← Back to Skills Marketplace
antaisecuritylab

Skill Review

by Ant AI Security Lab · GitHub ↗ · v1.0.1 · MIT-0
cross-platform ⚠ suspicious
92
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install ant-skill-review
Description
Security scanner for Claude Code Skill packages. Use when the user wants to audit, review, or check the safety of a Skill before installing — e.g. "is this s...
README (SKILL.md)

skill-review

A multi-agent security scanner CLI for Claude Code Skill packages. It combines deterministic static pre-scanning with LLM-driven deep analysis to surface security risks across 7 layers before you install a Skill.

When to use

  • Auditing a third-party Skill before installation
  • Checking a skill directory for prompt injection, credential theft, data exfiltration, or hidden backdoors
  • Evaluating supply chain risk of a Skill's npm/PyPI dependencies
  • CI/CD integration to block high-risk Skills automatically

How it works

The scanner runs in two phases:

  1. Pre-scan (deterministic, no LLM) — walks all files and flags: symlinks, suspicious filenames (Unicode confusables, shell metacharacters), large files, binary executables, invisible characters, ANSI escape sequences, JS obfuscation patterns, and hardcoded URLs.

  2. LLM Analysis — an Explore Agent reads each file and performs 7-layer analysis:

    • Layer 1: Prompt Injection (direct injection, jailbreak, remote prompt loading)
    • Layer 2: Malicious Behavior (credential theft, data exfiltration, sandbox escape)
    • Layer 3: Dynamic Code Loading (remote execution via fetch+eval, curl|sh, etc.)
    • Layer 4: Obfuscation & Binary (obfuscated scripts, compiled binaries)
    • Layer 5: Dependencies & Supply Chain (npm/PyPI/CLI tool inventory, typosquat detection)
    • Layer 6: System Modification (global installs, profile changes, cron jobs)
    • Layer 7: Code Quality (hardcoded secrets, insecure configs, vulnerable code patterns)

    An optional Deep Analysis Agent then verifies URLs, checks dependency metadata on registries, and inspects binaries.

  3. Deterministic Scoring — each finding is scored based on its type and severity. The overall risk level (safe/low/medium/high/critical) and recommendation (install/caution/do_not_install) are computed deterministically, not by the LLM.

Installation

cd \x3Cskill-review-dir>
npm install

Configuration

Create .env and fill in your LLM provider details:

Variable Description Default
OPENAI_API_BASE LLM API base URL (OpenAI-compatible) required
OPENAI_API_KEY API key required
OPENAI_API_MODEL Model name gpt-4o
NPM_REGISTRY_URL npm registry for dependency checks https://registry.npmjs.org
PYPI_INDEX_URL PyPI index for dependency checks https://pypi.org

Alternatively, pass a JSON config file via --config.

Usage

# Standard scan (pre-scan + LLM explore)
node index.mjs \x3Cskill-dir>

# Pre-scan only (no LLM, fast)
node index.mjs --pre \x3Cskill-dir>

# Deep analysis (pre-scan + explore + deep verification of URLs/deps/binaries)
node index.mjs --deep \x3Cskill-dir>

# JSON output, save to file
node index.mjs --json -o report.json \x3Cskill-dir>

# Chinese language report
node index.mjs --lang zh \x3Cskill-dir>

# Verbose logs to stderr + log file
node index.mjs -v --log scan.log \x3Cskill-dir>

Options

Option Description
\x3Cskill-dir> Path to the skill directory to scan (required, positional)
--config \x3Cfile> Path to JSON config file
--pre Run pre-scan only (no LLM calls)
--deep Enable deep analysis phase
--lang \x3Clang> Report language (default: English)
--json Output raw JSON instead of text report
-o, --output \x3Cfile> Save report to file (default: stdout)
--log \x3Cfile> Save detailed logs to file
-v, --verbose Stream detailed logs to stderr
-h, --help Show help

Output

The text report shows each layer with a risk score (0-10), star rating, and up to 5 findings per layer. The JSON output contains the full structured result with all findings, layer scores, overall risk, and recommendation.

Risk levels: safe (0) / low (1-3) / medium (4-6) / high (7-8) / critical (9-10)

Recommendations: install (safe/low) / caution (medium) / do_not_install (high/critical)

Usage Guidance
This skill appears to implement the scanner it advertises, but before installing or running it consider the following: - It requires an LLM API base and key (OPENAI_API_BASE and OPENAI_API_KEY). Running a scan will send scanned files and findings to that remote model — do not use your primary/high-privilege API key if you are scanning untrusted code containing secrets. - Use the `--pre` (pre-scan only) mode to run deterministic local checks without sending file contents to the LLM. - The repository's package.json does not list a package referenced in the code (@sinclair/typebox). Expect npm install to fail unless that dependency is added; inspect package.json and add any missing deps before running. - The scanner creates agents that can execute shell tools against the skill directory. That is necessary for content extraction, but it means a malicious skill might try to trick the agent into running harmful commands. Prefer running scans in an isolated environment (e.g., container or VM) and avoid `--deep` unless you trust the environment and know what tools the deep agent will execute. - Review src/tools.mjs (especially the bash tool implementation) to understand exactly which commands the agent can run in the scanned directory and whether it will execute any package lifecycle scripts automatically. If you only need a quick safety check without remote model exposure, run `node index.mjs --pre <skill-dir>` to use the deterministic pre-scan. If you plan to run LLM-driven analysis, use a dedicated/limited LLM API key or an internally-hosted model and run the scanner in an isolated sandbox.
Capability Assessment
Purpose & Capability
The name/description (a security scanner for Skill packages) align with the code: it performs a deterministic pre-scan and then uses LLM-driven agents and registry lookups to do deeper analysis. Required environment variables (OPENAI_API_BASE/OPENAI_API_KEY) are appropriate for an LLM-powered scanner. However, the source imports @sinclair/typebox in src/tools.mjs but package.json does not declare that dependency — npm install may fail or behave unexpectedly unless that dependency is added. Overall capability is proportional to purpose, with a packaging inconsistency to fix.
Instruction Scope
The runtime instructs Agents to run a bash tool in the skill root and to use commands like `cat -n` to read files; those tool outputs are then included in prompts to remote LLMs. That means the full scanned skill source (including any hidden keys or secrets in files) will be transmitted to the configured LLM provider during LLM Analysis / Deep Analysis. The SKILL.md and embedded prompts also contain explicit system-prompt content (detected as a system-prompt-override pattern) — this is expected for an LLM-driven scanner but increases the attack surface if you scan untrusted content because a malicious skill could try to trick the explorer agent into executing commands. The code does include many pre-scan checks (ANSI escapes, invisible chars, prompt injection heuristics), but you should assume deep scans will send code to an external model and that the agent can execute shell tools in the target directory.
Install Mechanism
There is no special network download/install step in the skill bundle beyond normal npm install of the package. package.json lists only `@mariozechner/pi-agent-core` and `dotenv`, which is consistent with Node usage, but code imports additional packages (e.g., `@sinclair/typebox`) that are not declared — this is an inconsistency and will result in runtime errors or require you to add dependencies manually. No remote arbitrary archive downloads are present in the provided files.
Credentials
The skill requires an LLM API base and API key (OPENAI_API_BASE and OPENAI_API_KEY) to operate — that is proportionate to an LLM-based scanner. However, giving those credentials means the scanner will use your LLM account to process scanned code and metadata. Any code content read and passed to the agents (including file contents, extracted strings, and URLs) will be sent to the configured model provider, which may be sensitive. The skill does not request unrelated credentials or system-level secrets, but the fact that it exfiltrates scanned content to a third-party LLM is the main privacy/security consideration.
Persistence & Privilege
The skill is not marked always:true and does not request persistent system-level privileges. It runs ephemeral Agent instances that use the provided API key. disable-model-invocation remains false (normal), meaning the skill can run its own agents while invoked; combined with the LLM key this enables network calls but this is expected behaviour for the scanner. The skill does not modify other skills or global agent config in the inspected code.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install ant-skill-review
  3. After installation, invoke the skill by name or use /ant-skill-review
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
- Initial release of skill-review: a multi-agent security scanner CLI for Claude Code Skill packages. - Runs a two-phase scan: deterministic static pre-scan and LLM-driven 7-layer deep analysis. - Detects risks including prompt injections, credential theft, dynamic code loading, obfuscated scripts, vulnerable dependencies, system modifications, and insecure code patterns. - Outputs deterministic risk scoring and actionable install recommendations. - Supports JSON and multilingual reports, configurable via environment or JSON file.
Metadata
Slug ant-skill-review
Version 1.0.1
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Skill Review?

Security scanner for Claude Code Skill packages. Use when the user wants to audit, review, or check the safety of a Skill before installing — e.g. "is this s... It is an AI Agent Skill for Claude Code / OpenClaw, with 92 downloads so far.

How do I install Skill Review?

Run "/install ant-skill-review" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Skill Review free?

Yes, Skill Review is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Skill Review support?

Skill Review is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Skill Review?

It is built and maintained by Ant AI Security Lab (@antaisecuritylab); the current version is v1.0.1.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463815 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259802 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200680 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191345 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190333 · by oswalpalash

💬 Comments