skill-security-auditor

Trigger phrases

Phrases that activate this skill when typed to Claude Code:

• audit this skill
• scan skill for security issues
• security check before install

What it does

skill-security-auditor is a meta security gate. Before you install a Claude Code skill from a third-party source, you run it through this auditor, which scans for the categories of risk that matter when you’re about to give a skill access to your shell, your filesystem, and your code:

• Command injection — does the skill build shell commands from untrusted input?
• Arbitrary code execution — does it eval or dynamically import based on inputs?
• Data exfiltration — does it make network calls that send data outward in non-obvious ways?
• Privilege escalation — does it try to write outside its scope, modify settings, or chain permissions?

It runs entirely with zero external dependencies (a stated design choice) so the auditor itself doesn’t introduce supply-chain risk. Ships with its own CLI tool for batch auditing.

When to use it

• Before installing any skill from a source you haven’t vetted (GitHub repo, gist, a pasted SKILL.md)
• Reviewing a skill pack you’re considering buying or adopting at a team level
• After updating an existing skill — same source, but new behavior worth re-auditing
• Building your own skill and wanting a self-check before publication

When not to reach for it:

• Skills from sources you’ve already audited (skip; trust earned)
• Skills that don’t include any executable code (purely descriptive SKILL.md with no scripts) — the auditor doesn’t have much to find
• Adversarial scenarios where the skill is deliberately obfuscated — pair with manual review

Install

From the claude-skills repo under engineering/skill-security-auditor/. Install via the documented path. Check the repo for the bundled CLI tool which can audit multiple skills in one pass.

What a session looks like

1. You point the skill at a target skill — a folder, a SKILL.md, or a repo URL.
2. It scans the target for the four risk categories above, checking the SKILL.md contents and any supporting scripts/files.
3. It outputs a structured report: each finding with severity, the specific line / file, why it’s flagged, and the recommended action (install / install-with-caveats / don’t install).
4. You get a binary install / don’t recommendation plus the detail to override that recommendation if you understand the tradeoff.

The discipline: zero external dependencies. The auditor itself can’t be the supply-chain risk it’s protecting you from.

Receipts

Where it works well:

• Catches obvious shell-injection patterns reliably (string concat into exec, etc.)
• Surfaces network calls that exfiltrate data, including ones obscured by indirection
• The “zero external deps” design means the auditor itself is verifiable in minutes

Where it backfires:

• Sophisticated obfuscation can hide patterns from the static scanner — pair with manual review for high-stakes cases
• Some legitimate skills (e.g., ones that genuinely need network access or shell exec) will get flagged; the auditor distinguishes risk from intent imperfectly
• Doesn’t catch logic-level issues — a skill that does what it claims but the what is bad still passes

Pattern that works: run it as a gate before installing any third-party skill, treating its findings as a strong signal but not the final word. For genuinely security-sensitive contexts (regulated, financial, healthcare), pair with a human review of the highest-severity findings.

Source and attribution

From Alireza Rezvani’s claude-skills repository. Featured as a v2.0.0 addition to his Engineering POWERFUL Tier.

License: MIT, zero external dependencies — the auditor is verifiable in its own right.

For the canonical CLI usage, latest detection rules, and updates, defer to the source repo.