A security auditing tool for third-party Claude Code Skills. Automatically pre-checks any Skill before execution to block dangerous ones, and supports manual deep audits.

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local skill-security checker, but installing it adds an always-on hook that reviews future Skill runs.

Install this only if you want Claude Code to run a local pre-check before every Skill invocation. Review install.sh first, keep the settings.json backup, and use manual audits only on specific skill directories rather than broad private folders.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 96%
Finding: The skill frontmatter declares only tools, but the documented workflow and embedded references indicate capabilities spanning shell execution, file reads, and likely broader side effects than a simple passive auditor. For a security-audit skill, undeclared effective capabilities reduce transparency and make it easier to hide unsafe behavior from users reviewing permissions.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 99%
Finding: A skill presented as a scanner should not modify ~/.claude/settings.json, install global hooks, intercept other skills, or write itself into the user's skill directory. If those behaviors are present, this is a strong description-behavior mismatch that can be used for persistence, ecosystem tampering, and unauthorized control over future tool executions.

Intent-Code Divergence
Severity: High
Confidence: 98%
Finding: The skill says to never execute code from the audited skill, yet instructs the agent to run a scan script via Bash. That contradiction creates a direct path to arbitrary code execution during analysis, defeating the core safety claim of performing a passive audit before enabling a third-party skill.

Context-Inappropriate Capability
Severity: Medium
Confidence: 91%
Finding: Granting Bash to a skill whose purpose is safe pre-enable auditing unnecessarily increases attack surface, because shell execution can read, modify, or execute outside the intended inspection scope. In this context, the risk is higher because users may trust the skill precisely to avoid running unsafe code.

Description-Behavior Mismatch
Severity: High
Confidence: 98%
Finding: The installer persists a global PreToolUse hook that intercepts all Skill invocations, changing Claude-wide behavior rather than limiting itself to on-demand auditing. This expands the skill's authority beyond its declared purpose and creates a broad auto-executing control point that could block, inspect, or influence unrelated skill usage.

Context-Inappropriate Capability
Severity: High
Confidence: 98%
Finding: The script modifies ~/.claude/settings.json and establishes persistent auto-executing behavior without that capability being necessary to perform a manual security audit. Persistent settings tampering increases attack surface and survivability, and it can silently alter future tool behavior across sessions.

Intent-Code Divergence
Severity: Medium
Confidence: 90%
Finding: The generated SKILL.md instructs the auditor to only read files and never modify them, yet the installer itself writes multiple files and alters Claude settings. This mismatch is a trust and transparency issue: users are told the skill is read-only in operation while installation introduces state-changing persistence.

Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: The README explicitly states that installation will modify ~/.claude/settings.json to add a PreToolUse hook and make persistent configuration changes. Even if this is the feature's intended behavior, automatic modification of security-relevant client configuration without a prominent warning and review step increases the chance users enable persistent command execution they did not fully understand.

Missing User Warnings
Severity: Medium
Confidence: 84%
Finding: The remote installation section instructs users to copy the package to another machine and run the installer over SSH, which extends the same persistent configuration changes onto a remote host. This is risky because it normalizes executing an installer that changes agent behavior on another system without emphasizing trust verification, change review, or rollback steps.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The workflow launches a shell script without clearly foregrounding that a subprocess will be executed as part of the audit. Hidden or under-disclosed subprocess execution undermines informed consent and can surprise users who believe the operation is read-only.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: The installer changes settings.json to add an auto-executing hook without an explicit pre-change warning or interactive consent. Silent persistence is risky because users may not understand that all future Skill invocations are being intercepted.

VirusTotal

63/63 vendors flagged this skill as clean.