A comprehensive security audit tool for Claude Code community skills. Combines a multi-agent skill mode (no installation required) with a standalone CLI tool (skill-scanner) to detect malicious patterns, supply-chain risks, and runtime threats in .md skill files.
Note: This is a personal project and may produce false positives or miss certain threats. It is provided as-is without warranty. Use it as one layer of your security review process, not as a sole source of truth.
注意: 本ツールは個人開発のプロジェクトです。誤検知(false positive)や検出漏れ(false negative)が 発生する可能性があります。セキュリティレビューの一助としてご利用ください。 本ツールの結果のみに依拠した判断は推奨しません。
- 26 detection categories — prompt injection, data exfiltration, credential access, reverse shell, privilege escalation, tool override, memory injection, agent self-replication, MCP elicitation abuse, and more
- 3 parallel scanning agents — Pattern Scanner, Red Team Analyst, and Deep Analyzer run concurrently for faster, more thorough coverage
- Plugin manifest inspection —
.claude-plugin/plugin.jsonscanning for name impersonation, excessive permissions, undeclared hooks - allowed-tools audit — flags skills with unrestricted tool access (missing
allowed-toolsfrontmatter) - Runtime defense hooks — MCP response inspector (with elicitation abuse detection), Bash command validator, and ghost file detector
- 7 Semgrep custom rules — SSRF, SQL injection, weak crypto, insecure deserialization, Angular DOM XSS, path traversal, IDOR
- AWS IAM policy templates — least-privilege templates for read-only and dev/deploy Claude Code environments
- CLI tool (
skill-scanner) — YAML/YARA rule engine, AST-level analysis, optional LLM and VirusTotal integration
npx claude-code-skill-security-checkInstalls SKILL.md, hooks, semgrep rules, IAM templates, and updater into your Claude Code environment.
/skill-security-check
Runs directly inside Claude Code. Three agents scan your skills directory in parallel and produce a structured threat report.
pip install skill-scanner
skill-scanner scan-all ~/.claude/skills/ --format markdown -o report.mdCheck for new versions of Skill Security Check:
# Manual check (uses 24-hour cache)
bash updater/check-update.sh
# Force immediate check
bash updater/check-update.sh --forceYou can also enable automatic checks at Claude Code session start via a SessionStart hook. See updater/README.md for installation instructions.
├── SKILL.md # Skill definition (detection patterns & agent workflow)
├── CHANGELOG.md # Version history
├── hooks/
│ ├── README.md # Hook installation & configuration guide
│ ├── mcp-response-inspector.mjs # Runtime MCP response inspection
│ ├── validate-bash.sh # Dangerous command prevention
│ └── ghost-file-detector.sh # AI ghost file detection
├── semgrep-rules/
│ ├── angular-dom-xss.yml # Angular bypassSecurityTrust* detection
│ ├── idor-auth-check.yml # IDOR preliminary detection
│ ├── insecure-deserialization.yml # pickle, yaml.load, Marshal, unserialize
│ ├── path-traversal.yml # Zip Slip / path traversal patterns
│ ├── sql-injection.yml # ORM bypass (Django, SQLAlchemy, Sequelize, Prisma)
│ ├── ssrf.yml # Server-Side Request Forgery
│ └── weak-crypto.yml # MD5, SHA1, DES, Math.random() for security
├── updater/
│ ├── README.md # Update checker setup guide
│ └── check-update.sh # Version check script (manual or SessionStart hook)
└── iam-policy-template/
├── README.md # IAM policy usage guide
├── claude-code-readonly.json # Read-only AWS policy
└── claude-code-dev-deploy.json # Dev/deploy AWS policy
| # | Category | Severity |
|---|---|---|
| 1 | Prompt Injection | CRITICAL |
| 2 | Data Exfiltration | HIGH |
| 3 | Dangerous Commands | HIGH |
| 4 | Steganography | HIGH |
| 5 | Social Engineering | HIGH |
| 6 | Permission Bypass | HIGH |
| 7 | HTTP Exfiltration Bypass | HIGH |
| 8 | Credential Access | HIGH |
| 9 | Reverse Shell | HIGH |
| 10 | Backdoor Persistence | HIGH |
| 11 | Privilege Escalation | HIGH |
| 12 | API Hijacking | MEDIUM-HIGH |
| 13 | Namespace Squatting | MEDIUM-HIGH |
| 14 | Unicode Homoglyph | MEDIUM-HIGH |
| 15 | Context Window Poisoning | MEDIUM-HIGH |
| 16 | XOR Obfuscation | MEDIUM |
| 17 | Agent Infection | HIGH |
| 18 | Silent Exfiltration | HIGH |
| 19 | MCP Redefinition | MEDIUM-HIGH |
| 20 | API Budget Drain | MEDIUM |
| 21 | Auto Mode Abuse | MEDIUM-HIGH |
| 22 | Multi-turn Grooming | HIGH |
| 23 | Tool Override / Shadow | HIGH |
| 24 | Whiteboard / Memory Injection | HIGH |
| 25 | Agent Spawn & Self-Replication | CRITICAL |
| 26 | MCP Elicitation Abuse | MEDIUM-HIGH |
Three hooks integrate with Claude Code's hook system to block threats at runtime. See hooks/README.md for installation and configuration.
| Hook | Description |
|---|---|
mcp-response-inspector.mjs |
Inspects MCP tool responses for embedded prompt injection, exfiltration payloads, and elicitation abuse before they reach the agent |
validate-bash.sh |
Intercepts Bash commands and blocks patterns matching curl | bash, rm -rf /, bypassPermissions, and other Tier 1 dangerous operations |
ghost-file-detector.sh |
Detects AI-generated "ghost files" — similarly-named copies (e.g., utils2.py) created instead of editing the original, a common AI coding anti-pattern |
This skill was built on lessons learned from auditing 575+ community skills. We are grateful to the following projects and their authors whose work informed our detection patterns:
-
zebbern/claude-code-guide — 23 penetration testing and security skills that directly informed our detection categories for credential access, reverse shells, privilege escalation chains, and backdoor persistence. These skills are educational tools for authorized security testing, and their explicit documentation of attack techniques helped us understand what patterns to detect. Thank you for the rapid response to our risk classification request (Issue #11).
-
raintree-claude-tools (formerly
anthropic/) — claude-hook-builder and claude-settings-expert. The settings-expert skill's explicit "bypassPermissions is dangerous" documentation is a model for responsible skill design. The namespace discussion (Issue #492 on anthropics/skills) helped us refine trust boundary abuse detection. -
trailofbits/claude-code-devcontainer — The devcontainer security discussion (Issue #28) about bypassPermissions auto-configuration outside containers was the catalyst for our Permission Bypass detection category.
-
anthropics/skills — The official Claude Code skills registry. Our namespace protection discussion (Issue #492) helped shape the Trust Boundary Abuse detection vector.
-
carlospolop/PEASS-ng (LinPEAS/WinPEAS) — Referenced in multiple security skills. The
curl | shpattern for linpeas.sh was a key example that informed our piped script execution detection. -
GTFOBins — The definitive reference for Unix binary exploitation techniques. Our privilege escalation via system utilities detection (Category 11) is directly informed by GTFOBins patterns.
-
LOLBAS Project — Living Off The Land Binaries and Scripts for Windows. Complements GTFOBins for Windows-side detection patterns.
-
Zenn article: Claude Code/MCP Security Guide by DPL — Practical security hardening guide that informed our HTTP exfiltration bypass detection and settings.json audit patterns.
-
MITRE ATT&CK Framework — Tactics, Techniques, and Procedures (TTPs) referenced in our Red Team analysis vectors, especially T1098 (Account Manipulation), T1059 (Command & Scripting Interpreter), and T1071 (Application Layer Protocol).
-
OWASP — Prompt injection and indirect prompt injection categories draw from OWASP's LLM Top 10 (2025).
Thank you to all community skill authors — including the many whose work we scanned without incident. The Claude Code skill ecosystem grows stronger when we look out for each other. If this tool flags your skill, it is not an accusation; it is an invitation to make the ecosystem safer together.
Issues and pull requests are welcome.
- Open an issue
- Fork the repo, make your changes, and submit a PR
MIT — see LICENSE