skill-security-scan is a command-line tool designed to scan and detect security risks in Claude Skills. Before installing third-party Skills, use this tool for security review to effectively prevent malicious code from stealing data or compromising your system.
```
git clone https://github.com/huifer/skill-security-scan.git
```
1. Install the `skill-security-scan` tool if not already installed. Run `pip install skill-security-scan` in your terminal.
   Tip: Ensure you have Python 3.8+ installed. Use a virtual environment to avoid dependency conflicts.
2. Locate the directory containing the Claude Skill you want to scan. For example, if the Skill is in `~/claude-skills/weather-app`, navigate to that directory in your terminal.
   Tip: Use `ls` to verify the Skill's directory structure (e.g., `skills.json`, `README.md`, and Python/JavaScript files).
3. Run the security scan by executing `skill-security-scan .` in the Skill's root directory. Replace `.` with the path if scanning a different directory.
   Tip: For verbose output, add the `--verbose` flag: `skill-security-scan ./my-skill --verbose`.
4. Review the generated report. Address any critical or high-severity issues before installing the Skill. For example, update dependencies or refactor code to remove unsafe functions like `eval()`.
   Tip: Use the `--output` flag to save the report to a file: `skill-security-scan . --output security_report.txt`.
5. Re-run the scan after making fixes to confirm the issues are resolved. Repeat until the report shows no critical risks.
   Tip: Integrate `skill-security-scan` into your CI/CD pipeline to automate security checks for all Skills before deployment.
Copy the install command above and run it in your terminal.
Launch Claude Code, Cursor, or your preferred AI coding agent.
Use the prompt template or examples below to test the skill.
Adapt the skill to your specific use case and workflow.
Run `skill-security-scan` on the [SKILL_DIRECTORY_PATH] to perform a security review of the Claude Skill. Focus on detecting potential risks such as [RISK_TYPES: e.g., data exfiltration, privilege escalation, malicious dependencies]. Generate a report highlighting any critical issues and suggest remediation steps. If no issues are found, confirm the Skill's security posture.
```
=== Security Scan Report for Skill: 'finance-assistant' ===
Scan completed on: 2024-05-20
Risk Level: HIGH (1 critical issue detected)

CRITICAL ISSUES:
1. **Data Exfiltration Risk**
   - File: `./skills/finance-assistant/utils/data_handler.py`
   - Issue: Unsanitized user input passed directly to `eval()` function in `process_financial_query()` method.
   - Impact: Potential arbitrary code execution and sensitive data exposure.
   - Severity: Critical
   - Remediation: Replace `eval()` with a safe parser (e.g., `ast.literal_eval()`) or use a dedicated financial calculation library.

WARNINGS:
1. **Dependency Risk**
   - Package: `requests==2.25.1`
   - Issue: Outdated version with known vulnerabilities (CVE-2023-32681).
   - Remediation: Update to `requests>=2.31.0`.

RECOMMENDATIONS:
- Review all external API calls for hardcoded credentials.
- Implement input validation for all user-provided data.
- Add unit tests to verify security fixes.

Scan Summary:
- Files Scanned: 47
- Issues Found: 2 (1 Critical, 1 Warning)
- Security Score: 65/100 (Requires attention)
```

The scan identified a critical vulnerability in the `finance-assistant` Skill that could allow attackers to execute arbitrary code if malicious input is provided. The outdated `requests` library also poses a moderate risk. Addressing these issues is strongly recommended before deploying this Skill in production environments.
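The remediation in the sample report names `ast.literal_eval()`, which accepts literals only and so cannot compute something like `1200 * 0.07`; a query handler that must do arithmetic needs an allow-listed evaluator instead. The following is an added example, not code from skill-security-scan or from the scanned Skill; `safe_calculate`, `MAX_EXPR_LEN` and the sample queries are assumptions made for illustration.

```python
import ast
import operator

# Allow-list of arithmetic operators; "**" is left out so huge powers cannot exhaust CPU or memory.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}
MAX_EXPR_LEN = 200  # assumed limit that bounds parse cost and nesting depth


def _eval_node(node):
    """Evaluate one AST node, accepting only numbers and allow-listed operators."""
    if isinstance(node, ast.Constant):
        # bool is a subclass of int; reject it along with str, bytes and None.
        if type(node.value) in (int, float):
            return node.value
        raise ValueError("only numeric literals are allowed")
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    # Names, calls, attribute access, subscripts, lambdas and so on all end up here.
    raise ValueError(f"disallowed expression element: {type(node).__name__}")


def safe_calculate(expr: str):
    """Hypothetical replacement for an eval()-based query handler."""
    if len(expr) > MAX_EXPR_LEN:
        raise ValueError("expression too long")
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise ValueError("not a valid expression") from exc
    return _eval_node(tree.body)


# Constructed sample inputs: one legitimate query, two that eval() would execute.
if __name__ == "__main__":
    for query in ["1200 * 0.07 + 15", "__import__('os').getcwd()", "open('x').read()"]:
        try:
            print(query, "->", safe_calculate(query))
        except ValueError as err:
            print(query, "-> rejected:", err)
```

Division by zero still raises `ZeroDivisionError`, so the caller should handle it alongside `ValueError`.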