uinaf/skill-audit
Audit existing skills with Tessl scoring, metadata and trigger-coverage checks, repo conventions, and skill-authoring best practices. Use when creating or revising a skill, triaging weak self-activation, or comparing a skill against source-repo guidance such as `AGENTS.md`, `CLAUDE.md`, or repo rules, plus external skill guidance. Do not use to verify general application code or to rewrite unrelated docs.
97
98%
Does it follow best practices?
Impact
97%
1.05xAverage score across 3 eval scenarios
Advisory
Suggest reviewing before use
Security
1 medium severity finding. This skill can be installed but you should review these findings before use.
W012: Unverifiable external dependency detected (runtime URL that controls agent)
What this means
The skill fetches instructions or code from an external URL at runtime, and the fetched content directly controls the agent’s prompts or executes code. This dynamic dependency allows the external source to modify the agent’s behavior without any changes to the skill itself.
Why it was flagged
Potentially malicious external URL detected (high risk: 0.70). The skill explicitly instructs running the Tessl CLI (e.g., `npx tessl ...`), which will fetch and execute remote code from the Tessl package (see https://tessl.io/ and its CLI docs https://docs.tessl.io/reference/cli-commands), so a runtime external dependency executes remote code.
- Audited
- Security analysis