Sigil CLI to perform automated security audits on Python (pip) and Node.js (npm) packages before they are installed.

How does the quarantine workflow help developers?

The quarantine workflow ensures that suspicious packages are flagged and blocked from installation until a human developer reviews the findings and provides explicit approval.

Is the scan performed automatically?

Yes, the skill is configured to be auto-invoked whenever a pip install or npm install command is initiated, ensuring consistent security coverage.

Does this skill work with all package managers?

Currently, the skill is optimized for the pip (Python) and npm (Node.js) ecosystems, which are the primary targets for most modern supply chain attacks.

What specific threats does this skill look for?

It flags critical security risks such as malicious install hooks (setup.py or postinstall), code obfuscation, unauthorized network exfiltration, and attempts to access environment variables or SSH keys.

Package Security Scanner

Name: Package Security Scanner
Author: NOMARJ

byNOMARJ

•

보안 및 테스팅

Audits Python and Node packages for malicious patterns and security vulnerabilities before they are installed in your environment.

The Package Security Scanner skill integrates the Sigil security auditing tool directly into Claude Code, providing a robust quarantine-first workflow for managing dependencies. It automatically identifies high-risk behavior in npm and pip packages—such as hidden install hooks, network exfiltration attempts, credential theft, and obfuscated code—before they can execute on your local machine. This skill is essential for developers who want to prevent supply chain attacks and maintain a secure development environment when adding or updating third-party libraries.

주요 기능

01Risk-based scoring to guide package approval or rejection

02Detection of malicious install hooks and obfuscated code patterns

03Quarantine-first workflow to review findings before execution

04Automated pre-installation scanning for npm and pip packages

05Identification of network exfiltration and credential access attempts

061 GitHub stars

사용 사례

01Investigating suspicious behavior in existing dependencies during version updates

02Auditing a new third-party library before adding it to a production repository

03Securing local development environments against software supply chain attacks

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add nomarj/sigil scan-package

For use in Claude.ai and ChatGPT

Download Skill