From lawvable-awesome-legal-skills
Audits AI agent skills for security threats before installation. Runs static checks across ten categories including code execution, credential harvesting, prompt injection, and supply-chain hooks, producing a PASS/WARN/FAIL verdict.
How this skill is triggered — by the user, by Claude, or both
Slash command
/lawvable-awesome-legal-skills:skill-security-auditor-antoine-louisThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Static analysis for AI agent skills. Run it on any skill from outside your own
Static analysis for AI agent skills. Run it on any skill from outside your own trust boundary before letting an agent execute its scripts. The auditor walks the entire skill directory and emits findings across ten threat categories, then collapses them into a single verdict that CI can gate on.
This skill is paranoid by design. It assumes a skill author may be trying to compromise the host system, exfiltrate credentials, persist beyond the session, or inject hostile instructions into the model. Most skills will trip a couple of LOW or MEDIUM findings — that's expected. The signal worth acting on is CRITICAL and HIGH.
Trigger this skill when the user:
Do not use this skill when the user is auditing their own first-party code — there are better static-analysis tools (Semgrep, Bandit, CodeQL) for that. This skill specializes in the specific attack surface of AI agent skills: SKILL.md prompt injection, malicious tool helpers, supply-chain hooks in dependency manifests, and persistence mechanisms that survive the agent session.
# Audit a local directory
python3 scripts/audit.py /path/to/skill
# Audit a git repo (cloned to a temp dir, optionally cleaned up after)
python3 scripts/audit.py https://github.com/example/some-skill.git --cleanup
# Strict mode — treat HIGH findings as blocking (recommended for CI)
python3 scripts/audit.py ./skill --strict
# Machine-readable output for CI
python3 scripts/audit.py ./skill --json --output report.json
# Markdown report suitable for pasting into a PR comment
python3 scripts/audit.py ./skill --markdown --output review.md
# Audit a sub-skill inside a repo containing several
python3 scripts/audit.py ./repo --skill skills/my-skill
Exit codes: 0 PASS · 1 FAIL · 2 WARN · 3 usage/IO error.
Every file under the skill root is classified and routed to the appropriate
scanner. The categories below summarize what each scanner looks for;
references/threat-model.md covers the why in depth.
| Category | Severity span | Examples |
|---|---|---|
| Code execution | HIGH–CRITICAL | eval, exec, os.system, subprocess(shell=True), dynamic getattr |
| Network exfil | MEDIUM–CRITICAL | hardcoded IPs, webhook sinks (webhook.site, ngrok, interact.sh), requests.post to runtime URLs |
| Credential harvest | HIGH–CRITICAL | reads from ~/.ssh, ~/.aws, ~/.gnupg, sensitive env vars, browser cookie DBs |
| Persistence | HIGH–CRITICAL | cron, systemd, launchctl, shell rc files, git hooks, authorized_keys, registry Run keys |
| Prompt injection | MEDIUM–CRITICAL | "ignore previous instructions", role markers, <|im_start|>system, hidden HTML comments |
| Supply chain | MEDIUM–CRITICAL | unpinned deps, typosquats (Levenshtein 1–2 from popular packages), npm postinstall hooks |
| Obfuscation | MEDIUM–HIGH | base64-decoded code, chr(...) chains, hex-escape blobs, Bidi / Trojan Source |
| Filesystem | LOW–CRITICAL | binaries, symlinks escaping the skill, SUID bits, writes to /etc, rm -rf patterns |
| Secrets | HIGH–CRITICAL | AWS keys, GitHub tokens, OpenAI/Anthropic keys, private key headers, JWTs |
| CI workflow | HIGH–CRITICAL | unescaped ${{ github.event.* }} in run:, pull_request_target with checkout |
The scanners run in this order: structure → filesystem → supply-chain → workflows → prompts → code. A malformed skill surfaces the structural issue first instead of drowning the reviewer in cascade findings.
The verdict is a three-state collapse of the findings:
--strict mode.
Means: do not install. Either there's a clear malicious pattern, or
there's something that needs explanation from the skill author before
it can be trusted.For automated gates, run with --strict. The default (non-strict) mode is
for interactive review where a human is in the loop.
Each finding has the same shape:
🔴 CRITICAL (3 findings)
────────────────────────────────────────────────────────────────────────
scripts/install.py
scripts/install.py:42 [CODE-EXEC]
│ os.system(base64.b64decode(payload).decode())
Risk: Decodes and executes a base64-encoded payload at runtime
Fix: Remove. Skills must not execute arbitrary decoded strings.
CODE-EXEC) is stable across runs — use it to
build baseline rules or filter in CI.....Two suppression mechanisms exist, intentionally orthogonal:
1. Line-level (# noqa: SEC-AUDITOR) — when a legitimate skill genuinely
needs a flagged pattern. Add the marker as a trailing comment on the line:
import pickle # noqa: SEC-AUDITOR — internal-only cache, never deserialized from network
Equivalent markers auditor:ignore-line and audit-skip also work. Lines
with any of these markers are skipped during scanning.
2. Baseline file (fingerprint suppression) — for accepting findings
without modifying source. Each finding has a stable 16-char fingerprint
derived from sha256(file + snippet + pattern + category) — line numbers
don't matter, so the fingerprint survives reformatting and reordering.
Get fingerprints from a JSON run:
python3 scripts/audit.py ./skill --json | jq '.findings[] | {fingerprint, category, file}'
Then commit a baseline.yml:
suppressions:
- fingerprint: a1b2c3d4e5f60718
reason: reviewed 2025-04-30, internal HTTP call to corporate API
- fingerprint: 0123456789abcdef
reason: false positive in vendored library, see ticket SEC-441
And run with --baseline baseline.yml. See assets/baseline.example.yml
for the full schema.
GitHub Actions, gated on CRITICAL findings, opening a PR comment on WARN:
name: Skill security audit
on: [pull_request]
jobs:
audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with: { python-version: '3.11' }
- name: Clone auditor
run: git clone https://github.com/your-org/skill-security-auditor.git /tmp/auditor
- name: Run audit
id: audit
run: |
python3 /tmp/auditor/scripts/audit.py . \
--strict \
--markdown \
--output audit-report.md
continue-on-error: true
- name: Post review comment
if: always()
uses: actions/github-script@v7
with:
script: |
const fs = require('fs');
const body = fs.readFileSync('audit-report.md', 'utf8');
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body
});
- name: Fail on critical
if: steps.audit.outcome == 'failure'
run: exit 1
For pre-commit, just call the auditor directly:
# .pre-commit-config.yaml
repos:
- repo: local
hooks:
- id: skill-audit
name: skill-security-auditor
entry: python3 scripts/audit.py
args: [--strict, --quiet]
language: system
pass_filenames: false
always_run: true
Detailed reading lives in the references/ directory:
references/threat-model.md — Full taxonomy of attacks a malicious
skill can mount, with concrete examples per category. Read this if you're
writing a new pattern or evaluating whether the auditor covers a given
attack scenario.references/pattern-catalog.md — Complete list of every pattern the
auditor recognizes, grouped by category, with example malicious source
and the regex that catches it.references/remediation-guide.md — How to fix each finding category.
Linked from the fix field when guidance doesn't fit in one line.Stated honestly because security tools that pretend to be exhaustive are worse than ones that admit gaps:
requests.post(url, data=secret)
and flags it, but it doesn't trace whether url came from a trusted
config. False positives are accepted as the cost of catching real
exfiltration.pip-audit /
npm audit for known-CVE coverage.Skills run with the agent's full execution capability. A compromised skill can read your credentials, exfiltrate your data, persist on your system, or inject hostile instructions into the model that survive across conversations. Software that ingests untrusted code without static review is software that gets owned. This skill is the static review.
npx claudepluginhub lawve-ai/awesome-legal-skillsScans AI agent skills for security risks before installation, detecting code execution, prompt injection, and credential harvesting. Use when evaluating skills from untrusted sources.
Scans third-party skills for malicious patterns before installation. Detects prompt injection, RCE, credential theft, and social engineering across 6 audit phases.
Vets AI agent skills, prompts, and instructions for typosquatting, dangerous permissions, prompt injection, supply chain risks, and data exfiltration before deployment.