Security Audits
Every skill and plugin in our directory is scanned before listing. Here's what we check, how we check it, and what our audit reports look like.
Coverage
What We Audit
Six categories are reviewed for every skill submission. Critical findings block listing until resolved.
Prompt Injection
We test each skill against prompt injection attacks — attempts to override Claude's behavior through malicious content in the skill instructions.
Data Exfiltration
Skills are reviewed for any instructions that could cause Claude to send sensitive data — code, env vars, secrets — to external services.
Permission Scope
We verify that skills only request the permissions they actually need. Overly broad permissions are flagged and the author is asked to narrow them.
Instruction Clarity
Ambiguous or misleading instructions that could cause Claude to take unintended actions are flagged for rewriting before listing.
Schema Compliance
Every SKILL.md is validated against the official schema. Malformed files that could cause parsing errors are rejected before they reach users.
Dependency Risk
Skills that reference external URLs or scripts are reviewed for the safety of those dependencies before the skill can be approved.
Process
Our Audit Process
From submission to verified listing — here's exactly what happens to every skill we receive.
-
Submission
Author submits skill via our form. Automated schema validation runs immediately, catching structural issues before manual review begins.
-
Manual Review (24h)
A reviewer installs the skill in an isolated environment and tests it against our full checklist — prompt injection, data handling, permissions, and instruction clarity.
-
Verification
If issues are found, the author is contacted with specific, actionable feedback. Skills cannot be listed until all CRITICAL issues are fully resolved.
-
Listing + Badge
Clean skills receive a Verified badge and are listed in the directory. Re-audits happen automatically when the skill author publishes an update.
Example
Sample Audit Report
This is what a real audit report looks like. Each skill in the directory has one on file.
Audit Report — smart-git-commit v1.2.0
Community Safety
Report a Concern
Found a security issue in a listed skill?
If you discover a vulnerability, suspicious behavior, or policy violation in any skill listed in our directory, please report it. We review every report within 24 hours.