safe-skills

safe-skills

Security scanner for LLM-powered applications. Detects vulnerabilities across prompt injection, data disclosure, tool misuse, agent trust boundaries, and more — using SAFE-MCP SAFE-T techniques as the primary taxonomy, with OWASP LLM/Agentic and agentic controls as secondary mappings.

Works natively in Claude Code, Codex, and Cursor through platform-specific adapters.

Quick Start

Pick your platform:

Claude Code (plugin):

claude plugin add bishnubista/safe-skills

From source (recommended for manual installs):

git clone https://github.com/bishnubista/safe-skills.git && cd safe-skills
./scripts/install.sh --codex

Use --claude, --cursor, or --all as needed.

Verified remote bootstrap (optional):

SAFE_SKILLS_REF="<immutable-tag-or-commit>"
SAFE_SKILLS_ARCHIVE_SHA256="<sha256-from-signed-release-metadata>"

curl -fsSLo /tmp/safe-skills-remote-install.sh \
  "https://raw.githubusercontent.com/bishnubista/safe-skills/${SAFE_SKILLS_REF}/scripts/remote-install.sh"

bash /tmp/safe-skills-remote-install.sh \
  --ref "$SAFE_SKILLS_REF" \
  --archive-sha256 "$SAFE_SKILLS_ARCHIVE_SHA256" \
  -- --codex

Replace --codex with --claude, --cursor, or --all. Do not use curl | bash and do not use mutable refs like main.

Install Targets

Platform	What Gets Installed	Location
Claude Code	SKILL.md bundle + references	~/.claude/skills/llm-vulnerability-scan/
Codex	SKILL.md bundle + openai.yaml + references	~/.agents/skills/llm-vulnerability-scan/
Cursor	Rule file	~/.cursor/rules/safe-skills-security-scan.md

Use --force to upgrade an existing install. Use --symlink for live-dev mode. Run ./scripts/install.sh --help for all options.

Usage

Claude Code

/safe-skills:scan              # Full scan (all severities)
/safe-skills:scan quick        # Quick scan (Critical + High only)

Codex

$llm-vulnerability-scan run a full SAFE-T-first scan for this repo
$llm-vulnerability-scan run a quick critical/high scan

Cursor

Ask in chat:

Scan this repo for LLM and MCP security issues using SAFE-T primary mapping.

Auto-Discovery

The scanner activates automatically when you discuss:

• OWASP LLM security or prompt injection risks
• Agent safety audits or MCP security
• Tool poisoning, data disclosure, or privilege escalation

Defaults

Setting	Default	Override
Scan type	Full (all severities)	Pass quick for Critical + High only
Scan scope	Repo (tracked files)	Pass include-local-config for untracked files

What Gets Scanned

The scanner runs three phases:

Phase 1 — Discovery: Detects project type, finds LLM SDK imports (OpenAI, Anthropic, LangChain, etc.), and locates agent/MCP configs.

Phase 2 — Parallel Scan: Six workers scan simultaneously by security theme:

Worker	Theme	SAFE-T Techniques
1	Injection and Goal Hijack	SAFE-T1102, SAFE-T1110, SAFE-T1401, SAFE-T1402, SAFE-T1001, SAFE-T1008
2	Data Disclosure and Supply Chain	SAFE-T1502, SAFE-T1503, SAFE-T1505, SAFE-T1002, SAFE-T1003, SAFE-T1207, SAFE-T1004, SAFE-T1006, SAFE-T1009, SAFE-T1204, SAFE-T2107
3	Output, Tool Misuse and Execution	SAFE-T1101, SAFE-T1105, SAFE-T1104, SAFE-T1106, SAFE-T1302, SAFE-T1103, SAFE-T1109, SAFE-T1205, SAFE-T1111, SAFE-T1303, SAFE-T1305
4	Identity, Memory and RAG	SAFE-T2106, SAFE-T1304, SAFE-T1306, SAFE-T1308, SAFE-T1202, SAFE-T1206, SAFE-T1702
5	Reliability, Trust and Inter-Agent	SAFE-T2105, SAFE-T1404, SAFE-T2102, SAFE-T1701, SAFE-T1705, SAFE-T1904
6	Agentic Controls and Governance	AC01–AC05 (using SAFE-T evidence)

Phase 3 — Report: Findings are sorted by severity, secret values are redacted, and output is saved to docs/security/llm-vulnerability-report.md.

Frameworks Covered

Framework	Version	Role
SAFE-MCP	v1.0	Primary taxonomy — findings keyed by SAFE-T####
OWASP LLM Top 10	2025	Secondary mapping (LLM01–LLM10)
OWASP Agentic Top 10	2026	Secondary mapping (ASI01–ASI10)
Agentic Controls (SAIF/NIST aligned)	N/A	Secondary mapping (AC01–AC05)

Report Format

Each finding includes:

• SAFE-T ID and human-readable title
• Severity (Critical / High / Medium / Low / Informational)
• File path and line number with code snippet (secret-bearing values redacted)
• Secondary mappings to OWASP LLM, OWASP Agentic, and Agentic Controls
• Remediation guidance with applicable SAFE-M mitigations

Example: