Skip to content

skill-security-auditor

Pack: companion

skill-security-auditor

Purpose

Audit a skill directory for security-only risks before publish, install, or internal approval.

Trigger phrases:

  • audit skill security
  • check skill safety
  • security review
  • is this skill safe

Core workflow

  1. Read SKILL.md and check for prompt injection risks, hidden approval bypasses, and overly broad tool or MCP requests.
  2. Scan scripts/ for dangerous commands, secret access, network calls, remote execution patterns, and unsafe file operations.
  3. Check references/ and verify it does not contain embedded scripts, executable payloads, or copy-paste attack content.
  4. Check MCP and tool configuration language in the skill body and assess permission scope.
  5. Generate a security audit report with a TrustSkills-style risk score from 0.0 to 1.0.

Risk categories

  • CRITICAL: rm -rf, destructive format or dd, secret exfiltration, curl | bash, eval of remote code
  • HIGH: unrestricted file writes, .env or .ssh access, sudo or admin commands, dynamic eval
  • MEDIUM: network access without purpose, broad glob patterns, shell=True
  • LOW: missing --help, missing dry-run, hardcoded paths
  • INFO: style suggestions, documentation gaps

How to run

Run the bundled scanner instead of improvising ad hoc checks:

  • single skill: uv run .opencode/skills/skill-security-auditor/scripts/audit_skill.py --path <skill-dir>
  • batch scan: uv run .opencode/skills/skill-security-auditor/scripts/audit_skill.py --path <skills-root> --recursive
  • machine output: add --json
  • stricter gate: add --fail-threshold 0.3
  • reduced noise: add --severity high

Output

Return a security audit report that includes:

  • overall risk score
  • severity counts
  • findings grouped by severity
  • pass or fail verdict
  • remediation suggestions for every finding

Must do

  • Use audit_skill.py as the primary scanner.
  • Keep the review scoped to security, not formatting or prose quality.
  • Treat all results as static analysis only.
  • Call out prompt injection, secret access, remote execution, and excessive permission scope explicitly.
  • Include the configured fail threshold in the final report.

Must not do

  • Do not execute discovered scripts or commands.
  • Do not treat style-only issues as security failures.
  • Do not approve skills that contain destructive commands without clearly flagging the risk.
  • Do not ignore broad MCP or tool access just because the skill body looks well written.

Reference

  • references/security-checklist.md
  • scripts/audit_skill.py