skill-security-auditorlisted

# Skill Security Auditor Scan and audit AI agent skills for security risks before installation. Produces a clear **PASS / WARN / FAIL** verdict with findings and remediation guidance. ## Quick Start ```bash # Audit a local skill directory python3 scripts/skill_security_auditor.py /path/to/skill-name/ # Audit a skill from a git repo python3 scripts/skill_security_auditor.py https://github.com/user/repo --skill skill-name # Audit with strict mode (any WARN becomes FAIL) python3 scripts/skill_security_auditor.py /path/to/skill-name/ --strict # Output JSON report python3 scripts/skill_security_auditor.py /path/to/skill-name/ --json ``` ## What Gets Scanned ### 1. Code Execution Risks (Python/Bash Scripts) Scans all `.py`, `.sh`, `.bash`, `.js`, `.ts` files for: | Category | Patterns Detected | Severity | |----------|-------------------|----------| | **Command injection** | `os.system()`, `os.popen()`, `subprocess.call(shell=True)`, backtick execution | 🔴 CRITICAL | | **Code execution** | `eval()`, `exec()`, `compile()`, `__import__()` | 🔴 CRITICAL | | **Obfuscation** | base64-encoded payloads, `codecs.decode`, hex-encoded strings, `chr()` chains | 🔴 CRITICAL | | **Network exfiltration** | `requests.post()`, `urllib.request`, `socket.connect()`, `httpx`, `aiohttp` | 🔴 CRITICAL | | **Credential harvesting** | reads from `~/.ssh`, `~/.aws`, `~/.config`, env var extraction patterns | 🔴 CRITICAL | | **File system abuse** | writes outside skill dir, `/etc/`, `~/.bashrc`,