security-check

📁 sunu-py-jp/security-check-skill 📅 5 days ago

总安装量

周安装量

#69851

全站排名

安装命令

npx skills add https://github.com/sunu-py-jp/security-check-skill --skill security-check

Agent 安装分布

claude-code 2

mcpjam 1

kilo 1

junie 1

windsurf 1

zencoder 1

Skill 文档

Security Check

Evaluate skills and MCP servers for security vulnerabilities and malicious code before installation.

Workflow

1. Determine Target Type

Identify whether the target is a Skill or MCP server:

Skill: .skill file (zip), or directory containing SKILL.md
MCP server: Repository or directory containing MCP server implementation (typically with package.json or pyproject.toml and tool definitions)

If a .skill file is provided, extract it first:

unzip <file>.skill -d /tmp/skill-review/

2. Inventory All Files

List every file in the target. Categorize by risk level:

Risk	File types
Critical	`.py`, `.js`, `.ts`, `.sh`, `.bash`, executable files
High	`SKILL.md`, tool definitions, `package.json`, config files
Medium	`.md` references, `.json` schemas, `.yaml`/`.yml`
Low	Static assets (images, fonts, templates)

Read and analyze all Critical and High risk files. Scan Medium risk files for injection patterns.

3. Run Security Checks

Load the appropriate checklist based on target type:

Skill: Read references/skill-checklist.md
MCP server: Read references/mcp-checklist.md

For both types, also reference references/threat-patterns.md to match against known malicious patterns.

Evaluate every item in the checklist. Do not skip items.

4. Output Report

Output a structured security report in the following format:

## Security Audit Report

**Target**: [name and type]
**Risk Level**: SAFE / CAUTION / DANGER

### Summary
[1-2 sentence overall assessment]

### Findings

#### Critical (immediate threats)
- [finding with file path and line number]

#### Warning (potential risks)
- [finding with file path and line number]

#### Info (notes)
- [finding]

### File Analysis
| File | Risk | Status | Notes |
|------|------|--------|-------|
| ... | ... | ... | ... |

### Recommendation
[ ] Safe to install
[ ] Install with caution â [specific concerns]
[ ] Do NOT install â [reason]

Risk Level criteria:

SAFE: No findings at Critical or Warning level
CAUTION: Warning-level findings exist but no Critical findings
DANGER: One or more Critical findings

Important Rules

Read every script file in its entirety. Do not skim or skip files.
Check for obfuscated code â base64, hex encoding, compressed payloads, unicode tricks.
Verify that external URLs are legitimate and necessary.
Flag any network communication that sends local data outbound.
Always report the specific file path and line number for each finding.
When uncertain, err on the side of caution and flag as Warning.

GitHub 仓库 ↗ ← 返回陌讯 Skills 聚合平台