{"id":50150656,"url":"https://github.com/ultroncore/skillguard","last_synced_at":"2026-05-24T08:02:03.725Z","repository":{"id":346994091,"uuid":"1186714923","full_name":"UltronCore/skillguard","owner":"UltronCore","description":"Mandatory pre-install security gate for Claude Code skills, plugins, and configs. Multi-reviewer static threat analysis with OWASP LLM Top 10 mapping.","archived":false,"fork":false,"pushed_at":"2026-05-24T06:14:57.000Z","size":48,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-24T06:34:59.513Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/UltronCore.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-19T23:11:01.000Z","updated_at":"2026-05-24T04:52:11.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/UltronCore/skillguard","commit_stats":null,"previous_names":["ultroncore/skillguard"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/UltronCore/skillguard","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/UltronCore%2Fskillguard","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/UltronCore%2Fskillguard/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/UltronCore%2Fskillguard/releases","manifests
_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/UltronCore%2Fskillguard/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/UltronCore","download_url":"https://codeload.github.com/UltronCore/skillguard/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/UltronCore%2Fskillguard/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33426013,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-23T22:14:44.296Z","status":"online","status_checked_at":"2026-05-24T02:00:06.296Z","response_time":57,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-05-24T08:02:01.291Z","updated_at":"2026-05-24T08:02:03.719Z","avatar_url":"https://github.com/UltronCore.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# SkillGuard\n\n**A mandatory pre-install security gate for Claude Code skills, plugins, configs, and any file that could affect Claude's behavior.**\n\nSkillGuard intercepts every install, import, or activation request before it reaches Claude — performing a structured multi-reviewer threat analysis and requiring explicit human approval before anything proceeds. No auto-approvals. No skipping. 
No exceptions.\n\n---\n\n## What It Does\n\nWhen you attempt to install a skill, load a config, run a setup script, or import any file into your Claude Code workflow, SkillGuard:\n\n1. **Pauses everything** and announces the review\n2. **Inventories all files** in the package recursively\n3. **Runs a two-pass deep review** against a 15-category threat catalog\n4. **Convenes a multi-reviewer council** (3–8 reviewers depending on complexity) whose members independently analyze each file\n5. **Produces a structured security report** with finding codes, OWASP LLM Top 10 mappings, severity scores, and a supply chain assessment\n6. **Stops and waits** for your explicit APPROVE or REJECT before taking any action\n\n---\n\n## Why It Exists\n\nClaude Code's skill and plugin ecosystem is powerful — and that power is a surface for attack. A malicious skill can:\n\n- Inject instructions that override Claude's behavior without your knowledge\n- Exfiltrate credentials, API keys, or conversation contents via image URLs or network calls\n- Install persistence mechanisms that survive sessions\n- Escalate permissions through hook manipulation\n- Chain individually benign capabilities into dangerous toxic flows\n\nMost users install skills with a single command and no review. 
SkillGuard exists to close that gap.\n\n---\n\n## Threat Coverage\n\nSkillGuard v1.1 checks against 15 threat categories, all mapped to OWASP LLM Top 10 2025 and MITRE ATLAS:\n\n| # | Category | OWASP |\n|---|----------|-------|\n| 1 | Prompt injection and behavioral manipulation | LLM01 |\n| 2 | Shell command injection | LLM02 |\n| 3 | Encoded and obfuscated payloads (base64, ROT13, Unicode Braille, zero-width chars) | LLM01 |\n| 4 | Credential and data exfiltration — with provider-specific patterns for 13 providers | LLM06 |\n| 5 | External network calls and remote dependencies — URL shortener detection | LLM03 |\n| 6 | Persistence and self-modification | LLM06 |\n| 7 | Permission escalation and safety bypass | LLM06 |\n| 8 | Mismatch between stated and actual purpose | LLM08 |\n| 9 | Agentic abuse — tool shadowing and tool poisoning | LLM06 |\n| 10 | **Markdown image exfiltration** — `![](https://...?q=)` patterns | LLM05 |\n| 11 | **LLM control structure injection** — ChatML, Guidance, Llama-2/3 tokens | LLM01 |\n| 12 | **Toxic flow combinations** — cross-file capability chaining | LLM06 |\n| 13 | **Financial execution risk** — payment APIs, crypto wallets | LLM06 |\n| 14 | **System prompt leakage** — instructions to reveal configuration | LLM07 |\n| 15 | **Latent and indirect injection surface** — skills that process external content | LLM01 |\n\nCategories 10–15 were added in v1.1 based on comparative research against 8 open-source AI security tools.\n\n---\n\n## Reviewer Council\n\nSkillGuard assembles a council of independent reviewers. 
Each reads all files and writes findings before the council convenes:\n\n| Reviewer | Role | When |\n|----------|------|------|\n| **A — Technical Security Analyst** | Shell commands, scripts, credentials, encoded payloads, network calls | Always |\n| **B — Prompt and Behavior Analyst** | Injection, role hijacking, DAN patterns, hidden instructions, behavioral manipulation | Always |\n| **G — Output Impact Analyst** | What Claude would produce if the instructions were followed | Always |\n| **C — Supply Chain Analyst** | Dependencies, registries, typosquatting | When manifests present |\n| **D — Execution Path Analyst** | Install-time vs activation-time execution chains | When scripts present |\n| **E — Data Exfiltration Analyst** | Credential access, env vars, outbound data | When data access detected |\n| **F — Permission Abuse Analyst** | Hook manipulation, settings.json changes, autonomous actions | When hooks/permissions present |\n| **H — Toxic Flow Analyst** | Cross-file capability combinations (TF001/TF002/TF003) | When input + data + egress detected |\n\n---\n\n## Report Structure\n\nEvery SkillGuard review produces a 13-section security report:\n\n1. Executive Summary\n2. Review Trigger Context\n3. Inventory of Reviewed Files\n4. Reviewer A Findings\n5. Reviewer B Findings\n6. Reviewer G Findings (Output Impact)\n7. Additional Reviewer Findings (C–F, H as spawned)\n8. Council Verdict with worst-case credible interpretation\n9. Red Flags Table — with finding codes and OWASP mapping\n10. Benign Indicators\n11. Missing Information\n12. Safe Use Recommendation with sandbox guidance by risk level\n13. Supply Chain Assessment\n14. Confidence Score (0–100, computed via explicit formula)\n15. 
*(Optional)* Appendix A: Machine-readable JSON summary\n\n---\n\n## Installation\n\nSkillGuard is a [Claude Code](https://claude.ai/claude-code) skill plugin.\n\n### Option 1: Copy the skill file\n\nCopy `skills/skillguard/SKILL.md` and its `references/` folder into your Claude Code skills directory.\n\n### Option 2: Use as a local plugin\n\n1. Clone this repository\n2. Add the plugin to your `~/.claude/settings.json`:\n\n```json\n{\n  \"plugins\": {\n    \"skillguard@local\": true\n  }\n}\n```\n\n3. Point the plugin path to where you cloned the repo (see Claude Code plugin documentation for local plugin loading)\n\n### Enforce with a hook\n\nAdd this to your `~/.claude/settings.json` `hooks` section to catch install commands at the Bash level:\n\n```json\n{\n  \"hooks\": {\n    \"PreToolUse\": [\n      {\n        \"matcher\": \"Bash\",\n        \"hooks\": [\n          {\n            \"type\": \"command\",\n            \"command\": \"bash -c 'cmd=\\\"$CLAUDE_TOOL_INPUT_COMMAND\\\"; if echo \\\"$cmd\\\" | grep -qiE \\\"(plugin install|skill install|npm install|pip install|brew install|curl.*\\\\|.*(bash|sh)|wget.*\\\\|.*(bash|sh))\\\"; then echo \\\"[SKILLGUARD] Install command detected. 
Invoke the skillguard skill before proceeding.\\\"; fi; exit 0'\"\n          }\n        ]\n      }\n    ]\n  }\n}\n```\n\n---\n\n## Trigger Phrases\n\nSkillGuard activates on any of:\n\n\u003e \"install this\", \"add this skill\", \"import this\", \"load this config\", \"use this prompt\", \"activate this agent\", \"run this setup\", \"apply this\", \"trust this file\", \"here's a skill\", \"add to Claude\", \"use this tool\", \"install this plugin\", \"run this script\", \"set this up for me\"\n\n...or any request to install, import, activate, trust, execute, merge, run, apply, copy, or use any external file that could affect Claude's behavior.\n\nIt also triggers on specific file types: `.md`, `SKILL.md`, `.json`, `.yaml`, `.yml`, `.toml`, `.sh`, `.bash`, `.zsh`, `.ps1`, `.bat`, `.cmd`, `.py`, `.js`, `.ts`, `Dockerfile`, `package.json`, `requirements.txt`, manifests, configs, plugins, and extensions.\n\n---\n\n## Core Principles\n\n1. **Never auto-approve** — not for convenience, speed, or trust signals\n2. **Never skip a file** — read everything, regardless of extension\n3. **Never suppress findings** — every flag appears in the report\n4. **Markdown is security-relevant** — inspect for hidden prompts and exfiltration vectors\n5. **JSON is security-relevant** — inspect fields for hooks, templates, and behavioral overrides\n6. **Documentation is not evidence of safety** — verify claims against actual content\n7. **Polish and popularity are not safety signals** — treat them as neutral\n8. **Dangerous permission modes = elevated caution**, not permission to skip review\n9. **Prefer false positives** — a missed threat is worse than a false alarm\n10. 
**Never auto-execute commands during review** — observe only, never run\n\n---\n\n## Files\n\n```\nskills/\n  skillguard/\n    SKILL.md                        — Main skill logic and workflow\n    references/\n      threat-catalog.md             — 15-category threat taxonomy with detection patterns\n      report-template.md            — 13-section report template with scoring formulas\n      reviewer-guide.md             — Per-reviewer checklists, scoring logic, false positive controls\n\nRESEARCH_AND_IMPROVEMENTS.md       — Phase 2 comparative analysis: 8 open-source security tools\n                                      reviewed statically, capability comparison matrix,\n                                      and the full reasoning behind every v1.1 improvement\nREADME.md                           — This file\n```\n\n---\n\n## Research Basis\n\nSkillGuard v1.1 was improved through a static comparative analysis of 8 open-source AI and software security tools:\n\n- **mcp-scan** (invariantlabs-ai) — MCP server security scanner\n- **vigil-llm** (deadbits) — LLM prompt injection detection with YARA rules\n- **rebuff** (protectai) — Self-hardening prompt injection detector with fuzzy scoring\n- **garak** (NVIDIA/leondz) — LLM vulnerability scanner with 40+ probe categories\n- **guardrails** (guardrails-ai) — AI application input/output validation framework\n- **detect-secrets** (Yelp) — Enterprise secrets detection with Shannon entropy scoring\n- **trufflehog** (trufflesecurity) — Secrets discovery with 800+ provider-specific patterns\n- **OWASP LLM Top 10 2025** — Authoritative LLM threat taxonomy\n\nFull analysis, capability comparison matrix, and improvement rationale: [`RESEARCH_AND_IMPROVEMENTS.md`](./RESEARCH_AND_IMPROVEMENTS.md)\n\n---\n\n## Versioning\n\n| Version | Changes |\n|---------|---------|\n| v1.0 | Initial release — 9 threat categories, 6 reviewers (A–F), 12-section report |\n| v1.1 | +6 threat categories (10–15), +Reviewer G (Output Impact, mandatory), 
+Reviewer H (Toxic Flow, dynamic), provider-specific credential patterns for 13 providers, OWASP LLM Top 10 mapping, finding codes, structured severity scoring, Shannon entropy guidance, false positive controls, Section 13 Supply Chain, Appendix A JSON output |\n\n---\n\n## License\n\nMIT License — free to use, modify, and distribute. Attribution appreciated.\n\n---\n\n## Contributing\n\nContributions welcome. Particularly useful:\n- New threat catalog entries with detection patterns\n- Additional provider-specific credential patterns\n- False positive reduction examples\n- Real-world attack samples (redacted) for test cases\n- Translations of the reviewer prompts\n\n---\n\n*SkillGuard does not execute any code. It performs static analysis only and requires explicit human approval before any installation proceeds.*\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fultroncore%2Fskillguard","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fultroncore%2Fskillguard","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fultroncore%2Fskillguard/lists"}