Skills skill-review
git clone https://github.com/openclaw/skills
T=$(mktemp -d) && git clone --depth=1 https://github.com/openclaw/skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/antaisecuritylab/ant-skill-review" ~/.claude/skills/clawdbot-skills-skill-review && rm -rf "$T"
skills/antaisecuritylab/ant-skill-review/SKILL.mdskill-review
A multi-agent security scanner CLI for Claude Code Skill packages. It combines deterministic static pre-scanning with LLM-driven deep analysis to surface security risks across 7 layers before you install a Skill.
When to use
- Auditing a third-party Skill before installation
- Checking a skill directory for prompt injection, credential theft, data exfiltration, or hidden backdoors
- Evaluating supply chain risk of a Skill's npm/PyPI dependencies
- CI/CD integration to block high-risk Skills automatically
How it works
The scanner runs in two phases:
-
Pre-scan (deterministic, no LLM) — walks all files and flags: symlinks, suspicious filenames (Unicode confusables, shell metacharacters), large files, binary executables, invisible characters, ANSI escape sequences, JS obfuscation patterns, and hardcoded URLs.
-
LLM Analysis — an Explore Agent reads each file and performs 7-layer analysis:
- Layer 1: Prompt Injection (direct injection, jailbreak, remote prompt loading)
- Layer 2: Malicious Behavior (credential theft, data exfiltration, sandbox escape)
- Layer 3: Dynamic Code Loading (remote execution via fetch+eval, curl|sh, etc.)
- Layer 4: Obfuscation & Binary (obfuscated scripts, compiled binaries)
- Layer 5: Dependencies & Supply Chain (npm/PyPI/CLI tool inventory, typosquat detection)
- Layer 6: System Modification (global installs, profile changes, cron jobs)
- Layer 7: Code Quality (hardcoded secrets, insecure configs, vulnerable code patterns)
An optional Deep Analysis Agent then verifies URLs, checks dependency metadata on registries, and inspects binaries.
-
Deterministic Scoring — each finding is scored based on its type and severity. The overall risk level (safe/low/medium/high/critical) and recommendation (install/caution/do_not_install) are computed deterministically, not by the LLM.
Installation
cd <skill-review-dir> npm install
Configuration
Create
.env| Variable | Description | Default |
|---|---|---|
| LLM API base URL (OpenAI-compatible) | required |
| API key | required |
| Model name | |
| npm registry for dependency checks | |
| PyPI index for dependency checks | |
Alternatively, pass a JSON config file via
--configUsage
# Standard scan (pre-scan + LLM explore) node index.mjs <skill-dir> # Pre-scan only (no LLM, fast) node index.mjs --pre <skill-dir> # Deep analysis (pre-scan + explore + deep verification of URLs/deps/binaries) node index.mjs --deep <skill-dir> # JSON output, save to file node index.mjs --json -o report.json <skill-dir> # Chinese language report node index.mjs --lang zh <skill-dir> # Verbose logs to stderr + log file node index.mjs -v --log scan.log <skill-dir>
Options
| Option | Description |
|---|---|
| Path to the skill directory to scan (required, positional) |
| Path to JSON config file |
| Run pre-scan only (no LLM calls) |
| Enable deep analysis phase |
| Report language (default: English) |
| Output raw JSON instead of text report |
| Save report to file (default: stdout) |
| Save detailed logs to file |
| Stream detailed logs to stderr |
| Show help |
Output
The text report shows each layer with a risk score (0-10), star rating, and up to 5 findings per layer. The JSON output contains the full structured result with all findings, layer scores, overall risk, and recommendation.
Risk levels:
safelowmediumhighcriticalRecommendations:
installcautiondo_not_install