What should I do if a skill receives a FAIL verdict?

A FAIL verdict indicates critical findings like command injection or data exfiltration. You should not install the skill. Review the specific findings in the report and apply the suggested remediation guidance before reconsidering.

What types of files does the Skill Security Auditor scan?

The auditor scans Python, Bash, JavaScript, and TypeScript scripts for code execution risks, as well as SKILL.md and other Markdown files for prompt injection and role hijacking patterns.

Can this skill detect all types of malicious code?

It performs advanced static analysis to find known dangerous patterns and obfuscation. However, it does not execute code (dynamic analysis), so it may not detect complex time-delayed logic bombs.

Is it safe to use on skills hosted on GitHub?

Yes, you can audit skills directly from a Git URL. The auditor can clone the repository to a temporary directory to verify its safety before you commit to a local installation.

Skill Security Auditor

Name: Skill Security Auditor
Author: micsapp

bymicsapp

0•

安全与测试

Audits and scans AI agent skills for security vulnerabilities, malicious code, and prompt injection risks before installation.

Skill Security Auditor is a specialized safety tool designed to protect your development environment by performing deep static analysis on AI agent skills before they are integrated into your workflow. It scans for critical risks such as command injection, data exfiltration, and prompt injection in documentation files, while also identifying dependency supply chain threats and unauthorized file system access. By providing a clear pass, warn, or fail verdict with actionable remediation guidance, it serves as an essential security gate for developers using Claude Code, OpenClaw, or Codex plugins to ensure every installed capability is safe and compliant.

主要功能

01Analyzes dependency supply chains for typosquatting and known vulnerabilities

02Identifies prompt injection and role hijacking patterns in SKILL.md files

03Scans for network exfiltration and credential harvesting attempts

04Enforces file system boundaries to prevent unauthorized directory access

05Detects code execution risks like eval(), os.system(), and obfuscated payloads

060 GitHub stars

使用场景

01Implementing a pre-install security gate within automated CI/CD pipelines

02Evaluating AI agent skills from untrusted third-party repositories

03Auditing local Python and Bash scripts for dangerous patterns and hidden payloads

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add micsapp/micstec-skills skill-security-auditor

For use in Claude.ai and ChatGPT

主要功能

01Analyzes dependency supply chains for typosquatting and known vulnerabilities

02Identifies prompt injection and role hijacking patterns in SKILL.md files

03Scans for network exfiltration and credential harvesting attempts

04Enforces file system boundaries to prevent unauthorized directory access

05Detects code execution risks like eval(), os.system(), and obfuscated payloads

060 GitHub stars

使用场景

01Implementing a pre-install security gate within automated CI/CD pipelines

02Evaluating AI agent skills from untrusted third-party repositories

03Auditing local Python and Bash scripts for dangerous patterns and hidden payloads