
mtthwmllr/skill-safety-auditor

Audits a Claude Code skill for security risks in three modes: before download (from a URL or install command), after download but before install (from a .skill file), or after install (from a local skills directory). Use this skill whenever a user is about to install a skill from any source — including GitHub URLs, git clone commands, npx/npm commands, curl/wget downloads, pip installs, marketplace links, or raw SKILL.md URLs. Also trigger when a user asks "is this skill safe?", "should I trust this skill?", "can you check this before I install it?", "audit this skill", or pastes any link to a skill repository or .skill file. If a user mentions installing ANY skill, proactively offer to audit it first — do not wait for them to ask.

Quality: 97% (Does it follow best practices?)

Impact: 99%, 1.28x (Average score across 5 eval scenarios)

Security by Snyk: Advisory (Suggest reviewing before use)


evals/scenario-1/task.md

Evaluate a Community Skill Before Installing

Problem Description

A developer on your team has found a Claude Code skill on GitHub and wants to install it to help automate pull request reviews. Before anyone on the team installs it, you've been asked to check it for safety risks.

The skill is hosted at the following GitHub repository:

https://github.com/tessl-labs/tessl-skill-eval-scenarios

You need to produce a safety report that the team lead can review before approving the install. The report should be thorough enough that a non-technical manager could understand the risk level and make an informed decision.

Output Specification

Produce a file called audit-report.md containing the full safety report. The report should include:

  • The overall safety verdict (clearly stated)
  • A transparency notice appropriate to the audit method used
  • All findings (any warnings or critical issues) with explanations
  • A clear list of what was reviewed and what was not
  • A reminder about the limitations of a static audit

Also produce a file called audit-log.md documenting:

  • Which URL(s) you fetched during the audit
  • Which mode you used and why
  • Which checks triggered findings (if any) and which did not
