tessl-labs/skills-security-audit
Audit installed tessl skills for security risks and generate a formatted security report with per-skill risk levels and an overall project risk score
94
Quality
94%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Advisory
Suggest reviewing before use
SKILL.mdskills/skills-security-audit/
- name:
- skills-security-audit
- description:
- Audit the security of installed tessl skills using Snyk security scores from the Tessl Registry. Use this skill whenever the user asks to audit their skills, check skill security, get a security review of their tessl skills, find out how safe their installed skills are, wants a tessl security report, or asks about prompt injection risks in their agent setup. Reads tessl.json, fetches each skill's Snyk security score and findings from the registry, and presents a formatted security report with per-skill risk verdicts, finding categories, and an overall project risk profile with recommendations.
Skill Security Audit
You're running a security audit of the tessl skills installed in this project, using Snyk security scores from the Tessl Registry. Your job is to surface real, registry-verified security findings so the user can make an informed decision about each skill they have installed.
Background: how skill security works in the Tessl Registry
Every skill in the Tessl Registry carries a Snyk security score, powered by Snyk's scanning engine (built on research from Invariant Labs). The scanner is purpose-built for agent skills — it analyzes the behavioral intent behind skill instructions, not just code. This is important because skills are written in natural language, and malicious intent can be embedded in plain English instructions just as easily as in code.
Snyk's ToxicSkills research scanned nearly 4,000 public skills and found that 36% contained prompt injection techniques — instructions designed to hijack agent behavior. The range of risks is broad, from prompt injection to data exfiltration to social engineering.
The scan covers eight categories:
- Prompt injection — instructions designed to hijack agent behavior, including obfuscated or base64-encoded variants
- Malware payloads — skill instructions that cause the agent to download or execute malicious content
- Credential mishandling — instructions that direct the agent to access, log, or transmit credentials insecurely
- Toxic flow patterns — sequences that, in combination, create dangerous behavior even if each step looks benign
- Suspicious external downloads — instructions to fetch content from untrusted or unexpected sources
- Data exfiltration — patterns that cause the agent to send data to attacker-controlled infrastructure
- Privilege escalation — instructions that attempt to expand permissions beyond what the user intended
- Social engineering — instructions that manipulate the agent to deceive or mislead users
Step 1: Discover installed skills
Read tessl.json from the project root. Parse the dependencies block to identify every package and the skills it includes. Note the version and source URL for each.
If tessl.json is missing or has no dependencies, tell the user there are no installed skills to audit and stop.
Step 2: Fetch security data for each skill
For each dependency in tessl.json, determine its source type, then construct the correct registry URL.
Determining source type
Check the source field in tessl.json for each dependency:
"source": "git"(with a GitHub URL) → GitHub-hosted"source": "registry"→ Tessl-native
You can confirm by running tessl search {tile-name} via the CLI: GitHub-hosted skills appear as from github:{org}/{repo} in results; Tessl-native tiles do not have a github: prefix.
Constructing the URL
Tessl-native tiles use:
https://tessl.io/registry/{workspace}/{tile}/securityExample: tessl-labs/skills-security-audit →
https://tessl.io/registry/tessl-labs/skills-security-audit/securityGitHub-hosted skills use:
https://tessl.io/registry/skills/github/{org}/{repo}/{skill-name}/securityThe {skill-name} comes from the include.skills array in tessl.json, not the repo name. Example: anthropics/skills with skill skill-creator →
https://tessl.io/registry/skills/github/anthropics/skills/skill-creator/securityFetching the page
Fetch each URL with WebFetch. Extract the Snyk score, verdict, and all finding details — category, description, and the specific reason it was flagged.
If you get a 404, the tile is either private or has been removed from the registry — flag it as ❓ Unavailable. Do not guess alternative URL patterns.
Gather data for all skills before writing the report.
Step 3: Write the security report
Use this exact structure:
🔐 Skill Security Audit
[N] skills · [date]
| Skill | Version | Verdict | Findings |
|---|---|---|---|
workspace/skill | v0.0.0 | 🚨 Critical | Brief finding summary |
workspace/skill | v0.0.0 | ⚠️ Advisory | Brief finding summary |
workspace/skill | v0.0.0 | ✅ Clean | — |
workspace/skill | v0.0.0 | ❓ Unavailable | — |
Order rows by concern level: 🚨 Critical first, then ⚠️ Advisory, then ✅ Clean, then ❓ Unavailable.
For any row with findings, add a single line below the table explaining what the skill actually does that triggered the finding in plain English.
Recommendation: One or two sentences maximum. Only include if there's something actionable — if everything is clean, say so in one sentence and stop.
Tone and style
- The table is the report. Don't add prose around it unless a finding needs explanation.
- Explain findings in plain English. "This skill fetches content from external sites, which could be used to inject malicious instructions" beats "W011 third-party content exposure detected."
- If a tile returned 404, say ❓ Unavailable (private or removed). In the recommendation, tell the user to check the registry website for up-to-date info on those tiles.
- Never manufacture concern for clean skills.