mtthwmllr/skill-safety-auditor

Audits a Claude Code skill for security risks in three modes: before download (from a URL or install command), after download but before install (from a .skill file), or after install (from a local skills directory). Use this skill whenever a user is about to install a skill from any source — including GitHub URLs, git clone commands, npx/npm commands, curl/wget downloads, pip installs, marketplace links, or raw SKILL.md URLs. Also trigger when a user asks "is this skill safe?", "should I trust this skill?", "can you check this before I install it?", "audit this skill", or pastes any link to a skill repository or .skill file. If a user mentions installing ANY skill, proactively offer to audit it first — do not wait for them to ask.

97

1.28x
Quality: 97% (Does it follow best practices?)

Impact: 99%, 1.28x (Average score across 5 eval scenarios)

Security by Snyk: Advisory. Suggest reviewing before use.

audit-sample/README.md

audit-sample

Contains a sample report produced by skill-safety-auditor to demonstrate the format and range of findings the tool can surface.

About the sample

The report in sample-report.md was produced by auditing the purpose-built test skill at test-fixtures/test-skill-with-known-issues/.

Previous version: The original sample was produced against a live public third-party skill (hundred-million-offers from wondelai/skills). That report only produced warnings (no critical findings) and referenced an external source that readers could not easily verify themselves.

Current version: The sample now audits a test fixture that lives in this repository. This means:

  • Anyone can verify the report by running the auditor against the same target
  • No third-party skill or author is implicated
  • The report shows a more complete range of findings (Criticals + Warnings + Passes)
  • The test fixture is stable and won't change unexpectedly

See test-fixtures/README.md for a full description of the fixture and how to use it to verify the auditor's output on your own machine.
