功能描述

Security scanner for Claude Code Skill packages. Use when the user wants to audit, review, or check the safety of a Skill before installing — e.g. "is this s...

使用说明 (SKILL.md)

skill-review

Name: Skill Review
Author: antaisecuritylab

A multi-agent security scanner CLI for Claude Code Skill packages. It combines deterministic static pre-scanning with LLM-driven deep analysis to surface security risks across 7 layers before you install a Skill.

When to use

Auditing a third-party Skill before installation
Checking a skill directory for prompt injection, credential theft, data exfiltration, or hidden backdoors
Evaluating supply chain risk of a Skill's npm/PyPI dependencies
CI/CD integration to block high-risk Skills automatically

How it works

The scanner runs in two phases:

Pre-scan (deterministic, no LLM) — walks all files and flags: symlinks, suspicious filenames (Unicode confusables, shell metacharacters), large files, binary executables, invisible characters, ANSI escape sequences, JS obfuscation patterns, and hardcoded URLs.
LLM Analysis — an Explore Agent reads each file and performs 7-layer analysis:
- Layer 1: Prompt Injection (direct injection, jailbreak, remote prompt loading)
- Layer 2: Malicious Behavior (credential theft, data exfiltration, sandbox escape)
- Layer 3: Dynamic Code Loading (remote execution via fetch+eval, curl|sh, etc.)
- Layer 4: Obfuscation & Binary (obfuscated scripts, compiled binaries)
- Layer 5: Dependencies & Supply Chain (npm/PyPI/CLI tool inventory, typosquat detection)
- Layer 6: System Modification (global installs, profile changes, cron jobs)
- Layer 7: Code Quality (hardcoded secrets, insecure configs, vulnerable code patterns)
An optional Deep Analysis Agent then verifies URLs, checks dependency metadata on registries, and inspects binaries.
Deterministic Scoring — each finding is scored based on its type and severity. The overall risk level (safe/low/medium/high/critical) and recommendation (install/caution/do_not_install) are computed deterministically, not by the LLM.

Installation

cd \x3Cskill-review-dir>
npm install

Configuration

Create .env and fill in your LLM provider details:

Variable	Description	Default
`OPENAI_API_BASE`	LLM API base URL (OpenAI-compatible)	required
`OPENAI_API_KEY`	API key	required
`OPENAI_API_MODEL`	Model name	`gpt-4o`
`NPM_REGISTRY_URL`	npm registry for dependency checks	`https://registry.npmjs.org`
`PYPI_INDEX_URL`	PyPI index for dependency checks	`https://pypi.org`

Alternatively, pass a JSON config file via --config.

Usage

# Standard scan (pre-scan + LLM explore)
node index.mjs \x3Cskill-dir>

# Pre-scan only (no LLM, fast)
node index.mjs --pre \x3Cskill-dir>

# Deep analysis (pre-scan + explore + deep verification of URLs/deps/binaries)
node index.mjs --deep \x3Cskill-dir>

# JSON output, save to file
node index.mjs --json -o report.json \x3Cskill-dir>

# Chinese language report
node index.mjs --lang zh \x3Cskill-dir>

# Verbose logs to stderr + log file
node index.mjs -v --log scan.log \x3Cskill-dir>

Options

Option	Description
`\x3Cskill-dir>`	Path to the skill directory to scan (required, positional)
`--config \x3Cfile>`	Path to JSON config file
`--pre`	Run pre-scan only (no LLM calls)
`--deep`	Enable deep analysis phase
`--lang \x3Clang>`	Report language (default: English)
`--json`	Output raw JSON instead of text report
`-o, --output \x3Cfile>`	Save report to file (default: stdout)
`--log \x3Cfile>`	Save detailed logs to file
`-v, --verbose`	Stream detailed logs to stderr
`-h, --help`	Show help

Output

The text report shows each layer with a risk score (0-10), star rating, and up to 5 findings per layer. The JSON output contains the full structured result with all findings, layer scores, overall risk, and recommendation.

Risk levels: safe (0) / low (1-3) / medium (4-6) / high (7-8) / critical (9-10)

Recommendations: install (safe/low) / caution (medium) / do_not_install (high/critical)

安全使用建议

This skill appears to implement the scanner it advertises, but before installing or running it consider the following: - It requires an LLM API base and key (OPENAI_API_BASE and OPENAI_API_KEY). Running a scan will send scanned files and findings to that remote model — do not use your primary/high-privilege API key if you are scanning untrusted code containing secrets. - Use the `--pre` (pre-scan only) mode to run deterministic local checks without sending file contents to the LLM. - The repository's package.json does not list a package referenced in the code (@sinclair/typebox). Expect npm install to fail unless that dependency is added; inspect package.json and add any missing deps before running. - The scanner creates agents that can execute shell tools against the skill directory. That is necessary for content extraction, but it means a malicious skill might try to trick the agent into running harmful commands. Prefer running scans in an isolated environment (e.g., container or VM) and avoid `--deep` unless you trust the environment and know what tools the deep agent will execute. - Review src/tools.mjs (especially the bash tool implementation) to understand exactly which commands the agent can run in the scanned directory and whether it will execute any package lifecycle scripts automatically. If you only need a quick safety check without remote model exposure, run `node index.mjs --pre <skill-dir>` to use the deterministic pre-scan. If you plan to run LLM-driven analysis, use a dedicated/limited LLM API key or an internally-hosted model and run the scanner in an isolated sandbox.

能力评估

ℹ Purpose & Capability

The name/description (a security scanner for Skill packages) align with the code: it performs a deterministic pre-scan and then uses LLM-driven agents and registry lookups to do deeper analysis. Required environment variables (OPENAI_API_BASE/OPENAI_API_KEY) are appropriate for an LLM-powered scanner. However, the source imports @sinclair/typebox in src/tools.mjs but package.json does not declare that dependency — npm install may fail or behave unexpectedly unless that dependency is added. Overall capability is proportional to purpose, with a packaging inconsistency to fix.

⚠ Instruction Scope

The runtime instructs Agents to run a bash tool in the skill root and to use commands like `cat -n` to read files; those tool outputs are then included in prompts to remote LLMs. That means the full scanned skill source (including any hidden keys or secrets in files) will be transmitted to the configured LLM provider during LLM Analysis / Deep Analysis. The SKILL.md and embedded prompts also contain explicit system-prompt content (detected as a system-prompt-override pattern) — this is expected for an LLM-driven scanner but increases the attack surface if you scan untrusted content because a malicious skill could try to trick the explorer agent into executing commands. The code does include many pre-scan checks (ANSI escapes, invisible chars, prompt injection heuristics), but you should assume deep scans will send code to an external model and that the agent can execute shell tools in the target directory.

ℹ Install Mechanism

There is no special network download/install step in the skill bundle beyond normal npm install of the package. package.json lists only `@mariozechner/pi-agent-core` and `dotenv`, which is consistent with Node usage, but code imports additional packages (e.g., `@sinclair/typebox`) that are not declared — this is an inconsistency and will result in runtime errors or require you to add dependencies manually. No remote arbitrary archive downloads are present in the provided files.

⚠ Credentials

The skill requires an LLM API base and API key (OPENAI_API_BASE and OPENAI_API_KEY) to operate — that is proportionate to an LLM-based scanner. However, giving those credentials means the scanner will use your LLM account to process scanned code and metadata. Any code content read and passed to the agents (including file contents, extracted strings, and URLs) will be sent to the configured model provider, which may be sensitive. The skill does not request unrelated credentials or system-level secrets, but the fact that it exfiltrates scanned content to a third-party LLM is the main privacy/security consideration.

✓ Persistence & Privilege

The skill is not marked always:true and does not request persistent system-level privileges. It runs ephemeral Agent instances that use the provided API key. disable-model-invocation remains false (normal), meaning the skill can run its own agents while invoked; combined with the LLM key this enables network calls but this is expected behaviour for the scanner. The skill does not modify other skills or global agent config in the inspected code.

版本历史

v1.0.1

- Initial release of skill-review: a multi-agent security scanner CLI for Claude Code Skill packages. - Runs a two-phase scan: deterministic static pre-scan and LLM-driven 7-layer deep analysis. - Detects risks including prompt injections, credential theft, dynamic code loading, obfuscated scripts, vulnerable dependencies, system modifications, and insecure code patterns. - Outputs deterministic risk scoring and actionable install recommendations. - Supports JSON and multilingual reports, configurable via environment or JSON file.

元数据

Slug ant-skill-review

版本 1.0.1

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 1

常见问题

Skill Review 是什么？

Security scanner for Claude Code Skill packages. Use when the user wants to audit, review, or check the safety of a Skill before installing — e.g. "is this s... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 92 次。

如何安装 Skill Review？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install ant-skill-review」即可一键安装，无需额外配置。

Skill Review 是免费的吗？

是的，Skill Review 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

Skill Review 支持哪些平台？

Skill Review 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Skill Review？

由 Ant AI Security Lab（@antaisecuritylab）开发并维护，当前版本 v1.0.1。

Skill Review