skill-scanner
- Repo stars 337
- Author updated Live
- Author repo deadlock-mod-manager
- Domain
- AI
- Compatible agents
-
- Claude Code
- Cursor
- Cline
- Codex
- Windsurf
- Gemini CLI
- +20
- Trust score
- 88 / 100 · community maintained
- Author / version / license
- @deadlock-mod-manager · no license declared
- Token usage
- Lean
- Setup complexity
- Guided setup
- External API key
- Not required
- Operating systems
- Unspecified (assume cross-platform)
- Runtime requirements
- No special requirements
- Permissions
-
- Read-only
- Write / modify
- Shell exec
- Env read
- Network behavior
- Local-only
- Install commands
- 26 variants
Profile is derived at build time from SKILL.md and install vectors. Subject to drift from author intent.
Heads up: 未限定 allowed-tools,默认拥有全部工具权限。
---
name: skill-scanner
description: Scan agent skills for security issues before adoption. Detects prompt injection, malicious code…
category: ai
runtime: no special runtime
---
# skill-scanner output preview
## PART A: Task fit
- Use case: Scan agent skills for security issues before adoption. Detects prompt injection, malicious code, excessive permissions, secret exposure, and supply chain risks. Static analysis scanner that detects deterministic patterns. Outputs structured JSON. runs entirely locally. Works with Claude Code, Cursor, Cline and 23 more..
- Inputs: target material, constraints, expected output, and acceptance criteria.
- Evidence boundary: follow “Bundled Script / scripts/scanskill.py / Workflow” and do not present inference as author intent.
## PART B: Execution result
- **01** The card summarizes the use case; runtime output centers on “Scan agent skills for security issues before adoption. Detects prompt injection, malicious code, excessive permissions, secret exposure, and supply chain risks. Static analysis scanner that detects deterministic patterns. Outputs structured JSON. runs entirely locally. Works with Claude Code, Cursor, Cline and 23 more.”.
- **02** When the source has headings, the agent prioritizes “Bundled Script / scripts/scanskill.py / Workflow” so the result follows the author’s structure.
- **03** Typical output includes task judgment, concrete steps, required commands or file edits, validation, and follow-up options.
- **04** Risk context follows the fingerprint: read files, write/modify files, run shell commands, read environment variables; mostly runs locally; usually needs no extra API key.
## Running Rules
- read files, write/modify files, run shell commands, read environment variables; mostly runs locally; usually needs no extra API key.
- Validate with a small sample before expanding scope.
- Return the result, validation criteria, and next iteration options. The source does not require a stable slash command. After installation, invoke the skill by name and describe the task.
Name target files or source material, expected output, forbidden changes, and whether network or shell access is allowed. Permission fingerprint: read files, write/modify files, run shell commands, read environment variables.
Start with a small task and check whether the result follows “Bundled Script / scripts/scanskill.py / Workflow”. Inspect diffs, logs, previews, or tests before expanding scope.
Confirm the final output includes a concrete result, evidence, and next action. If it stays generic, tighten inputs, boundaries, and acceptance criteria.
---
name: skill-scanner
description: Scan agent skills for security issues before adoption. Detects prompt injection, malicious code…
category: ai
source: deadlock-mod-manager/deadlock-mod-manager
---
# skill-scanner
## When to use
- Scan agent skills for security issues before adoption. Detects prompt injection, malicious code, excessive permissions…
- Use it when the task has clear inputs, repeatable steps, and validation criteria.
## What to provide
- Target material, scope, expected result, and forbidden changes.
- Whether network, commands, file writes, or external services are allowed.
## Execution rules
- Organize steps around “Bundled Script / scripts/scanskill.py / Workflow” and keep inference separate from source facts.
- read files, write/modify files, run shell commands, read environment variables; mostly runs locally; usually needs no extra API key.
- Validate with a small sample before expanding the task.
## Output requirements
- Return the deliverable, key evidence, validation method, and next action.
- Mark missing information as unknown; do not invent commands, platforms, or dependencies. The author source anchors workflow facts; repository files anchor sources and commands; Fluxly only adds fit, limitations, and quality judgment.
skill "skill-scanner" {
input -> user goal + target files + boundaries + acceptance criteria
context -> Bundled Script / scripts/scanskill.py / Workflow
rules -> SKILL.md triggers / order / output contract
runtime -> no special runtime | read files, write/modify files, run shell commands, read environment variables | mostly runs locally
guardrails -> usually needs no extra API key + small-sample validation + diff/log review
output -> copyable result + checklist + next iteration
} Skill Security Scanner
Scan agent skills for security issues before adoption. Detects prompt injection, malicious code, excessive permissions, secret exposure, and supply chain risks.
Important: Run all scripts from the repository root using the full path via ${CLAUDE_SKILL_ROOT}.
Bundled Script
scripts/scan_skill.py
Static analysis scanner that detects deterministic patterns. Outputs structured JSON.
uv run ${CLAUDE_SKILL_ROOT}/scripts/scan_skill.py <skill-directory>
Returns JSON with findings, URLs, structure info, and severity counts. The script catches patterns mechanically — your job is to evaluate intent and filter false positives.
Workflow
Phase 1: Input & Discovery
Determine the scan target:
- If the user provides a skill directory path, use it directly
- If the user names a skill, look for it under
plugins/*/skills/<name>/or.claude/skills/<name>/ - If the user says "scan all skills", discover all
*/SKILL.mdfiles and scan each
Validate the target contains a SKILL.md file. List the skill structure:
ls -la <skill-directory>/
ls <skill-directory>/references/ 2>/dev/null
ls <skill-directory>/scripts/ 2>/dev/null
Phase 2: Automated Static Scan
Run the bundled scanner:
uv run ${CLAUDE_SKILL_ROOT}/scripts/scan_skill.py <skill-directory>
Parse the JSON output. The script produces findings with severity levels, URL analysis, and structure information. Use these as leads for deeper analysis.
Fallback: If the script fails, proceed with manual analysis using Grep patterns from the reference files.
Phase 3: Frontmatter Validation
Read the SKILL.md and check:
- Required fields:
nameanddescriptionmust be present - Name consistency:
namefield should match the directory name - Tool assessment: Review
allowed-tools— is Bash justified? Are tools unrestricted (*)? - Model override: Is a specific model forced? Why?
- Description quality: Does the description accurately represent what the skill does?
Phase 4: Prompt Injection Analysis
Load ${CLAUDE_SKILL_ROOT}/references/prompt-injection-patterns.md for context.
Review scanner findings in the "Prompt Injection" category. For each finding:
- Read the surrounding context in the file
- Determine if the pattern is performing injection (malicious) or discussing/detecting injection (legitimate)
- Skills about security, testing, or education commonly reference injection patterns — this is expected
Critical distinction: A security review skill that lists injection patterns in its references is documenting threats, not attacking. Only flag patterns that would execute against the agent running the skill.
Phase 5: Behavioral Analysis
This phase is agent-only — no pattern matching. Read the full SKILL.md instructions and evaluate:
Description vs. instructions alignment:
- Does the description match what the instructions actually tell the agent to do?
- A skill described as "code formatter" that instructs the agent to read ~/.ssh is misaligned
Config/memory poisoning:
- Instructions to modify
CLAUDE.md,MEMORY.md,settings.json,.mcp.json, or hook configurations - Instructions to add itself to allowlists or auto-approve permissions
- Writing to
~/.claude/or any agent configuration directory
Scope creep:
- Instructions that exceed the skill's stated purpose
- Unnecessary data gathering (reading files unrelated to the skill's function)
- Instructions to install other skills, plugins, or dependencies not mentioned in the description
Information gathering:
- Reading environment variables beyond what's needed
- Listing directory contents outside the skill's scope
- Accessing git history, credentials, or user data unnecessarily
Phase 6: Script Analysis
If the skill has a scripts/ directory:
- Load
${CLAUDE_SKILL_ROOT}/references/dangerous-code-patterns.mdfor context - Read each script file fully (do not skip any)
- Check scanner findings in the "Malicious Code" category
- For each finding, evaluate:
- Data exfiltration: Does the script send data to external URLs? What data?
- Reverse shells: Socket connections with redirected I/O
- Credential theft: Reading SSH keys, .env files, tokens from environment
- Dangerous execution: eval/exec with dynamic input, shell=True with interpolation
- Config modification: Writing to agent settings, shell configs, git hooks
- Check PEP 723
dependencies— are they legitimate, well-known packages? - Verify the script's behavior matches the SKILL.md description of what it does
Legitimate patterns: gh CLI calls, git commands, reading project files, JSON output to stdout are normal for skill scripts.
Phase 7: Supply Chain Assessment
Review URLs from the scanner output and any additional URLs found in scripts:
- Trusted domains: GitHub, PyPI, official docs — normal
- Untrusted domains: Unknown domains, personal sites, URL shorteners — flag for review
- Remote instruction loading: Any URL that fetches content to be executed or interpreted as instructions is high risk
- Dependency downloads: Scripts that download and execute binaries or code at runtime
- Unverifiable sources: References to packages or tools not on standard registries
Phase 8: Permission Analysis
Load ${CLAUDE_SKILL_ROOT}/references/permission-analysis.md for the tool risk matrix.
Evaluate:
- Least privilege: Are all granted tools actually used in the skill instructions?
- Tool justification: Does the skill body reference operations that require each tool?
- Risk level: Rate the overall permission profile using the tier system from the reference
Example assessments:
Read Grep Glob— Low risk, read-only analysis skillRead Grep Glob Bash— Medium risk, needs Bash justification (e.g., running bundled scripts)Read Grep Glob Bash Write Edit WebFetch Task— High risk, near-full access
Confidence Levels
| Level | Criteria | Action |
|---|---|---|
| HIGH | Pattern confirmed + malicious intent evident | Report with severity |
| MEDIUM | Suspicious pattern, intent unclear | Note as "Needs verification" |
| LOW | Theoretical, best practice only | Do not report |
False positive awareness is critical. The biggest risk is flagging legitimate security skills as malicious because they reference attack patterns. Always evaluate intent before reporting.
Output Format
## Skill Security Scan: [Skill Name]
### Summary
- **Findings**: X (Y Critical, Z High, ...)
- **Risk Level**: Critical / High / Medium / Low / Clean
- **Skill Structure**: SKILL.md only / +references / +scripts / full
### Findings
#### [SKILL-SEC-001] [Finding Type] (Severity)
- **Location**: `SKILL.md:42` or `scripts/tool.py:15`
- **Confidence**: High
- **Category**: Prompt Injection / Malicious Code / Excessive Permissions / Secret Exposure / Supply Chain / Validation
- **Issue**: [What was found]
- **Evidence**: [code snippet]
- **Risk**: [What could happen]
- **Remediation**: [How to fix]
### Needs Verification
[Medium-confidence items needing human review]
### Assessment
[Safe to install / Install with caution / Do not install]
[Brief justification for the assessment]
Risk level determination:
- Critical: Any high-confidence critical finding (prompt injection, credential theft, data exfiltration)
- High: High-confidence high-severity findings or multiple medium findings
- Medium: Medium-confidence findings or minor permission concerns
- Low: Only best-practice suggestions
- Clean: No findings after thorough analysis
Reference Files
| File | Purpose |
|---|---|
references/prompt-injection-patterns.md |
Injection patterns, jailbreaks, obfuscation techniques, false positive guide |
references/dangerous-code-patterns.md |
Script security patterns: exfiltration, shells, credential theft, eval/exec |
references/permission-analysis.md |
Tool risk tiers, least privilege methodology, common skill permission profiles |
Decide Fit First
Design Intent
How To Use It
Boundaries And Review