Skill

external-skill-auditor

Audit third-party Agent Skills before install or repo promotion. Use when evaluating external skill sources, hooks, scripts, provenance, credentials, network behavior, or destructive commands. NOT for creating skills, code review, or appsec scans.

Install

npx claudepluginhub wyattowalsh/agents --plugin agents

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Audit third-party Agent Skills as trust-bearing assets before installing them

Supporting Assets

evals/evals.jsonreferences/import-checklist.mdscripts/audit_external_skill.py

SKILL.md

Similar Skills

using-git-worktrees

Creates isolated Git worktrees for feature branches with prioritized directory selection, gitignore safety checks, auto project setup for Node/Python/Rust/Go, and baseline verification.

superpowers

169.2k

subagent-driven-development

3 files

Executes implementation plans in current session by dispatching fresh subagents per independent task, with two-stage reviews: spec compliance then code quality.

superpowers

169.2k

dispatching-parallel-agents

Dispatches parallel agents to independently tackle 2+ tasks like separate test failures or subsystems without shared state or dependencies.

superpowers

169.2k

Stats

Stars2

Forks1

Last CommitApr 26, 2026

Actions

View Source View Plugin View on GitHub View README

External Skill Auditor

Audit third-party Agent Skills as trust-bearing assets before installing them globally or promoting them into this repository.

Scope: External skill import review only. NOT for creating skills (skill-creator), normal code review (honest-review), dependency/appsec scanning (security-scanner), or broad skill discovery (discover-skills).

Dispatch

`$ARGUMENTS`	Mode	Action
Empty	`menu`	Show audit modes, required evidence, and outcome categories
`triage <source>`	`triage`	Classify source reputation, registry signal, install syntax, and dedupe risk
`inspect <path>`	`inspect`	Review local staged skill files for frontmatter, hooks, scripts, and command risk
`commands <path>`	`commands`	Extract and classify shell commands, package-manager calls, and network operations
`provenance <source>`	`provenance`	Check source URL, owner, license, commit/hash, and registry/source-list consistency
`decision <source-or-path>`	`decision`	Produce install-now / inspect / keep-global / build-local / avoid recommendation
`scan <path>`	`scan`	Run the local static scanner and interpret its JSON output
Natural language about external skills, registries, hooks, scripts, or importing	Auto-detect the closest mode

Outcome Categories

Category	Meaning
`install now`	Reputable source, clear gap, no risky executable surface after inspection
`inspect then install`	Useful candidate with unresolved scripts, hooks, credentials, or provenance questions
`keep global only`	Useful personally, but duplicate or too operational for repo promotion
`build locally`	Concept is valuable but external options are weak, stale, or too broad
`avoid/duplicate`	Unsafe, untrusted, source-conflicted, stale, or redundant with repo skills

Canonical Vocabulary

Use these canonical terms exactly in audit reports.

Term	Meaning
source-list	Read-only `npx skills add <source> --list` result used before install
executable surface	Hook, script, command substitution, shell snippet, binary, or package script
source conflict	Registry metadata and source-list/install behavior disagree
provenance	Source owner, URL, license, commit, content hash, and access date
credential behavior	How a skill reads, stores, transmits, or asks for secrets and tokens
promotion	Moving an external skill into this repo's tracked catalog or docs
outcome category	One of `install now`, `inspect then install`, `keep global only`, `build locally`, or `avoid/duplicate`

Classification Gate

Classify the request before auditing:

If the user asks to create or improve a skill, route to skill-creator.
If the user asks for normal code review, route to honest-review.
If the user asks for app vulnerability or dependency scanning, route to security-scanner.
If the user asks for broad skill discovery, route to discover-skills.
Otherwise, choose the closest mode from the dispatch table.

Audit Workflow

Capture the intended source and install command exactly.
Run only source-list or read-only inspection first, such as:
```
npx skills add <source> --list
```
Read the candidate SKILL.md and all referenced files before installing.
Inspect hooks, scripts, allowed tools, command substitutions, shell snippets, network calls, env access, credential storage, and filesystem writes.
Check dedupe against repo-owned and globally installed skills.
Decide with one of the outcome categories and include the evidence boundary.

For local staged skill directories, run:

uv run python skills/external-skill-auditor/scripts/audit_external_skill.py <skill-dir>

Treat the script output as a first-pass signal only. Human review still decides whether commands are intentional, documented, and acceptable for the skill's purpose.

Progressive Disclosure

Start with this SKILL.md for routing, outcome categories, and hard rules.
Read references/import-checklist.md when making any install, promotion, or avoid decision.
Run scripts/audit_external_skill.py only for local staged skill directories.
Do not load unrelated code-review, appsec, or skill-authoring guidance unless the classification gate redirects.

Import Checklist

Use references/import-checklist.md for the full gate. Minimum checks:

Source owner, URL, license, install count, and current source-list behavior.
Resolved commit SHA and content hash before repo promotion.
Frontmatter validity and description fit for this repo.
hooks, allowed-tools, scripts, and executable files.
Commands that mutate git, install packages, write home directories, or call APIs.
Credential/env var handling, network egress, telemetry, and data upload behavior.
Duplicate concepts already covered by repo skills.

Critical Rules

Require npx skills add <source> --list evidence before any install decision.
Inspect hooks, scripts, binaries, and command substitutions before approving promotion.
Block source conflicts where registry metadata and source-list behavior disagree.
Redact secret values while reporting credential-handling issues.
Refuse to run candidate scripts during audit except syntax/static checks in a staging path.
Downgrade unknown community sources unless install count, recency, and code inspection compensate.
Record evidence date because registry counts and source contents drift.
Classify every candidate into exactly one outcome category.

Reference File Index

File	Read When
`references/import-checklist.md`	Running any audit, decision, or repo-promotion review

Script	Run When
`scripts/audit_external_skill.py`	Static first-pass scan of a local external skill directory

Output Shape

## External Skill Audit

- Candidate:
- Source:
- Intended install command:
- Outcome:
- Confidence:
- Trust blockers:

### Evidence
- Source/provenance:
- Registry/source-list:
- Dedupe:
- Executable surfaces:
- Credential/network behavior:
- Script scan:

### Required Follow-up
- ...

Validation Contract

Before declaring this skill complete after edits:

uv run wagents validate
uv run wagents eval validate
uv run python audit.py skills/external-skill-auditor
uv run wagents package external-skill-auditor --dry-run
uv run python skills/external-skill-auditor/scripts/audit_external_skill.py skills/external-skill-auditor

Completion criteria:

Skill and eval validation pass.
Audit score is A or all remaining findings are explicitly accepted.
Package dry-run passes.
Static scanner returns JSON without executing candidate scripts.
Smoke review covers source triage, local scan, hook/script risk, and negative-control routing.