Free Claude Skill Scans Other Skills for Security Risks

A developer has created a free Claude skill designed to review the security of other Claude skills. The tool addresses concerns about the security review ecosystem for community-created skills, which the developer compares to the early days of open source package security.
What the Skill Does
The skill inspects Claude skills before use by:
- Checking the skill code for potentially malicious behavior
- Reviewing the repository using a scorecard-style approach to surface basic security signals
The developer built the project specifically for Claude to help answer the question: "Does this Claude skill look reasonably safe to use?"
Development Process
Claude assisted with parts of the development, including:
- Shaping the workflow
- Refining the checks
- Speeding up implementation
Availability and Feedback
The tool is free to try at: https://github.com/CloudSecurityPartners/skills
The developer is seeking feedback from people building or using Claude skills, particularly around what security checks would be most useful.
📖 Read the full source: r/ClaudeAI
👀 See Also

OpenClaw User Adds TOTP 2FA After Agent Exposed API Keys in Plain Text
An OpenClaw user created a security skill called 'Secure Reveal' that requires TOTP authentication via Telegram before displaying stored credentials, after their AI agent accidentally leaked API keys and passwords in plain text during a demo.

MCP Sandbox: Run MCP Servers in Isolated Containers Without Trusting Them
A developer built MCP Sandbox, which runs MCP servers in isolated gVisor containers with default-deny network access and safe secret injection, plus pre-execution CVE scanning and pattern checking.

OpenClaw Slack Security: API Key Exposure Risks and Fixes
OpenClaw Slack deployments can expose API keys through error messages in channels, with over 8,000 instances found exposed in a Bitsight report. The source details three specific vulnerabilities and provides practical fixes including system prompt modifications and SlackClaw migration.

OpenClaw's External Content Wrapper for Prompt Injection Defense
OpenClaw uses an external content wrapper that automatically tags web search results, API responses, and similar content with warnings that it's untrusted, priming the LLM to be skeptical and more likely to refuse malicious instructions.