skillsafe

Facilitates scanning, saving, sharing, and verifying AI skills through the SkillSafe secured skill registry.

Security score: 0/100

The skillsafe skill was audited on May 12, 2026 and we found 16 security issues across 5 threat categories, including 3 critical. Review the findings below before installing.


Security Issues

critical line 64

Direct command execution function call

Source: SKILL.md
64 | 1. **Python AST analysis** — detects `eval()`, `exec()`, `os.system()`, `subprocess.*`, etc.
critical line 64

Eval function call - arbitrary code execution

Source: SKILL.md
64 | 1. **Python AST analysis** — detects `eval()`, `exec()`, `os.system()`, `subprocess.*`, etc.
critical line 65

Eval function call - arbitrary code execution

Source: SKILL.md
65 | 2. **JS/TS regex analysis** — detects `eval()`, `new Function()`, `child_process`, etc.
high line 64

System command execution

Source: SKILL.md
64 | 1. **Python AST analysis** — detects `eval()`, `exec()`, `os.system()`, `subprocess.*`, etc.
medium line 65

Node child_process module reference

Source: SKILL.md
65 | 2. **JS/TS regex analysis** — detects `eval()`, `new Function()`, `child_process`, etc.
high line 64

Python os.system command execution

Source: SKILL.md
64 | 1. **Python AST analysis** — detects `eval()`, `exec()`, `os.system()`, `subprocess.*`, etc.
medium line 27

Curl to non-GitHub URL

Source: SKILL.md
27 | curl -fsSL https://skillsafe.ai/scripts/skillsafe.py -o "$SKILL_DIR/scripts/skillsafe.py"
low line 25

Access to hidden dotfiles in home directory

Source: SKILL.md
25 | SKILL_DIR="~/.agents/skills/skillsafe"
medium line 57

Access to hidden dotfiles in home directory

Source: SKILL.md
57 | First checks if a saved API key in `~/.skillsafe/config.json` is still valid. If valid, prints account info and exits. If the key is missing, expired, or revoked, opens your browser to sign in (via Go
medium line 97

Access to hidden dotfiles in home directory

Source: SKILL.md
97 | Downloads the archive, verifies the tree hash matches, scans the downloaded files, submits a verification report, and installs. **AI agents should always pass `--tool <self>`** where `<self>` is the a
medium line 201

Access to hidden dotfiles in home directory

Source: SKILL.md
201 | Shows skills from multiple locations: all known tool directories (Claude Code, Cursor, Windsurf, Codex, Gemini, OpenCode, OpenClaw, Cline, Roo, Goose, Copilot, Kiro, Trae, AMP, Aider, VS Code, Antigra
medium line 360

Access to hidden dotfiles in home directory

Source: SKILL.md
360 | Credentials are stored in `~/.skillsafe/config.json`. By default, `install` places skills in `.agents/skills/` in the current project directory and auto-symlinks into detected agent directories. Use `
medium line 70

Base64 decode operation

Source: SKILL.md
70 | 7. **base64 deep-scan** — decodes blobs and re-scans for hidden payloads
low line 27

External URL reference

Source: SKILL.md
27 | curl -fsSL https://skillsafe.ai/scripts/skillsafe.py -o "$SKILL_DIR/scripts/skillsafe.py"
low line 149

External URL reference

Source: SKILL.md
149 | > To **design and produce a polished showcase demo from scratch** (rather than recording an existing session), read `submit-skill-demo.md` in this skill's directory, or fetch it from `https://skillsaf
low line 356

External URL reference

Source: SKILL.md
356 | - "comment on a demo" / "reply to a comment" / "post a comment on demo dmo_..." -> read `submit-demo-comment.md` in this skill's directory, or fetch `https://skillsafe.ai/submit-demo-comment.md`
Scanned on May 12, 2026