skill-safety-audit

star 4

Audit third-party Agent Skills before installation. Use when the user wants to inspect a Codex, Claude Code, or SKILL.md-based skill, GitHub skill repository, install script, or local skill folder for malicious instructions, secret access, dangerous shell commands, prompt injection, persistence, network exfiltration, or install-time risk.

AI272 By AI272 schedule Updated 6/1/2026
play_arrow Run Skill in Manus View GitHub

name: skill-safety-audit description: "Audit third-party Agent Skills before installation. Use when the user wants to inspect a Codex, Claude Code, or SKILL.md-based skill, GitHub skill repository, install script, or local skill folder for malicious instructions, secret access, dangerous shell commands, prompt injection, persistence, network exfiltration, or install-time risk."

Skill Safety Audit

Use this skill to audit Agent Skills before installation. It is conservative by default: a REVIEW verdict is acceptable when behavior may be legitimate but needs human inspection. Version 1.1.0 adds Python AST checks, entropy/obfuscation heuristics, dependency risk checks, allowlists, reproducible report metadata, CI exit codes, and Claude Code hook/MCP scanning.

Workflow

  1. Identify the target: local skill folder, single SKILL.md, GitHub repo URL, or GitHub /tree/<ref>/<path> URL.
  2. Do not run any code from the target. Do not execute install scripts, package scripts, hooks, or copied commands.
  3. Run the static auditor:
python scripts/audit_skill.py <target> --format markdown

Useful v1.1 options:

python scripts/audit_skill.py <target> --ref <commit-sha>
python scripts/audit_skill.py <target> --rules ./custom-rules.json
python scripts/audit_skill.py <target> --since v1.0.0
python scripts/audit_skill.py <target> --ignore-file .skillaudit-ignore
  1. Read SKILL_SECURITY_REPORT.md and skill_security_report.json.
  2. Report the verdict first: SAFE, REVIEW, or DANGEROUS, followed by the risk score, exit code, reproducibility metadata, top findings, capability mismatch table, and install recommendation.

Verdict Policy

  • SAFE: no high or critical findings and low score.
  • REVIEW: suspicious behavior exists, but the evidence is not enough to reject the skill automatically.
  • DANGEROUS: critical behavior appears, such as secret access, dangerous shell execution, persistence, or code paths that can exfiltrate data.

CLI exit codes are SAFE=0, REVIEW=1, DANGEROUS=2, and runtime/input error 3.

Never tell the user a skill is safe if the report says REVIEW or DANGEROUS. If the user asks whether to install it, recommend installation only for SAFE; for REVIEW, recommend reading the cited files first; for DANGEROUS, recommend not installing.

Notes

  • GitHub URL support downloads source only. The auditor must not execute third-party code.
  • The scanner is static and conservative. It can produce false positives.
  • expected-capabilities and .skillaudit-ignore can suppress low/medium expected findings, but suppressed findings remain visible in the report.
  • For a final security decision, combine this report with manual review of the cited files.
Install via CLI
npx skills add https://github.com/AI272/skill-safety-audit --skill skill-safety-audit
Repository Details
star Stars 4
call_split Forks 0
navigation Branch main
article Path SKILL.md
More from Creator
AI272
AI272 Explore all skills →