Why this exists
Agent skills are executable markdown + scripts that run with your shell's full authority, and the bar
to publish one is a SKILL.md and an account. No mandatory review, no signing, no sandbox by default. That
gap is already being exploited — the ClawHub campaign shipped 30+ malicious skills; Snyk's ToxicSkills
research found prompt injection in more than a third of the skills it tested.
There wasn't an obvious one-line way to look at a skill before installing it, so we built one. That's the
whole motivation: a checker that should exist. It's MIT-licensed and free because a tool for deciding
whether something is safe to run shouldn't put that decision behind a paywall — not as a selling point,
just as the sensible default.
How it works, in one picture
You give it a target; it clones (read-only, hooks disabled) or reads a local folder, enumerates the files,
runs a ruleset over them, and aggregates the findings into one verdict. Nothing in the skill is ever
executed.
$ npx skillsentry github.com/acme/cool-skill
⛔ BLOCK (1 high, 2 medium)
high dangerous-bash/curl-pipe-to-shell hooks/post.sh:12 curl -s $URL | sh
→ remote code piped to a shell; classic install-time RCE
→ OWASP ASI04 · MITRE ATLAS AML.T0011
verdict: BLOCK · report → ./skillsentry.{md,json} · exit 1
The guide explains every stage and every detector. The short version is below.
What it looks for
Detection is layered into tiers, each finding tagged to a recognised
framework (OWASP Agentic/MCP/LLM Top 10 + MITRE ATLAS) so it fits how security teams already work:
| Detector | Tier | Catches |
|---|
dangerous-bash | T0 | curl … | sh, reverse shells, secret reads, base64-piped payloads — install-time RCE |
prompt-injection | T0 | hidden/coercive instructions, zero-width unicode, homoglyphs, encoded & ANSI "line-jumping" payloads |
over-broad-perms | T0 | "Bash(*)" allow-all, network-reaching hooks, MCP servers fusing filesystem + network + secrets |
committed-secrets | T0 | API keys, tokens, private keys committed into the skill |
tool-description-poisoning | T0 | malicious instructions hidden in tool/skill descriptions the model reads but you don't |
resource-exhaustion | T0 | destructive rm -rf of a root path, fork bombs, and raw-disk wipes (dd/mkfs/shred) — denial of service |
audit-evasion | T0 | clearing shell history or tampering with /var/log to erase the trail |
dataflow-taint | T1 | multi-line / cross-file shell payloads where a tainted source reaches a dangerous sink |
…plus a temporal pass (not a ruleset detector): version-drift (T3) — the rug-pull, a skill that
gained dangerous capability after you approved it (raised by diffing against a .skillsentry.lock
baseline, not by a per-file rule).
What it doesn't catch matters too — it's a pre-run static check, not a sandbox or a proof of safety.
The threat model is explicit about the limits.
Beyond the CLI — the threat-stack platform
npx skillsentry is the trust anchor, but the repo also ships as a Claude Code plugin marketplace
called threat-stack (AUDIT ▸ MODEL ▸ EXTEND):
skillsentry (AUDIT) — the pure auditor as an in-editor command (/skillsentry:audit), running
the same deterministic CLI bundled in-repo (no npm install needed).threat-modeler (MODEL) — maps the probe set onto STRIDE + agentic axes, runs the
Elevation-of-Privilege gap ritual, and proposes new rules via PR (never self-merge).supersize-semgrep (EXTEND) — an opt-in, separate-trust-model Semgrep SAST extension that never
touches the auditor's zero-dependency core.
