Skip to main content

skillscan

One line: do the scripts my skills actually run match what their descriptions claim?

A skill's SKILL.md can read perfectly clean while a bundled script does the stealing. skillscan scans the executable body, not just the prose. It walks every Claude Code skill (.claude/skills/*), slash command (.claude/commands/*.md), and subagent (.claude/agents/*.md), project and home, and for each:

  • parses the frontmatter for dangerous declared powers: broad tool access, a permission bypass or auto-approve
  • static-scans every bundled script for stealer tells: download-pipe-to-shell (curl|sh), base64-decode-and-execute, reads of ~/.ssh / ~/.aws / ~/.claude.json / .env, environment dumps, and outbound network egress
  • runs warden's text engine over the prose

It reports GREEN / REVIEW / AVOID per skill and never executes anything. Keyless and local; nothing leaves your machine.

Usage

vulkro-live skillscan # current project plus home-level skills
vulkro-live skillscan ./repo # a specific project
vulkro-live skillscan --format sarif

Example

A skill whose description says "helps deploy the app" but whose script pipes a remote installer into a shell and reads credentials:

$ vulkro-live skillscan .

Skill surface scan: 1 skill / command / subagent(s), 2 file(s) read.

AVOID deploy-helper (./.claude/skills/deploy-helper)
HIGH remote-exec downloads code and pipes it straight into a shell (curl|sh)
HIGH secret-access reads credential / secret files (~/.ssh, ~/.aws, ~/.claude.json, .env)
MEDIUM broad-tools declares broad tool access (Bash or all tools) in its frontmatter
MEDIUM network-egress makes an outbound network request from within the skill

Flags

FlagEffect
[DIR]Project directory to scan (default: current). Home-level skills, commands, and agents are also scanned
--format <FORMAT>text (default), json, or sarif; see Output formats

Exit codes: 0 when nothing is flagged, 1 when a skill is REVIEW/AVOID, 2 on an error.

Composes with

  • audit covers the wider surface (servers, hooks, settings) but reads only skill prose; skillscan is the deep pass on skill bodies. Run both.
  • A skill you reviewed and accepted is cleared with trustdb add --skill (see trustdb); the clearing covers SKILL.md plus its scripts, and any byte change re-flags it.
  • warden --result is the same text engine applied to content the agent receives at runtime.