Does this skill execute the code it audits?

No, it performs static analysis to safely inspect files for dangerous patterns without executing potentially malicious code in your environment.

Can it audit skills directly from a URL?

Yes, it can audit skills from Git repository URLs by cloning them to a temporary directory for scanning before you commit to installation.

What constitutes a FAIL verdict in the audit report?

A FAIL verdict is triggered by critical risks such as hardcoded network exfiltration, command injection, or unauthorized filesystem access outside the skill directory.

Can I use this in my GitHub Actions or CI/CD?

Absolutely. The auditor supports JSON output and standardized exit codes, making it easy to integrate into automated security pipelines.

AI Skill Security Auditor

Name: AI Skill Security Auditor
Author: zhangzhang-111-i

byzhangzhang-111-i

0•

Security & Testing

Audits AI agent skills and Claude Code plugins for security vulnerabilities, malicious code, and prompt injection before installation.

The Security Auditor skill provides a comprehensive security gate for AI agent workflows by scanning local or remote skill directories for critical risks. It automatically detects dangerous code patterns like command injection and obfuscated payloads, identifies prompt injection attempts in documentation, and flags supply chain vulnerabilities in dependencies. By producing clear PASS/WARN/FAIL verdicts with remediation guidance, it ensures that developers can safely extend Claude's capabilities without compromising their local environment, private credentials, or sensitive data.

Key Features

01Filesystem boundary violation and unauthorized data access checks

020 GitHub stars

03Prompt injection detection in SKILL.md and reference documentation

04Dependency supply chain risk assessment and package typosquatting detection

05Static analysis for command injection and unsafe code execution like eval and exec

06Automated security reporting with actionable remediation steps for every finding

Use Cases

01Evaluating third-party skills from untrusted GitHub repositories before installation

02Integrating automated security gates into CI/CD pipelines for AI skill development

03Auditing existing skill directories for hidden network exfiltration or credential harvesting

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add zhangzhang-111-i/claude-skills111 skill-security-auditor

For use in Claude.ai and ChatGPT

Key Features

01Filesystem boundary violation and unauthorized data access checks

020 GitHub stars

03Prompt injection detection in SKILL.md and reference documentation

04Dependency supply chain risk assessment and package typosquatting detection

05Static analysis for command injection and unsafe code execution like eval and exec

06Automated security reporting with actionable remediation steps for every finding

Use Cases

01Evaluating third-party skills from untrusted GitHub repositories before installation

02Integrating automated security gates into CI/CD pipelines for AI skill development

03Auditing existing skill directories for hidden network exfiltration or credential harvesting

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add zhangzhang-111-i/claude-skills111 skill-security-auditor

For use in Claude.ai and ChatGPT