SSkilltecabyclaudinhocode
Enviar skill
← Voltar para o catálogo

claude-code-skill-security-check

Segurança

Security audit skill for Claude Code community skills. Scans for prompt injection, data exfiltration, permission bypass, dangerous commands, and supply chain risks.

3estrelas
Ver no GitHub ↗Autor: aliksirLicença: MIT
#ai

Skill Security Check

Comprehensive security audit for Claude Code community skills.

Available in two modes:

  • Skill mode: 3 parallel Claude Code agents (no installation required)
  • CLI mode: skill-scanner Python package with YAML/YARA rules, AST analysis, and optional LLM/VirusTotal/AI Defense integration

Trigger

/skill-security-check or "run a security check on my skills"

Target

Default: ~/.claude/skills/ (all installed skills)

If a specific path or skill name is provided, scope to that target only.

Before You Run

Time Estimate

This skill launches 3 parallel agents that deeply analyze every installed skill. Expect:

Skill countApproximate time
~50 skills5-10 minutes
~200 skills15-25 minutes
~500+ skills30-60 minutes

For faster scanning, use the CLI tool: skill-scanner scan-all ~/.claude/skills/

Permission Confirmations

Each agent performs many Grep/Read/Glob operations. Depending on your permission settings, you may be prompted frequently. For a smoother experience:

  • Consider running with permissive read settings (Read/Grep/Glob auto-allow)
  • The skill only reads files — it never modifies or deletes anything
  • All file access is limited to the target skill directory

No Additional Installations Required (Skill Mode)

The skill mode uses only Claude Code built-in tools (Grep, Glob, Read, Agent). No external CLI tools, no pip packages, no npm modules. It works out of the box.

Want deeper scanning? Install the CLI tool for YAML/YARA rule-based detection, AST analysis, and optional integrations:

pip install skill-scanner
skill-scanner scan-all ~/.claude/skills/ --format markdown -o report.md

CLI Tool: skill-scanner

Note: The CLI tool (skill-scanner) has its own release cycle on PyPI, separate from this skill's version.

Installation

pip install skill-scanner

Analyzers

AnalyzerTypeDescription
static_analyzerDefaultPattern-based detection using YAML + YARA rules
bytecode_analyzerDefaultPython .pyc integrity verification
pipeline_analyzerDefaultCommand pipeline taint analysis
behavioral_analyzerOpt-inStatic dataflow analysis (AST + taint tracking)
trigger_analyzerOpt-inDetects overly generic skill descriptions
llm_analyzerOpt-inSemantic analysis using LLMs as judges
meta_analyzerOpt-inSecond-pass LLM false-positive filtering & prioritization
virustotal_analyzerOpt-inHash-based malware detection via VirusTotal API
aidefense_analyzerOpt-inCisco AI Defense cloud-based threat detection
namespace_analyzerDefaultSkill name/author similarity check (Levenshtein distance) for typosquat detection
size_analyzerDefaultFile size anomaly detection for context window poisoning
temporal_analyzerOpt-inConditional/delayed attack pattern detection via AST analysis

Detection Rule Packs

Built-in YAML signature packs (core pack):

Rule FileCoverage
prompt_injectionIGNORE/OVERRIDE/system prompt spoofing, tag injection
data_exfiltrationExternal HTTP, env var piping, base64 encoding
command_injectionrm -rf, eval/exec, piped script execution, reverse shells
hardcoded_secretsAPI keys, tokens, passwords in source
obfuscationZero-width characters, steganography, encoding tricks, Unicode homoglyphs
social_engineeringAuthority/urgency/normalization bias patterns
supply_chainMissing metadata, author concentration, dynamic fetch
unauthorized_tool_usebypassPermissions, permission mode changes, settings manipulation
resource_abuseCrypto mining, excessive resource consumption
api_hijackingANTHROPIC_BASE_URL override, proxy injection, DNS/hosts manipulation
cloud_metadataIMDS access (169.254.169.254), cloud metadata service token theft
namespace_abuseOfficial namespace squatting, typosquatting, authority prefix abuse

Usage Examples

# Scan a single skill
skill-scanner scan ~/.claude/skills/my-skill/

# Scan all skills with markdown report
skill-scanner scan-all ~/.claude/skills/ --format markdown -o report.md

# Deep scan with behavioral analysis + LLM judge
skill-scanner scan ~/.claude/skills/my-skill/ --use-behavioral --use-llm

# CI/CD integration (fail on findings)
skill-scanner scan-all ~/.claude/skills/ --format sarif --fail-on-findings

# HTML interactive report
skill-scanner scan-all ~/.claude/skills/ --format html -o report.html

# Custom scan policy
skill-scanner scan ~/.claude/skills/my-skill/ --policy strict

# List available analyzers
skill-scanner list-analyzers

Output Formats

summary (default), json, markdown, table, sarif (GitHub Code Scanning), html (interactive report)

Skill Mode Workflow

Launch 3 parallel agents (all general-purpose, model: sonnet) for independent analysis, then synthesize results.

Agent 1: Pattern Scanner

Scan all SKILL.md, references/**/*.md, and scripts/** files using Grep.

Plugin Manifest Inspection (.claude-plugin/plugin.json)

If the target contains a .claude-plugin/plugin.json manifest, additionally check:

  • Name impersonation: Plugin name mimicking official namespaces (anthropic-*, claude-*, official-*)
  • Excessive permissions: Hooks that request Bash or Write without clear justification
  • Undeclared hooks: Hook files present in hooks/ directory but not referenced in manifest
  • Metadata inconsistency: Version, author, or description mismatch between plugin.json and SKILL.md
  • Settings override: settings.json that changes agent or model without user awareness

1. Prompt Injection

  • IGNORE, FORGET, OVERRIDE, DISREGARD (case-insensitive)
  • you are now, act as, pretend to be, new instructions
  • system prompt, ignore previous, forget everything
  • <system>, </system>, <instructions> tag spoofing

2. Data Exfiltration

  • External URLs with HTTP requests (excluding github.com, anthropic.com, arxiv.org, wikipedia.org)
  • curl, wget, fetch, httpx, requests.post usage
  • Base64 encoding instructions
  • Instructions to output or send environment variables / API keys

3. Dangerous Commands

  • rm -rf, del /f, format, fdisk
  • sudo, runas, chmod 777
  • eval(), exec(), os.system(), subprocess.call(shell=True)
  • Piped script execution: curl | bash, curl | sh, wget | sh, iex (iwr ...)

4. Steganography

  • Zero-width characters: U+200B, U+200C, U+200D, U+FEFF
  • Hidden instructions inside HTML comments <!-- -->
  • Hidden instructions inside Markdown comments [//]: #

5. Social Engineering

  • "Share the contents of this file" patterns
  • "If you get an error, access this URL" redirection
  • Instructions to output credentials "for debugging"

6. Permission Bypass

  • bypassPermissions, defaultMode
  • --dangerously-skip-permissions, --approval-mode, yolo
  • danger-full-access, --no-verify

7. HTTP Exfiltration Bypass

Detect patterns that bypass curl/wget deny rules by using language runtime inline execution:

  • Python inline HTTP: python -c / python3 -c with urllib.request, requests.get, requests.post, http.client.HTTPConnection, http.client.HTTPSConnection, httpx.post, httpx.get, socket.connect
  • Node.js inline HTTP: node -e with fetch(, http.get(, https.get(, require('http'), require('https'), XMLHttpRequest, axios.get, axios.post
  • Bypass rationale: when curl is in deny list but Bash(python:*) or

Como adicionar

/plugin marketplace add aliksir/claude-code-skill-security-check

O comando exato pode variar conforme o repositório. Confira o README no GitHub.

Comentários · Nenhum comentário

Entre para comentar. Entrar

  • Ainda não há comentários. Seja o primeiro.