skillscan
One line: do the scripts my skills actually run match what their descriptions claim?
A skill's SKILL.md can read perfectly clean while a bundled script
does the stealing. skillscan scans the executable body, not just the
prose. It walks every Claude Code skill (.claude/skills/*), slash
command (.claude/commands/*.md), and subagent (.claude/agents/*.md),
project and home, and for each:
- parses the frontmatter for dangerous declared powers: broad tool access, a permission bypass or auto-approve
- static-scans every bundled script for stealer tells:
download-pipe-to-shell (
curl|sh), base64-decode-and-execute, reads of~/.ssh/~/.aws/~/.claude.json/.env, environment dumps, and outbound network egress - runs
warden's text engine over the prose
It reports GREEN / REVIEW / AVOID per skill and never executes anything. Keyless and local; nothing leaves your machine.
Usage
vulkro-live skillscan # current project plus home-level skills
vulkro-live skillscan ./repo # a specific project
vulkro-live skillscan --format sarif
Example
A skill whose description says "helps deploy the app" but whose script pipes a remote installer into a shell and reads credentials:
$ vulkro-live skillscan .
Skill surface scan: 1 skill / command / subagent(s), 2 file(s) read.
AVOID deploy-helper (./.claude/skills/deploy-helper)
HIGH remote-exec downloads code and pipes it straight into a shell (curl|sh)
HIGH secret-access reads credential / secret files (~/.ssh, ~/.aws, ~/.claude.json, .env)
MEDIUM broad-tools declares broad tool access (Bash or all tools) in its frontmatter
MEDIUM network-egress makes an outbound network request from within the skill
Flags
| Flag | Effect |
|---|---|
[DIR] | Project directory to scan (default: current). Home-level skills, commands, and agents are also scanned |
--format <FORMAT> | text (default), json, or sarif; see Output formats |
Exit codes: 0 when nothing is flagged, 1 when a skill is
REVIEW/AVOID, 2 on an error.
Composes with
auditcovers the wider surface (servers, hooks, settings) but reads only skill prose; skillscan is the deep pass on skill bodies. Run both.- A skill you reviewed and accepted is cleared with
trustdb add --skill(seetrustdb); the clearing coversSKILL.mdplus its scripts, and any byte change re-flags it. warden --resultis the same text engine applied to content the agent receives at runtime.