ClawHub

SkillLens Audit

v1.0.0

Audit locally installed agent skills for security/policy issues using the SkillLens CLI (`skilllens scan`, `skilllens config`). Use when asked to scan a skills directory (Codex/Claude) and produce a risk-focused audit report based on each skill's `SKILL.md` and bundled resources.

4· 3.2k·27 current·29 all-time
by@morozred
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the instructions: SKILL.md tells the agent to run the SkillLens CLI to scan local skill directories. There are no unrelated environment variables, binaries, or config paths requested.
Instruction Scope
Instructions stay within the audit purpose: scan a concrete directory, inspect SKILL.md and assets, and avoid executing bundled scripts. One operational note: the SKILL.md tells users/agents to run 'npx skilllens scan' or 'pnpm add -g skilllens' — that invokes a third-party CLI (downloads and runs code from the npm registry), which is expected for this workflow but expands the runtime surface.
Install Mechanism
There is no install spec in the skill bundle itself, but the runtime instructions recommend using npx/pnpm to fetch the SkillLens CLI. Fetching code from npm is a common pattern (moderate risk compared with direct downloads from unknown URLs); users should verify package provenance/version before running or performing a global install.
Credentials
The skill requests no environment variables, credentials, or config paths. The audit workflow reads local skill files (SKILL.md and assets) which is appropriate for its stated purpose.
Persistence & Privilege
The skill does not request persistent inclusion (always:false) or system-wide changes. The instructions recommend inspecting before executing and do not direct modifications of other skills or system-wide settings.
Assessment
This instruction-only skill is coherent, but follow safe practices before running the recommended CLI: 1) Prefer running npx with an explicit version (npx skilllens@<version> scan) or inspect the package source on the npm/GitHub registry first; 2) Avoid global installs unless you trust the publisher; 3) Run scans from a least-privileged environment or isolated container if possible; 4) Do not allow automatic execution of bundled scripts — the SKILL.md correctly advises manual inspection first; 5) Verify SkillLens configuration (scan roots) before scanning to avoid scanning unexpected system locations.

Like a lobster shell, security has layers — review code before you run it.

latestvk976qtf3nwaarr72xxvhfjd47d7zpfxp
3.2kdownloads
4stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
@morozred
latest
Download

Skills Audit (SkillLens)

Install SkillLens

  • One-off run: npx skilllens scan (or pnpm dlx skilllens scan)
  • Global install: pnpm add -g skilllens

Quick start

  • Run skilllens config to see configured scan roots and auditor CLI availability.
  • Run skilllens scan to scan configured roots, or skilllens scan <path> to scan a specific directory.
  • Re-run with --verbose to see raw auditor output and --force to ignore cached results.

Audit workflow

  1. Define scope

    • Prefer a concrete target path (example: ~/.codex/skills) unless the user explicitly wants all configured roots.
    • If auditing a repo checkout containing skills, scan the parent folder that contains skill directories (example: skilllens scan ./skills).

  2. Inventory skills with SkillLens

    • Run skilllens scan [path] [--auditor claude|codex].
    • Treat missing auditor CLIs or skipped statuses as “manual review required”, not “safe”.

  3. Prioritize review order

    • Review any unsafe or suspicious verdicts first.
    • Next, review skills that request broad permissions (filesystem/network), run shell commands, or reference external downloads.

  4. Manually review each skill’s contents

    • Read the skill’s SKILL.md and any referenced scripts/, references/, and assets/.
    • Do not execute bundled scripts by default; inspect first.

  5. Evaluate risks (focus on realistic abuse)

    • Exfiltration: sending file contents, env vars, tokens, SSH keys, browser data, or configs to remote endpoints.
    • Execution: instructions to run arbitrary shell commands, curl | bash, eval, or to fetch-and-execute code.
    • Persistence: modifying shell profiles, launch agents, cron, editor configs, or skill install locations.
    • Privilege/approval bypass: instructions to ignore system policies, disable safety checks, or request escalated permissions unnecessarily.
    • Prompt injection: attempts to override higher-priority instructions (“ignore previous”, “always comply”, “never mention…”).
    • Overbroad triggers: vague descriptions that cause the skill to trigger on unrelated tasks.

  6. Produce a report

    • For each skill, include: name, path, verdict (safe/suspicious/unsafe), risk (0–100), and bullet issues with concrete evidence (quote or filename).
    • Recommend fixes that reduce blast radius: narrow scope, remove dangerous defaults, add explicit confirmation gates, and document required permissions.

Command snippets

  • Scan configured roots: skilllens scan
  • Scan a specific folder: skilllens scan ~/.codex/skills
  • Force a re-audit and show raw output: skilllens scan ~/.codex/skills --force --verbose

Comments

Loading comments...