Audit Agent Skills for Security Vulnerabilities

The Agent Skill Security Auditor is a specialized DevSecOps tool designed to protect your AI agent's environment. As the ecosystem for AI agent skills grows, so does the risk of supply-chain attacks. This skill provides a rigorous, automated framework to audit SKILL.md files before you install them, ensuring they don't compromise your data, credentials, or system integrity.

What it does

This developer-centric skill teaches your AI agent how to perform a deep-dive security analysis on third-party skills from marketplaces like Agensi, GitHub, or LobeHub. It uses a structured methodology to scan for five critical attack vectors:

• Command Injection: Detects hidden shell commands, recursive deletes, or unauthorized sudo usage.
• Prompt Injection: Identifies instructions designed to bypass agent safety guardrails or redefine its core identity.
• Data Exfiltration: Flags suspicious URLs, webhooks, or instructions that send local file content to external endpoints.
• Credential Theft: Scans for malicious attempts to read .env files, SSH keys, or cloud provider configurations.
• Privilege Escalation: Spots attempts to disable verification gates, skip confirmation prompts, or gain admin rights.

Why use this skill?

While standard AI prompts can help review code, this skill implements a standardized auditing heuristic based on real-world vulnerability research. It doesn't just "read" the file; it parses frontmatter, decodes Base64 strings, validates domains against trusted lists, and produces a scored risk report (0-100) with actionable recommendations: Install, Review, Reject, or Block.

Output

The result is a professional Security Audit Report formatted in Markdown, featuring an executive risk score, a detailed breakdown of findings by severity (Critical to Low), and a specific remediation path for any identified risks.