skill-auditor

Original🇺🇸 English
Translated
1 scripts

Analyze agent skills for security risks, malicious patterns, and potential dangers before installation. Use when asked to "audit a skill", "check if a skill is safe", "analyze skill security", "review skill risk", "should I install this skill", "is this skill safe", or when evaluating any skill directory for trust and safety. Also triggers when the user pastes a skill install command like "npx skills add https://github.com/org/repo --skill name". Produces a comprehensive security report with a clear install/reject verdict.

3installs
Sourcemontimage/skills
Added on

NPX Install

npx skill4agent add montimage/skills skill-auditor

Tags

Translated version includes tags in frontmatter
skill-auditingagent-securityrisk-assessmentsecurity-reportingskill-installation

SKILL.md Content

View Translation Comparison →

Skill Auditor

Analyze agent skill directories for security risks and provide an install/reject verdict.

Workflow

Auditing a skill follows these phases:
  1. Resolve input - Parse the user's input to locate the skill
  2. Research - Scan and understand what the skill does
  3. Report - Produce a detailed findings report
  4. Verdict - Deliver a clear install/reject recommendation

Phase 0: Resolve Input

The user may provide the skill target in several formats. Parse the input and resolve it to a local directory before proceeding.

Format 1: Local path

audit skills/my-skill/
audit /path/to/skill-dir
Use the path directly.

Format 2: GitHub URL

audit https://github.com/org/repo
Clone the repo to 
/tmp/<repo-name>
, audit the root as the skill directory. Clean up after.

Format 3: Install command (npx skills add)

npx skills add https://github.com/org/repo --skill skill-name
npx skills add https://github.com/org/repo
Extract the GitHub URL and optional 
--skill
name:
  1. Parse the URL from the command (the 
    https://github.com/...
    part)
  2. Clone the repo to 
    /tmp/<repo-name>
  3. If 
    --skill <name>
    is present, the audit target is the subdirectory 
    skills/<name>/
    within the cloned repo. If that path doesn't exist, try 
    <name>/
    at the repo root.
  4. If no 
    --skill
    flag, audit the repo root as a single skill (look for 
    SKILL.md
    at root)
  5. Clean up the cloned repo after the audit
Parsing rule: Extract the GitHub URL with this pattern:
https://github.com/<owner>/<repo>
And the skill name (if any) from 
--skill <name>
anywhere in the command.

Format 4: GitHub URL with skill name

audit https://github.com/org/repo --skill skill-name
audit https://github.com/org/repo skill-name
Same as Format 3 — clone, then audit 
skills/<name>/
or 
<name>/
.

Resolution summary

InputClone?Audit target
Local pathNoThe path as-is
GitHub URL onlyYes → 
/tmp/<repo>
Repo root
GitHub URL + 
--skill X
Yes → 
/tmp/<repo>
skills/X/
or 
X/
in repo
npx skills add URL
Yes → 
/tmp/<repo>
Repo root
npx skills add URL --skill X
Yes → 
/tmp/<repo>
skills/X/
or 
X/
in repo
After resolving, verify the target directory contains a 
SKILL.md
. If not, report an error.

Phase 1: Research

1.1 Run the automated scanner

bash
python3 {SKILL_DIR}/scripts/scan_skill.py <target-skill-path>
The scanner outputs JSON with:
  • File inventory (names, sizes, permissions, executability)
  • Pattern matches for dangerous imports, shell commands, obfuscation, credential access, filesystem access, and prompt injection
  • Summary counts

1.2 Read SKILL.md frontmatter and body

Read the target skill's 
SKILL.md
to understand:
  • Stated purpose: What the skill claims to do
  • Trigger conditions: When it activates
  • Instruction patterns: What it tells the agent to do

1.3 Read all script files

Read every 
.py
, 
.sh
, 
.js
, 
.ts
, 
.rb
file in the skill. For each:
  • Understand what the script does end-to-end
  • Note any network calls, file operations, or system commands
  • Check if input flows into dangerous operations (injection risk)
  • Look for obfuscated or encoded payloads

1.4 Read reference and instruction files

Read all 
.md
files in 
references/
and any other text files. Check for:
  • Prompt injection patterns hidden in documentation
  • Instructions that override safety or hide actions
  • Encoded content that doesn't match the stated purpose

1.5 Contextual analysis

For each finding from the scanner, determine:
  • Is this pattern justified by the skill's stated purpose?
  • Is the scope appropriate (working directory vs system-wide)?
  • Are targets hardcoded/known or dynamic/user-controlled?
  • Is code readable or deliberately obfuscated?
Consult references/security-checklist.md for the full risk taxonomy and contextual analysis guidelines.

Phase 2: Report

Generate 
SKILL_AUDIT.md
in the current working directory using this structure:
markdown
# Skill Audit Report: [skill-name]

**Date**: YYYY-MM-DD
**Skill Path**: path/to/skill
**Auditor**: skill-auditor v1.0

## Skill Overview

| Property | Value |
|----------|-------|
| Name | [from frontmatter] |
| Description | [from frontmatter] |
| Total Files | N |
| Script Files | N |
| Executable Files | N |
| Binary Files | N |

## Risk Summary

| Category | Findings | Severity |
|----------|----------|----------|
| Code Execution | N | Critical/High/Medium/Low/None |
| Network/Exfiltration | N | ... |
| Filesystem Access | N | ... |
| Privilege Escalation | N | ... |
| Obfuscation | N | ... |
| Prompt Injection | N | ... |
| Supply Chain | N | ... |
| Credential Exposure | N | ... |
| Persistence | N | ... |

**Overall Risk Level**: [SAFE / LOW / MEDIUM / HIGH / CRITICAL]

## Detailed Findings

### [Category Name] ([Severity])

**File**: `path/to/file:line`
**Pattern**: [what was detected]
**Context**: [the actual code/text]
**Analysis**: [Is this justified? What is the real risk?]

[Repeat for each finding]

## Files Inventory

[Table of all files with size, permissions, and notes]

## Verdict

### [SAFE TO INSTALL / INSTALL WITH CAUTION / DO NOT INSTALL]

**Reasoning**: [2-3 sentence summary of why]

**Key concerns** (if any):
1. [Specific concern with file:line reference]
2. [Specific concern with file:line reference]

**Mitigations** (if applicable):
1. [What the user can do to reduce risk]
2. [Specific files to review or modify]

Phase 3: Verdict

Apply the verdict decision matrix:
Risk LevelCriteriaVerdict
SAFENo findings or only informationalSAFE TO INSTALL
LOWMinor patterns with clear legitimate contextSAFE TO INSTALL (note findings)
MEDIUMNetwork calls, file access, or installs with plausible purposeINSTALL WITH CAUTION
HIGHObfuscation, credential access, injection, or escalation without justificationDO NOT INSTALL
CRITICALExfiltration, reverse shells, encoded payloads, or active prompt injectionDO NOT INSTALL
When delivering the verdict, present it clearly with:
  1. Verdict badge: Use the exact phrase for easy scanning
  2. One-line summary: What the skill does and whether that's safe
  3. Top 3 concerns: If any, with specific file:line references
  4. Recommendation: What to do next (install, review specific files, or reject)

Phase 4: Offer Installation (Safe/Low verdicts only)

If the verdict is SAFE TO INSTALL or INSTALL WITH CAUTION, ask the user if they want to install the skill now.

Reconstruct the install command

Build the 
npx skills add
command from the information gathered in Phase 0:
  • If the input was already an install command (
    npx skills add ...
    ): reuse it as-is
  • If the input was a GitHub URL (
    https://github.com/owner/repo
    ):
    • Without 
      --skill
      : 
      npx skills add https://github.com/owner/repo
    • With 
      --skill X
      : 
      npx skills add https://github.com/owner/repo --skill X
  • If the input was a local path: installation via 
    npx skills add
    is not applicable — skip this phase

Ask and install

Present the install command to the user and ask if they want to proceed:
The skill passed the audit. Would you like to install it now?
npx skills add https://github.com/owner/repo --skill skill-name
If the user confirms, run the command. If the verdict was INSTALL WITH CAUTION, remind them of the key concerns before asking.
Do NOT offer installation for DO NOT INSTALL verdicts.

Important Notes

  • Always read ALL files in the skill - never skip based on file extension alone
  • Binary files (.png, .pptx, etc.) cannot be scanned for content but note their presence
  • A finding is NOT automatically a vulnerability - apply contextual judgment
  • Skills that only contain 
    .md
    files with no scripts are generally lower risk
  • The scanner catches patterns, not intent - human-readable analysis is the core value