Independent directory and educational resource. Not affiliated with Anthropic or Claude.
Safe Skill Environment

Security Audits

Every skill and plugin in our directory is scanned before listing. Here's what we check, how we check it, and what our audit reports look like.

1,200+
Skills Audited
Zero
Known Vulnerabilities Listed
48hr
Review Time

What We Audit

Six categories are reviewed for every skill submission. Critical findings block listing until resolved.

Prompt Injection

We test each skill against prompt injection attacks — attempts to override Claude's behavior through malicious content in the skill instructions.

Data Exfiltration

Skills are reviewed for any instructions that could cause Claude to send sensitive data — code, env vars, secrets — to external services.

Permission Scope

We verify that skills only request the permissions they actually need. Overly broad permissions are flagged and the author is asked to narrow them.

Instruction Clarity

Ambiguous or misleading instructions that could cause Claude to take unintended actions are flagged for rewriting before listing.

Schema Compliance

Every SKILL.md is validated against the official schema. Malformed files that could cause parsing errors are rejected before they reach users.

Dependency Risk

Skills that reference external URLs or scripts are reviewed for the safety of those dependencies before the skill can be approved.

Our Audit Process

From submission to verified listing — here's exactly what happens to every skill we receive.

  1. Submission

    Author submits skill via our form. Automated schema validation runs immediately, catching structural issues before manual review begins.

  2. Manual Review (24h)

    A reviewer installs the skill in an isolated environment and tests it against our full checklist — prompt injection, data handling, permissions, and instruction clarity.

  3. Verification

    If issues are found, the author is contacted with specific, actionable feedback. Skills cannot be listed until all CRITICAL issues are fully resolved.

  4. Listing + Badge

    Clean skills receive a Verified badge and are listed in the directory. Re-audits happen automatically when the skill author publishes an update.

Sample Audit Report

This is what a real audit report looks like. Each skill in the directory has one on file.

Audit Report — smart-git-commit v1.2.0

skill Reviewed May 28, 2026 · Reviewer: Claude Skills Hub team

PASS
Prompt Injection No issues
Data Exfiltration No issues
Permission Scope No issues
Instruction Clarity No issues
Schema Compliance No issues
Dependency Risk No issues
Summary: No issues found. This skill passes all security checks and is approved for listing in the Claude Skills Hub directory.

Report a Concern

Found a security issue in a listed skill?

If you discover a vulnerability, suspicious behavior, or policy violation in any skill listed in our directory, please report it. We review every report within 24 hours.

Report a Skill