skillscatalog/skill-safety-scanner
skills/skill-safety-scanner/SKILL.md
Run local safety scans on Agent Skills before publishing. Detects secrets, dangerous code patterns, and analyzes required permissions.
$ install --global
skillsauthnpx skillsauth add skillscatalog/registry skill-safety-scannerInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 14, 2026, 2:33 AM19.9s3 files scanned
SKILL.md
- name:
- skill-safety-scanner
- description:
- Run local safety scans on Agent Skills before publishing. Detects secrets, dangerous code patterns, and analyzes required permissions.
- version:
- 1.0.0
- license:
- MIT
- author:
- @anthropic-agent-skills
Instructions
Use this skill to run safety scans on any Agent Skill directory before publishing. The scanner detects:
- Secrets - Hardcoded API keys, tokens, passwords, private keys
- Dangerous Code - eval(), exec(), command injection, XSS patterns
- Permissions - Required capabilities (filesystem, network, subprocess, etc.)
When to Use
- Before submitting a skill for publication
- To preview what the catalog safety scan will find
- To identify and fix security issues early
- As part of CI/CD pipelines
How to Use
Scan a skill directory:
Scan the skill at /path/to/my-skill for safety issues
Get detailed output:
python3 safety_scan.py /path/to/my-skill --verbose
Get JSON output for CI integration:
python3 safety_scan.py /path/to/my-skill --json
Output
Safety Scan Report
Skill: my-skill
Grade: B (85/100)
Scores:
Secrets: 100/100
Dangerous Code: 70/100
Permissions Detected:
- filesystem
- network
Findings (1):
[medium] Potential command injection
File: scripts/main.py:42
Code: subprocess.run(cmd, shell=True)
Recommendation: Review the finding above before publishing.
Examples
Basic scan:
User: Scan my skill at ./document-tools for safety issues
Agent: Running safety scan on ./document-tools...
Grade: A (95/100)
No critical issues found.
Finding secrets:
User: Check ./my-api-client for security issues
Agent: Running safety scan...
Grade: F (0/100)
Findings:
[critical] Hardcoded API key detected
File: config.py:5
Code: API_KEY = "sk-ant-..."
You must remove this secret before publishing.
Limitations
- Does not scan dependencies (use npm audit / pip-audit separately)
- Pattern-based detection may have false positives
- Cannot detect all security issues (not a replacement for security review)
- Scans local files only (not GitHub URLs)
Dependencies
- Python 3.9+
- No external dependencies (uses Python stdlib)
Related Skills
skillscatalog/my-skill-name
tools
VerifiedTrustedCommunity
A brief description of what this skill does
1SKILL.mdUpdated Apr 14, 2026
skillscatalog/skill-validator
development
VerifiedTrustedCommunity
Validate Agent Skills against the specification. Checks SKILL.md format, frontmatter fields, naming conventions, and directory structure.
1SKILL.mdUpdated Apr 14, 2026
skillscatalog/skill-search
development
VerifiedTrustedCommunity
Search the Agent Skills Catalog to find skills by keyword, vendor, or category.
1SKILL.mdUpdated Apr 14, 2026
skillscatalog/skill-publisher
development
VerifiedTrustedCommunity
Submit Agent Skills to catalogs for publication. Validates, scans, and submits skills via the skillscatalog.ai API.
1SKILL.mdUpdated Apr 14, 2026