skill-auditor

Original：🇺🇸 English

Translated

1 scripts

Analyze agent skills for security risks, malicious patterns, and potential dangers before installation. Use when asked to "audit a skill", "check if a skill is safe", "analyze skill security", "review skill risk", "should I install this skill", "is this skill safe", or when evaluating any skill directory for trust and safety. Also triggers when the user pastes a skill install command like "npx skills add https://github.com/org/repo --skill name". Produces a comprehensive security report with a clear install/reject verdict.

2installs

Sourcemontimage/skills

Added on2026-02-09

NPX Install

npx skill4agent add montimage/skills skill-auditor

SKILL.md Content

View Translation Comparison →

Skill Auditor

Analyze agent skill directories for security risks and provide an install/reject verdict.

Workflow

Auditing a skill follows these phases:

Resolve input - Parse the user's input to locate the skill
Research - Scan and understand what the skill does
Report - Produce a detailed findings report
Verdict - Deliver a clear install/reject recommendation

Phase 0: Resolve Input

The user may provide the skill target in several formats. Parse the input and resolve it to a local directory before proceeding.

Format 1: Local path

audit skills/my-skill/
audit /path/to/skill-dir

Use the path directly.

Format 2: GitHub URL

audit https://github.com/org/repo

Clone the repo to

/tmp/<repo-name>

, audit the root as the skill directory. Clean up after.

Format 3: Install command (npx skills add)

npx skills add https://github.com/org/repo --skill skill-name
npx skills add https://github.com/org/repo

Extract the GitHub URL and optional

--skill

name:

Parse the URL from the command (the
```
https://github.com/...
```
part)
Clone the repo to
```
/tmp/<repo-name>
```
If
```
--skill <name>
```
is present, the audit target is the subdirectory
```
skills/<name>/
```
within the cloned repo. If that path doesn't exist, try
```
<name>/
```
at the repo root.
If no
```
--skill
```
flag, audit the repo root as a single skill (look for
```
SKILL.md
```
at root)
Clean up the cloned repo after the audit

Parsing rule: Extract the GitHub URL with this pattern:

https://github.com/<owner>/<repo>

And the skill name (if any) from

--skill <name>

anywhere in the command.

Format 4: GitHub URL with skill name

audit https://github.com/org/repo --skill skill-name
audit https://github.com/org/repo skill-name

Same as Format 3 — clone, then audit

skills/<name>/

or

<name>/

.

Resolution summary

Input	Clone?	Audit target
Local path	No	The path as-is
GitHub URL only	Yes → `/tmp/<repo>`	Repo root
GitHub URL + `--skill X`	Yes → `/tmp/<repo>`	`skills/X/` or `X/` in repo
`npx skills add URL`	Yes → `/tmp/<repo>`	Repo root
`npx skills add URL --skill X`	Yes → `/tmp/<repo>`	`skills/X/` or `X/` in repo

After resolving, verify the target directory contains a

SKILL.md

. If not, report an error.

Phase 1: Research

1.1 Run the automated scanner

bash

python3 {SKILL_DIR}/scripts/scan_skill.py <target-skill-path>

The scanner outputs JSON with:

File inventory (names, sizes, permissions, executability)
Pattern matches for dangerous imports, shell commands, obfuscation, credential access, filesystem access, and prompt injection
Summary counts

1.2 Read SKILL.md frontmatter and body

Read the target skill's

SKILL.md

to understand:

Stated purpose: What the skill claims to do
Trigger conditions: When it activates
Instruction patterns: What it tells the agent to do

1.3 Read all script files

Read every

.py

,

.sh

,

.js

,

.ts

,

.rb

file in the skill. For each:

Understand what the script does end-to-end
Note any network calls, file operations, or system commands
Check if input flows into dangerous operations (injection risk)
Look for obfuscated or encoded payloads

1.4 Read reference and instruction files

Read all

.md

files in

references/

and any other text files. Check for:

Prompt injection patterns hidden in documentation
Instructions that override safety or hide actions
Encoded content that doesn't match the stated purpose

1.5 Contextual analysis

For each finding from the scanner, determine:

Is this pattern justified by the skill's stated purpose?
Is the scope appropriate (working directory vs system-wide)?
Are targets hardcoded/known or dynamic/user-controlled?
Is code readable or deliberately obfuscated?

Consult references/security-checklist.md for the full risk taxonomy and contextual analysis guidelines.

Phase 2: Report

Generate

SKILL_AUDIT.md

in the current working directory using this structure:

markdown

# Skill Audit Report: [skill-name]

**Date**: YYYY-MM-DD
**Skill Path**: path/to/skill
**Auditor**: skill-auditor v1.0

## Skill Overview

| Property | Value |
|----------|-------|
| Name | [from frontmatter] |
| Description | [from frontmatter] |
| Total Files | N |
| Script Files | N |
| Executable Files | N |
| Binary Files | N |

## Risk Summary

| Category | Findings | Severity |
|----------|----------|----------|
| Code Execution | N | Critical/High/Medium/Low/None |
| Network/Exfiltration | N | ... |
| Filesystem Access | N | ... |
| Privilege Escalation | N | ... |
| Obfuscation | N | ... |
| Prompt Injection | N | ... |
| Supply Chain | N | ... |
| Credential Exposure | N | ... |
| Persistence | N | ... |

**Overall Risk Level**: [SAFE / LOW / MEDIUM / HIGH / CRITICAL]

## Detailed Findings

### [Category Name] ([Severity])

**File**: `path/to/file:line`
**Pattern**: [what was detected]
**Context**: [the actual code/text]
**Analysis**: [Is this justified? What is the real risk?]

[Repeat for each finding]

## Files Inventory

[Table of all files with size, permissions, and notes]

## Verdict

### [SAFE TO INSTALL / INSTALL WITH CAUTION / DO NOT INSTALL]

**Reasoning**: [2-3 sentence summary of why]

**Key concerns** (if any):
1. [Specific concern with file:line reference]
2. [Specific concern with file:line reference]

**Mitigations** (if applicable):
1. [What the user can do to reduce risk]
2. [Specific files to review or modify]

Phase 3: Verdict

Apply the verdict decision matrix:

Risk Level	Criteria	Verdict
SAFE	No findings or only informational	SAFE TO INSTALL
LOW	Minor patterns with clear legitimate context	SAFE TO INSTALL (note findings)
MEDIUM	Network calls, file access, or installs with plausible purpose	INSTALL WITH CAUTION
HIGH	Obfuscation, credential access, injection, or escalation without justification	DO NOT INSTALL
CRITICAL	Exfiltration, reverse shells, encoded payloads, or active prompt injection	DO NOT INSTALL

When delivering the verdict, present it clearly with:

Verdict badge: Use the exact phrase for easy scanning
One-line summary: What the skill does and whether that's safe
Top 3 concerns: If any, with specific file:line references
Recommendation: What to do next (install, review specific files, or reject)

Phase 4: Offer Installation (Safe/Low verdicts only)

If the verdict is SAFE TO INSTALL or INSTALL WITH CAUTION, ask the user if they want to install the skill now.

Reconstruct the install command

Build the

npx skills add

command from the information gathered in Phase 0:

If the input was already an install command (
```
npx skills add ...
```
): reuse it as-is

If the input was a GitHub URL (

https://github.com/owner/repo

):

Without

--skill

:

npx skills add https://github.com/owner/repo

With

--skill X

:

npx skills add https://github.com/owner/repo --skill X

If the input was a local path: installation via
```
npx skills add
```
is not applicable — skip this phase

Ask and install

Present the install command to the user and ask if they want to proceed:

The skill passed the audit. Would you like to install it now?
npx skills add https://github.com/owner/repo --skill skill-name

If the user confirms, run the command. If the verdict was INSTALL WITH CAUTION, remind them of the key concerns before asking.

Do NOT offer installation for DO NOT INSTALL verdicts.

Important Notes

Always read ALL files in the skill - never skip based on file extension alone
Binary files (.png, .pptx, etc.) cannot be scanned for content but note their presence
A finding is NOT automatically a vulnerability - apply contextual judgment
Skills that only contain
```
.md
```
files with no scripts are generally lower risk
The scanner catches patterns, not intent - human-readable analysis is the core value