Refactor high-complexity React components in Dify frontend. Use when `pnpm analyze-component...
skillvet
0
0
# Install this skill:
npx skills add oakencore/skillvet
Or install specific skill: npx add-skill https://github.com/oakencore/skillvet
# Description
Security scanner for ClawdHub/community skills — detects malware, credential theft, exfiltration, prompt injection, and obfuscation before you install. Use when installing skills from ClawdHub or any public marketplace, reviewing third-party agent skills for safety, or vetting untrusted code before giving it to your AI agent. Triggers: install skill, audit skill, check skill, vet skill, skill security, safe install, is this skill safe.
# SKILL.md
name: skillvet
description: Security scanner for ClawdHub/community skills — detects malware, credential theft, exfiltration, prompt injection, and obfuscation before you install. Use when installing skills from ClawdHub or any public marketplace, reviewing third-party agent skills for safety, or vetting untrusted code before giving it to your AI agent. Triggers: install skill, audit skill, check skill, vet skill, skill security, safe install, is this skill safe.
Skill Audit
Security scanner for agent skills. Catches malicious code before it reaches your agent.
Why This Exists
Public skill marketplaces let anyone upload code that your AI agent will read and execute. A malicious skill can steal your API keys, exfiltrate data, inject prompts, or tamper with your agent's config — all while looking like a normal skill.
This scanner catches those attacks automatically.
Quick Start
Safe install (recommended — installs, audits, auto-removes if critical issues found):
bash skills/skill-audit/scripts/safe-install.sh <skill-slug>
Audit an already-installed skill:
bash skills/skill-audit/scripts/skill-audit.sh skills/some-skill
Exit codes: 0 = clean, 1 = warnings only, 2 = critical findings.
What It Detects
🔴 Critical (auto-blocked)
| # | Check | Example |
|---|---|---|
| 1 | Known exfiltration endpoints | webhook.site, ngrok.io, requestbin |
| 2 | Bulk environment variable harvesting | printenv \|, ${!*@} |
| 3 | Foreign credential access | Reading ANTHROPIC_API_KEY, TELEGRAM_BOT_TOKEN, etc. from scripts |
| 4 | Code obfuscation | eval(), Buffer.from(base64), hex escapes |
| 5 | Path traversal / sensitive file access | ../../, /etc/passwd, ~/.ssh, ~/.clawdbot |
| 6 | Data exfiltration via curl/wget | curl --data, wget --post with variables |
| 7 | Reverse/bind shells | /dev/tcp/, nc -e, socat |
| 8 | .env file theft | load_dotenv, open(.env) (not in docs) |
| 9 | Prompt injection in markdown | "ignore previous instructions" in SKILL.md |
| 10 | LLM tool exploitation | Instructions to send/email/post secrets |
| 11 | Agent config tampering | Write/modify AGENTS.md, SOUL.md, clawdbot.json |
| 12 | Unicode obfuscation | Zero-width chars, RTL override, homoglyphs |
| 13 | Suspicious setup commands | curl piped to bash disguised as install steps |
| 14 | Social engineering | "download this .exe", external pastes |
| 15 | Shipped .env files | Actual .env files (not .example) in the skill |
🟡 Warning (review recommended)
| # | Check | Why |
|---|---|---|
| 1 | Subprocess execution | child_process, exec(), Popen — not always bad but worth checking |
| 2 | Network requests | axios, fetch, requests — expected in some skills, suspicious in others |
| 3 | Minified/bundled files | Can't audit what you can't read |
| 4 | File write operations | writeFile, open('w') — may be legitimate |
Usage
Always use safe-install.sh for ClawdHub
# Install with automatic audit
bash skills/skill-audit/scripts/safe-install.sh my-skill
# Pass extra args to clawdhub
bash skills/skill-audit/scripts/safe-install.sh my-skill --version 1.2.3
If critical issues are found, the skill is automatically removed and you'll see what was detected. If you've manually reviewed the skill and trust it, install directly with clawdhub install.
Audit existing skills
# Single skill
bash skills/skill-audit/scripts/skill-audit.sh skills/some-skill
# All installed skills
for d in skills/*/; do bash skills/skill-audit/scripts/skill-audit.sh "$d"; echo; done
Limitations
- Static analysis only — catches patterns, not intent. A sufficiently obfuscated attack could bypass regex matching.
- No runtime sandboxing — this scans before install, not during execution.
- English-centric patterns — prompt injection detection is primarily English. Multi-language injection may slip through.
- Minified/bundled JS is flagged but not deobfuscated.
A clean scan doesn't guarantee safety. It raises the bar significantly, but manual review of suspicious skills is still good practice.
Note: The scanner flags itself when audited — its own patterns and docs contain the strings it detects. This is expected and confirms detection works.
# README.md
Skill Audit
Security scanner for AI agent skills. Detects malware, credential theft, data exfiltration, prompt injection, and obfuscation — before the code reaches your agent.
Why
Public skill marketplaces let anyone upload code that your AI agent reads and executes. A malicious skill can steal API keys, exfiltrate data, inject prompts, or tamper with your agent's configuration. This scanner catches those attacks automatically.
Born from a real incident — a malware skill disguised as a legitimate tool on ClawdHub.
What It Catches
15 critical checks (auto-blocked):
- Known exfiltration endpoints (webhook.site, ngrok, requestbin, etc.)
- Bulk environment variable harvesting
- Foreign credential access (reads API keys that aren't the skill's own)
- Code obfuscation (eval, base64 decode, hex escapes)
- Path traversal and sensitive file access (~/.ssh, ~/.clawdbot, /etc/passwd)
- Data exfiltration via curl/wget POST requests
- Reverse and bind shells
- .env file theft (dotenv loading in scripts, not docs)
- Prompt injection in markdown (SKILL.md is an attack vector)
- LLM tool exploitation (instructions to send/email secrets)
- Agent config tampering (writes to AGENTS.md, SOUL.md, etc.)
- Unicode obfuscation (zero-width characters, RTL override)
- Suspicious setup commands (curl piped to bash)
- Social engineering (download external binaries)
- Shipped .env files
5 warning checks (flagged for review):
- Subprocess execution (exec, spawn, Popen)
- Network requests (axios, fetch, requests)
- Minified/bundled files (can't audit what you can't read)
- File write operations
- Unknown external tool requirements
Quick Start
Safe install (recommended)
Installs, audits, and auto-removes the skill if critical issues are found:
bash skills/skill-audit/scripts/safe-install.sh <skill-slug>
Audit an existing skill
bash skills/skill-audit/scripts/skill-audit.sh skills/some-skill
Audit all installed skills
for d in skills/*/; do bash skills/skill-audit/scripts/skill-audit.sh "$d"; echo; done
Exit codes
| Code | Meaning |
|---|---|
| 0 | Clean — no issues found |
| 1 | Warnings only — review recommended |
| 2 | Critical findings — do not use without manual review |
How It Works
Static analysis via pattern matching across all text files in a skill directory (.md, .js, .ts, .py, .sh, .json, .yaml, etc.). No dependencies — just bash and grep.
Smart credential detection: The scanner reads SKILL.md to identify which API keys the skill legitimately needs (its "own" keys), then flags any access to other keys (like your Anthropic or Telegram tokens) as credential theft.
Prompt injection awareness: Since SKILL.md is read directly into the AI agent's context, the scanner checks markdown files for injection attempts — but skips lines that are clearly documenting or warning about attacks.
Limitations
- Static analysis only — catches patterns, not intent
- No runtime sandboxing — scans before install, not during execution
- Primarily English prompt injection patterns
- Minified JS is flagged but not deobfuscated
- A clean scan doesn't guarantee safety — it raises the bar significantly
- Self-detection: The scanner flags itself when audited (its own grep patterns and docs contain the strings it searches for). This is expected — it proves the detection works
Install
clawdhub install skillvet
Licence
MIT
# Related Skills
Trigger when the user requests a review of frontend files (e.g., `.tsx`, `.ts`, `.js`). Support...
Generate Vitest + React Testing Library tests for Dify frontend components, hooks, and...
Guide for implementing oRPC contract-first API patterns in Dify frontend. Triggers when creating...
# Supported AI Coding Agents
This skill is compatible with the SKILL.md standard and works with all major AI coding agents:
Amp
Antigravity
Claude Code
Clawdbot
Codex
Cursor
Droid
Gemini CLI
GitHub Copilot
Goose
Kilo Code
Kiro CLI
OpenCode
Roo Code
Trae
Windsurf
Learn more about the SKILL.md standard and how to use these skills with your preferred AI coding agent.