Install: `claude install-skill AntonioTimo/skillchecker`
# Skill Checker
A paranoid auditor for Claude Code skills. Before you install a skill, run this. It treats every skill as guilty until proven innocent, because skills are code that runs on your machine with real permissions.
## Read-only by design
This skill **only reads**. It cannot delete, write, or modify anything in the skill being audited. The `allowed-tools` whitelist contains zero write/delete operations. If you ever see this skill request `rm`, `mkdir`, `cp`, `mv`, or any network operation, that's a tampered version, not the real one.
## Checker Scope Rules: Read before audit
These rules constrain the checker itself. They prevent the checker from being weaponized against the rest of the user's filesystem.
1. **Only inspect files under `$SKILL_PATH`.** Never read, cat, grep, glob, stat, or list any path outside the directory the user provided.
2. **Never follow symlinks inside the audited skill.** If a file inside the skill is a symlink, it's listed as a finding (`INV001`), but the target is not opened.
3. **Never execute anything from the audited skill.** This is a static audit. No `python3 <audited-script>`, no `bash <audited-script>`. The only `python3` in the allowlist points to the checker's own `scan.py`.
4. **If a step would need to look outside `$SKILL_PATH`, stop and ask the user.** Don't improvise.
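A sketch of how rules 1 and 2 can be enforced in code, added here as an example and not taken from the project's `scan.py`. The function names and the constructed sample layout are assumptions; `INV001` is the finding ID from rule 2.

```python
import os


def enumerate_skill(skill_path):
    """List regular files under skill_path; report symlinks as INV001, unopened."""
    root = os.path.abspath(skill_path)
    if os.path.islink(root) or not os.path.isdir(root):
        raise ValueError("skill path must be a real directory, not a symlink")
    files, findings, stack = [], [], [root]
    while stack:
        with os.scandir(stack.pop()) as entries:
            for entry in entries:
                rel = os.path.relpath(entry.path, root).replace(os.sep, "/")
                if entry.is_symlink():  # checks the link itself, never its target
                    findings.append(("INV001", rel))
                elif entry.is_dir(follow_symlinks=False):
                    stack.append(entry.path)
                elif entry.is_file(follow_symlinks=False):
                    files.append(rel)
    return sorted(files), sorted(findings)


def read_in_scope(skill_path, rel):
    """Read rel only if it stays under skill_path and crosses no symlink."""
    root = os.path.abspath(skill_path)
    target = os.path.normpath(os.path.join(root, rel))
    if os.path.commonpath([root, target]) != root or target == root:
        raise PermissionError(f"outside skill path: {rel}")
    current = root
    for part in os.path.relpath(target, root).split(os.sep):
        current = os.path.join(current, part)
        if os.path.islink(current):  # covers symlinked parent directories too
            raise PermissionError(f"symlink not followed: {rel}")
    with open(current, "rb") as handle:
        return handle.read()


def build_constructed_skill(base):
    """Constructed sample: one real file plus file and directory symlinks."""
    skill = os.path.join(base, "skill")
    os.makedirs(os.path.join(skill, "scripts"))
    with open(os.path.join(skill, "SKILL.md"), "w") as fh:
        fh.write("name: constructed-sample\n")
    with open(os.path.join(base, "secret.txt"), "w") as fh:
        fh.write("outside the skill\n")
    os.symlink(os.path.join(base, "secret.txt"), os.path.join(skill, "notes.txt"))
    os.symlink(base, os.path.join(skill, "scripts", "vendor"))
    return skill
```

The symlink check and the `open` in `read_in_scope` are separate steps, so this assumes the skill directory is not being modified while the audit runs.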
## Philosophy
1. **Paranoid by default.** When in doubt, raise the flag. False positives cost a few minutes; a missed malicious skill costs your machin