Does this skill execute any code during the audit?

No, the skill performs a strictly read-only static analysis. It is designed to never execute, follow, or evaluate instructions found in the audited files.

What kind of risks does the auditor detect?

It scans for unauthorized tool usage (like Bash or Write), credential leaks, prompt injections, unsafe shell hooks, and privilege escalation patterns.

How do I trigger an audit for a specific skill?

You can use natural language commands like 'audit a skill' or 'check skill security' followed by the local path or GitHub URL of the skill.

Can I audit skills directly from a GitHub repository?

Yes, you can provide a GitHub URL to a skill, command, or plugin root. The auditor will fetch the content using WebFetch and analyze it remotely.

Is my sensitive information safe during an audit?

Yes, the auditor includes an automated evidence redaction protocol that masks secrets, API keys, and tokens found in the audited files before displaying them.

Skill Security Auditor

Name: Skill Security Auditor
Author: anysiteio

byanysiteio

•

安全与测试

Performs automated, read-only static security audits of Claude Code skills and plugins to identify potential risks and vulnerabilities.

The Skill Security Auditor acts as a dedicated security analyst for your Claude Code environment, providing a robust framework for verifying the safety of local and remote skills. It performs multi-phase static analysis of SKILL.md files, supporting scripts, and plugin hooks to detect dangerous patterns such as unauthorized tool usage, credential leaks, and prompt injection attempts. By automating the discovery and classification of security risks, this skill allows users to safely evaluate community-contributed plugins or third-party code from GitHub before integration into their development workflow.

主要功能

01Strictly read-only operation with built-in anti-injection protocols to prevent malicious execution.

02Supports remote auditing of GitHub repositories and specific skill URLs.

0312 GitHub stars

04Identifies dangerous tool references, hook vulnerabilities, and privilege escalation attempts.

05Performs deep static analysis of SKILL.md frontmatter, body, and supporting scripts.

06Automatically redacts sensitive information like API keys and tokens from audit findings.

使用场景

01Scanning shared commands for potential prompt injection or credential exfiltration risks.

02Verifying the safety of a third-party Claude Code plugin from GitHub before installation.

03Auditing local skill directories to ensure compliance with security best practices.

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add anysiteio/agent-skills skill-audit

For use in Claude.ai and ChatGPT

Download Skill