Skill Security Scanner

Scan agent skills for security issues before adoption. Detects prompt injection, malicious code, excessive permissions, secret exposure, and supply chain risks.

Important: Run all scripts from the repository root using the full path via ${CLAUDE_SKILL_ROOT}.

Bundled Script

scripts/scan_skill.py

Static analysis scanner that detects deterministic patterns. Outputs structured JSON.

uv run ${CLAUDE_SKILL_ROOT}/scripts/scan_skill.py <skill-directory>

Returns JSON with findings, URLs, structure info, and severity counts. The script catches patterns mechanically — your job is to evaluate intent and filter false positives.

Workflow