{"id":48146545,"url":"https://github.com/aliksir/claude-code-skill-security-check","last_synced_at":"2026-04-04T17:01:03.915Z","repository":{"id":341833958,"uuid":"1170827883","full_name":"aliksir/claude-code-skill-security-check","owner":"aliksir","description":"Security audit skill for Claude Code community skills. Scans for prompt injection, data exfiltration, permission bypass, dangerous commands, and supply chain risks.","archived":false,"fork":false,"pushed_at":"2026-03-27T13:25:44.000Z","size":108,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-03-27T23:56:43.634Z","etag":null,"topics":["claude-code","claude-code-skill","security","skill","static-analysis"],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/aliksir.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-02T15:10:39.000Z","updated_at":"2026-03-27T13:25:47.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/aliksir/claude-code-skill-security-check","commit_stats":null,"previous_names":["aliksir/claude-code-skill-security-check"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/aliksir/claude-code-skill-security-check","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aliksir%2Fclaude-code-skill-security-check","tags_url":"
https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aliksir%2Fclaude-code-skill-security-check/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aliksir%2Fclaude-code-skill-security-check/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aliksir%2Fclaude-code-skill-security-check/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/aliksir","download_url":"https://codeload.github.com/aliksir/claude-code-skill-security-check/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aliksir%2Fclaude-code-skill-security-check/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31407366,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-04T10:20:44.708Z","status":"ssl_error","status_checked_at":"2026-04-04T10:20:06.846Z","response_time":60,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["claude-code","claude-code-skill","security","skill","static-analysis"],"created_at":"2026-04-04T17:00:27.999Z","updated_at":"2026-04-04T17:01:03.907Z","avatar_url":"https://github.com/aliksir.png","language":"Shell","readme":"# Skill Security Check\n\n![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg) ![Version](https://img.shields.io/badge/version-2.4.5-blue.svg) 
![npm](https://img.shields.io/npm/v/claude-code-skill-security-check)\n\nA comprehensive security audit tool for Claude Code community skills. Combines a multi-agent skill mode (no installation required) with a standalone CLI tool (`skill-scanner`) to detect malicious patterns, supply-chain risks, and runtime threats in `.md` skill files.\n\n---\n\n\u003e **Note**: This is a personal project and may produce false positives or miss certain threats.\n\u003e It is provided as-is without warranty. Use it as one layer of your security review process,\n\u003e not as a sole source of truth.\n\n\u003e **Note**: This tool is a personally developed project. False positives and false negatives\n\u003e may occur. Please use it as one aid in your security review.\n\u003e Decisions based solely on this tool's results are not recommended.\n\n---\n\n## Features\n\n- **26 detection categories** — prompt injection, data exfiltration, credential access, reverse shell, privilege escalation, tool override, memory injection, agent self-replication, MCP elicitation abuse, and more\n- **3 parallel scanning agents** — Pattern Scanner, Red Team Analyst, and Deep Analyzer run concurrently for faster, more thorough coverage\n- **Plugin manifest inspection** — `.claude-plugin/plugin.json` scanning for name impersonation, excessive permissions, undeclared hooks\n- **allowed-tools audit** — flags skills with unrestricted tool access (missing `allowed-tools` frontmatter)\n- **Runtime defense hooks** — MCP response inspector (with elicitation abuse detection), Bash command validator, and ghost file detector\n- **7 Semgrep custom rules** — SSRF, SQL injection, weak crypto, insecure deserialization, Angular DOM XSS, path traversal, IDOR\n- **AWS IAM policy templates** — least-privilege templates for read-only and dev/deploy Claude Code environments\n- **CLI tool** (`skill-scanner`) — YAML/YARA rule engine, AST-level analysis, optional LLM and VirusTotal integration\n\n---\n\n## Quick Start\n\n### One-command installer (npm)\n\n```bash\nnpx 
claude-code-skill-security-check\n```\n\nInstalls SKILL.md, hooks, semgrep rules, IAM templates, and updater into your Claude Code environment.\n\n### Skill Mode (no installation)\n\n```\n/skill-security-check\n```\n\nRuns directly inside Claude Code. Three agents scan your skills directory in parallel and produce a structured threat report.\n\n### CLI Mode\n\n```bash\npip install skill-scanner\nskill-scanner scan-all ~/.claude/skills/ --format markdown -o report.md\n```\n\n---\n\n## Update Checker\n\nCheck for new versions of Skill Security Check:\n\n```bash\n# Manual check (uses 24-hour cache)\nbash updater/check-update.sh\n\n# Force immediate check\nbash updater/check-update.sh --force\n```\n\nYou can also enable automatic checks at Claude Code session start via a SessionStart hook. See [updater/README.md](updater/README.md) for installation instructions.\n\n---\n\n## Project Structure\n\n```\n├── SKILL.md                          # Skill definition (detection patterns \u0026 agent workflow)\n├── CHANGELOG.md                      # Version history\n├── hooks/\n│   ├── README.md                    # Hook installation \u0026 configuration guide\n│   ├── mcp-response-inspector.mjs   # Runtime MCP response inspection\n│   ├── validate-bash.sh             # Dangerous command prevention\n│   └── ghost-file-detector.sh       # AI ghost file detection\n├── semgrep-rules/\n│   ├── angular-dom-xss.yml          # Angular bypassSecurityTrust* detection\n│   ├── idor-auth-check.yml          # IDOR preliminary detection\n│   ├── insecure-deserialization.yml  # pickle, yaml.load, Marshal, unserialize\n│   ├── path-traversal.yml           # Zip Slip / path traversal patterns\n│   ├── sql-injection.yml            # ORM bypass (Django, SQLAlchemy, Sequelize, Prisma)\n│   ├── ssrf.yml                     # Server-Side Request Forgery\n│   └── weak-crypto.yml              # MD5, SHA1, DES, Math.random() for security\n├── updater/\n│   ├── README.md                    # Update 
checker setup guide\n│   └── check-update.sh              # Version check script (manual or SessionStart hook)\n└── iam-policy-template/\n    ├── README.md                    # IAM policy usage guide\n    ├── claude-code-readonly.json    # Read-only AWS policy\n    └── claude-code-dev-deploy.json  # Dev/deploy AWS policy\n```\n\n---\n\n## Detection Categories\n\n| # | Category | Severity |\n|---|----------|----------|\n| 1 | Prompt Injection | CRITICAL |\n| 2 | Data Exfiltration | HIGH |\n| 3 | Dangerous Commands | HIGH |\n| 4 | Steganography | HIGH |\n| 5 | Social Engineering | HIGH |\n| 6 | Permission Bypass | HIGH |\n| 7 | HTTP Exfiltration Bypass | HIGH |\n| 8 | Credential Access | HIGH |\n| 9 | Reverse Shell | HIGH |\n| 10 | Backdoor Persistence | HIGH |\n| 11 | Privilege Escalation | HIGH |\n| 12 | API Hijacking | MEDIUM-HIGH |\n| 13 | Namespace Squatting | MEDIUM-HIGH |\n| 14 | Unicode Homoglyph | MEDIUM-HIGH |\n| 15 | Context Window Poisoning | MEDIUM-HIGH |\n| 16 | XOR Obfuscation | MEDIUM |\n| 17 | Agent Infection | HIGH |\n| 18 | Silent Exfiltration | HIGH |\n| 19 | MCP Redefinition | MEDIUM-HIGH |\n| 20 | API Budget Drain | MEDIUM |\n| 21 | Auto Mode Abuse | MEDIUM-HIGH |\n| 22 | Multi-turn Grooming | HIGH |\n| 23 | Tool Override / Shadow | HIGH |\n| 24 | Whiteboard / Memory Injection | HIGH |\n| 25 | Agent Spawn \u0026 Self-Replication | CRITICAL |\n| 26 | MCP Elicitation Abuse | MEDIUM-HIGH |\n\n---\n\n## Runtime Defense Hooks\n\nThree hooks integrate with Claude Code's hook system to block threats at runtime. 
See [hooks/README.md](hooks/README.md) for installation and configuration.\n\n| Hook | Description |\n|------|-------------|\n| `mcp-response-inspector.mjs` | Inspects MCP tool responses for embedded prompt injection, exfiltration payloads, and elicitation abuse before they reach the agent |\n| `validate-bash.sh` | Intercepts Bash commands and blocks patterns matching `curl \\| bash`, `rm -rf /`, `bypassPermissions`, and other Tier 1 dangerous operations |\n| `ghost-file-detector.sh` | Detects AI-generated \"ghost files\" — similarly-named copies (e.g., `utils2.py`) created instead of editing the original, a common AI coding anti-pattern |\n\n---\n\n## Credits \u0026 Acknowledgments\n\nThis skill was built on lessons learned from auditing 575+ community skills. We are grateful to the following projects and their authors whose work informed our detection patterns:\n\n### Community Skill Authors\n\n- **[zebbern/claude-code-guide](https://github.com/zebbern/claude-code-guide)** — 23 penetration testing and security skills that directly informed our detection categories for credential access, reverse shells, privilege escalation chains, and backdoor persistence. These skills are educational tools for authorized security testing, and their explicit documentation of attack techniques helped us understand what patterns to detect. Thank you for the rapid response to our risk classification request (Issue #11).\n\n- **[raintree-claude-tools](https://github.com/raintreeinc/raintree-claude-tools)** (formerly `anthropic/`) — claude-hook-builder and claude-settings-expert. The settings-expert skill's explicit \"bypassPermissions is dangerous\" documentation is a model for responsible skill design. 
The namespace discussion (Issue #492 on anthropics/skills) helped us refine trust boundary abuse detection.\n\n- **[trailofbits/claude-code-devcontainer](https://github.com/trailofbits/claude-code-devcontainer)** — The devcontainer security discussion (Issue #28) about bypassPermissions auto-configuration outside containers was the catalyst for our Permission Bypass detection category.\n\n- **[anthropics/skills](https://github.com/anthropics/skills)** — The official Claude Code skills registry. Our namespace protection discussion (Issue #492) helped shape the Trust Boundary Abuse detection vector.\n\n### Security Research \u0026 Tools\n\n- **[carlospolop/PEASS-ng](https://github.com/carlospolop/PEASS-ng)** (LinPEAS/WinPEAS) — Referenced in multiple security skills. The `curl | sh` pattern for linpeas.sh was a key example that informed our piped script execution detection.\n\n- **[GTFOBins](https://gtfobins.github.io/)** — The definitive reference for Unix binary exploitation techniques. Our privilege escalation via system utilities detection (Category 11) is directly informed by GTFOBins patterns.\n\n- **[LOLBAS Project](https://lolbas-project.github.io/)** — Living Off The Land Binaries and Scripts for Windows. 
Complements GTFOBins for Windows-side detection patterns.\n\n- **[Zenn article: Claude Code/MCP Security Guide](https://zenn.dev/ytksato/articles/057dc7c981d304)** by DPL — Practical security hardening guide that informed our HTTP exfiltration bypass detection and settings.json audit patterns.\n\n### Detection Pattern References\n\n- **MITRE ATT\u0026CK Framework** — Tactics, Techniques, and Procedures (TTPs) referenced in our Red Team analysis vectors, especially T1098 (Account Manipulation), T1059 (Command \u0026 Scripting Interpreter), and T1071 (Application Layer Protocol).\n\n- **OWASP** — Prompt injection and indirect prompt injection categories draw from OWASP's LLM Top 10 (2025).\n\n### Special Thanks\n\nThank you to all community skill authors — including the many whose work we scanned without incident. The Claude Code skill ecosystem grows stronger when we look out for each other. If this tool flags your skill, it is not an accusation; it is an invitation to make the ecosystem safer together.\n\n---\n\n## Contributing\n\nIssues and pull requests are welcome.\n\n- [Open an issue](https://github.com/aliksir/claude-code-skill-security-check/issues)\n- Fork the repo, make your changes, and submit a PR\n\n---\n\n## License\n\nMIT — see [LICENSE](LICENSE)\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faliksir%2Fclaude-code-skill-security-check","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faliksir%2Fclaude-code-skill-security-check","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faliksir%2Fclaude-code-skill-security-check/lists"}