Security audit tool for Claude Code skills, MCP servers, and repositories.
Scan before you install, so you don't have to trust blindly.
Zero dependencies. Pure bash. Can't be a supply chain risk itself.
When you download a Claude Code skill from GitHub, you're giving it access to your terminal. A malicious skill can:
- Steal credentials — SSH keys, AWS/GCP/Azure configs, API keys, crypto wallets
- Inject prompt instructions — hidden text that manipulates Claude into running harmful commands
- Poison your supply chain —
.pthfiles that auto-execute on every Python start (litellm 1.82.8 attack) - Open backdoors — reverse shells, network listeners, privilege escalation
Skill Shielder scans for all of these before you install.
# Clone
git clone https://github.com/p3nchan/skill-shielder.git
cd skill-shielder
# Make scripts executable
chmod +x shield.sh scanners/*.sh
# Audit a local skill directory
./shield.sh /path/to/downloaded-skill
# Audit a GitHub repo directly
./shield.sh https://github.com/someone/their-skill
# JSON output for CI/automation
./shield.sh --json /path/to/skill
Skill Shielder runs four independent scanners against your target, then aggregates findings into a single verdict.
| Scanner | Checks | File Types |
|---|---|---|
| Prompt Injection | Hidden instructions, persona hijacking, unicode tricks, <system> tag injection, social engineering |
.md .json .yaml .txt |
| Script Safety | Destructive commands, pipe-to-shell, credential exfiltration, reverse shells, obfuscated eval | .sh .py .js .ts |
| Supply Chain | .pth file attacks, setup.py hooks, npm lifecycle scripts, unpinned deps, inline script deps |
.pth setup.py package.json requirements.txt pyproject.toml |
| Permissions | Sensitive path access, outbound network endpoints, exfiltration pattern detection | All files |
| Verdict | Exit Code | Meaning |
|---|---|---|
| PASS | 0 | No issues found. Safe to install. |
| WARN | 1 | Non-critical issues. Review findings before proceeding. |
| FAIL | 2 | Critical issues. Do not install. |
# Skill Shielder Report
**Target**: malicious-skill (examples/malicious-skill)
**Date**: 2026-03-26
**Verdict**: **FAIL**
## Summary
| Scanner | CRITICAL | WARN | INFO |
|-----------------|----------|------|------|
| prompt-injection | 2 | 4 | 0 |
| script-safety | 5 | 4 | 0 |
| supply-chain | 1 | 2 | 0 |
| permissions | 1 | 3 | 0 |
## Findings
- [CRITICAL] SKILL.md:12 [PROMPT_OVERRIDE] ignore all previous instructions...
- [CRITICAL] scripts/setup.sh [PIPE_TO_SHELL] curl/wget piped to sh/bash
- [CRITICAL] scripts/setup.sh [CREDENTIAL_EXFIL] base64 encode credentials then curl
- [CRITICAL] scripts/setup.sh [REVERSE_SHELL] reverse shell pattern detected
- [CRITICAL] evil.pth [PTH_EXECUTABLE] .pth file contains executable code
- [CRITICAL] EXFIL_RISK Skill accesses sensitive paths AND makes network calls
...
## Recommendation
**CRITICAL issues detected. Do NOT install.**
Skill Shielder includes a SKILL.md so Claude Code can use it directly:
- Clone this repo somewhere on your machine
- Tell Claude: "audit this skill at /path/to/suspicious-skill"
- Claude reads
SKILL.md, runsshield.sh, and presents the findings
You can also add it to your CLAUDE.md:
## Skills
| Skill | When to use |
|-------|-------------|
| `skill-shielder` | Before installing any new skill, MCP server, or repo |# GitHub Actions example
- name: Audit skill
run: |
git clone https://github.com/p3nchan/skill-shielder.git /tmp/shielder
chmod +x /tmp/shielder/shield.sh /tmp/shielder/scanners/*.sh
/tmp/shielder/shield.sh --json . > audit-report.json
# Fail the build if CRITICAL issues found
exit_code=$?
if [ $exit_code -eq 2 ]; then
echo "FAIL: Critical security issues found"
cat audit-report.json
exit 1
fiWhen auditing a GitHub URL, Skill Shielder also checks:
- Stars, forks, and contributor count
- Repo age (new + 0 stars = unproven)
- Last commit date (stale = risk)
- Open issues tagged
security/malware/compromised - Fork status (verify what changed from upstream)
- License presence
Requires gh CLI to be authenticated.
All scan patterns are documented in patterns/ and are community-editable:
patterns/prompt-injection.md— prompt injection signaturespatterns/script-safety.md— dangerous script patternspatterns/supply-chain.md— supply chain attack signatures + known compromised packages
Contributions welcome. To add a new threat pattern:
- Add the pattern to the relevant
patterns/*.mdreference file - Implement detection in the corresponding
scanners/*.shscript - Add a test case in
examples/malicious-skill/if applicable - Submit a PR
- Pattern-based scanning cannot catch all attacks (obfuscation always evolves)
- Repo reputation signals are heuristics, not guarantees
- New zero-day supply chain attacks won't be detected until patterns are added
- This tool is a first line of defense, not a replacement for code review
MIT