Skill Safety Auditor
by @harrylabsj
Perform comprehensive security audits on skills to identify vulnerabilities, unsafe patterns, and compliance issues. Use when auditing skills for security, c...
clawhub install skill-safety-auditorπ About This Skill
name: skill-safety-auditor description: Perform comprehensive security audits on skills to identify vulnerabilities, unsafe patterns, and compliance issues. Use when auditing skills for security, checking for hardcoded secrets, injection risks, or before releasing skills.
Skill Safety Auditor
Overview
The skill-safety-auditor skill performs comprehensive security audits on skills to identify vulnerabilities, unsafe code patterns, permission issues, and compliance violations. It helps ensure skills meet security standards before release or deployment.
When to Use
Core Concepts
Audit Types
| Type | Description | Speed |
|------|-------------|-------|
| quick-scan | Fast surface-level check | ~1s |
| audit | Comprehensive analysis | ~5-10s |
| report | Full audit with JSON output | ~10s |
Vulnerability Categories
| Category | Checks For | Severity |
|----------|------------|----------|
| secrets | Hardcoded API keys, passwords, tokens | Critical |
| injection | Command injection, path traversal | High |
| permissions | Unsafe file permissions | Medium |
| dependencies | Known vulnerable dependencies | High |
| network | Insecure HTTP connections | Low |
Severity Levels
Input
Accepts:
Output
Produces:
Workflow
Quick Security Check
1. Run quick-scan on target skill 2. Review any immediate issues 3. Address critical/high findings
Comprehensive Audit
1. Run full audit with verbose output 2. Review all findings by severity 3. Generate JSON report for records 4. Address findings in priority order 5. Re-run audit to verify fixes
Pre-Release Audit
1. Audit skill with all checks enabled 2. Generate formal report 3. Review with team 4. Fix all critical/high issues 5. Document accepted low-risk items
Commands
Quick Scan
./scripts/quick-scan.sh /path/to/skill
Full Audit
./scripts/audit-skill.sh /path/to/skill --verbose
Generate Report
./scripts/audit-skill.sh /path/to/skill --output report.json
Filter by Type
./scripts/audit-skill.sh /path/to/skill --types secrets,injection
List Past Audits
./scripts/list-audits.sh [--skill ] [--since 2024-01-01]
Output Format
Console Output
π Starting security audit: my-skill
================================
β
SKILL.md exists
Scanning for secrets...
Scanning for injection vulnerabilities...
[high] injection: eval() detected
File: src/utils.js:15
Recommendation: Avoid eval(), use safer alternatives================================
Validation complete:
Errors: 0
Warnings: 1
β Validation FAILED
JSON Report
{
"audit_id": "AUDIT-20240313-001",
"skill": "my-skill",
"timestamp": "2024-03-13T10:30:00Z",
"summary": {
"critical": 0,
"high": 1,
"medium": 2,
"low": 3,
"info": 1
},
"findings": [
{
"id": "SEC-001",
"severity": "high",
"type": "injection",
"file": "src/utils.js",
"line": 15,
"description": "eval() detected - potential code injection",
"recommendation": "Avoid eval(), use safer alternatives"
}
],
"passed": false,
"recommendations": [
"Remove eval() from src/utils.js:15",
"Add input validation to all user inputs"
]
}
Audit Checks
Secrets Detection
Code Safety
File Permissions
Dependencies
Network Security
Quality Rules
Good Trigger Examples
Limitations
Resources
scripts/
audit-skill.sh - Full security auditquick-scan.sh - Fast security checklist-audits.sh - View audit historytest.sh - Test skill functionality