What this release does
- Finds Agent Skill repositories with
SKILL.md. - Scores candidates by task fit, maintenance, license, structure, docs, examples, and safety signals.
- Flags overbroad triggers, prompt injection, secret access, destructive commands, opaque installers, and obfuscated execution.
- Installs only the selected skill folder after user approval.
- Adds issue templates, PR template, filled demo outputs, an unsafe scanner fixture, and a risk model.
Try it in 3 minutes
python scripts/audit_skills.py audit --dest examples/fixturesExpected shape: the unsafe fixture is flagged for an overbroad trigger plus secret-access and opaque-installer patterns.
Safety boundary
This is a heuristic reviewer, not a guarantee that third-party skills are safe. The goal is to make risk visible before installation.