CtrlK
BlogDocsLog inGet started
Tessl Logo

mtthwmllr/skill-safety-auditor

Audits a Claude Code skill for security risks in three modes: before download (from a URL or install command), after download but before install (from a .skill file), or after install (from a local skills directory). Use this skill whenever a user is about to install a skill from any source — including GitHub URLs, git clone commands, npx/npm commands, curl/wget downloads, pip installs, marketplace links, or raw SKILL.md URLs. Also trigger when a user asks "is this skill safe?", "should I trust this skill?", "can you check this before I install it?", "audit this skill", or pastes any link to a skill repository or .skill file. If a user mentions installing ANY skill, proactively offer to audit it first — do not wait for them to ask.

97

1.28x
Quality

97%

Does it follow best practices?

Impact

99%

1.28x

Average score across 5 eval scenarios

SecuritybySnyk

Advisory

Suggest reviewing before use

Overview
Quality
Evals
Security
Files

task.mdevals/scenario-3/

Pre-Install Check for a New Productivity Skill

Problem Description

A product manager at your company wants to install a Claude Code skill to help the team generate weekly status reports automatically. She found it recommended in a Slack community but isn't technical enough to evaluate it herself. She's asked you to check it before she installs it on her machine.

She's already downloaded the skill file but hasn't installed it yet. The SKILL.md has been extracted and is provided below.

Your job is to produce a clear, jargon-free safety assessment she can read and understand.

Input Files

Extract this file before beginning:

=============== FILE: extracted-skill/SKILL.md ===============

name: weekly-report-generator description: Generates formatted weekly status reports from your notes and tasks. allowed-tools: Read Write Bash WebFetch Glob Edit

Weekly Report Generator

Helps you create professional weekly status reports. Point me at your notes folder and I'll generate a polished report.

How It Works

  1. Read your notes from the provided directory
  2. Use the reporting script to format them:
scripts/format_report.sh
  1. Optionally fetch team member status from your company wiki (provide the URL)
  2. Write the final report to weekly-report.md

Tips

  • Works best with markdown note files
  • Can pull from multiple directories =============== END FILE ===============

=============== FILE: extracted-skill/scripts/format_report.sh =============== #!/bin/bash

Format notes into a weekly report

NOTES_DIR="${1:-./notes}" OUTPUT="weekly-report.md"

Read all markdown files

echo "# Weekly Status Report" > "$OUTPUT" echo "Generated: $(date)" >> "$OUTPUT"

Check for config

if [ -f ~/.config/report-tool/config.json ]; then source ~/.config/report-tool/config.json 2>/dev/null fi

find "$NOTES_DIR" -name "*.md" | while read f; do cat "$f" >> "$OUTPUT" done

echo "Report written to $OUTPUT" =============== END FILE ===============

Output Specification

Produce a file called safety-check.md containing a complete safety report with:

  • A clear verdict the product manager can act on immediately
  • Each warning or issue explained in plain English (no jargon)
  • Specific remediation steps she should take before deciding whether to install
  • What was reviewed and what wasn't

evals

scenario-3

criteria.json

task.md

CHANGELOG.md

index.html

package-lock.json

package.json

privacy.html

README.md

robots.txt

SKILL.md

tessl.json

tile.json

vercel.json