skill-audit

Runs a deterministic static safety audit for third-party AI skill or plugin repositories before install or execution. Use when asked to scan a skill repo, assess whether a repo is safe to install, run a skill safety assessment, or produce evidence-backed findings for pre-install security screening.

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "skill-audit" with this command: npx skills add modeioai/skill-audit-modeio

Run pre-install repository safety audits

Use this skill to evaluate a skill, plugin, or repository before you install it, trust it, or recommend it.

This skill is for static evidence-backed auditing only. It does not execute code, install dependencies, or run hooks in the target repository.

Maintainer-only validation and benchmark assets are excluded from ClawHub uploads.

Scope

  • Included:
    • deterministic repository audit through evaluate / scan
    • prompt payload generation through prompt
    • evidence-linkage checks through validate
    • context-aware merge flow through adjudicate
  • Not included:
    • code execution inside the target repository
    • dependency installation or hook execution in the target repository
    • benchmark helper workflows as the normal published runtime path

Working directory

Run these commands from inside the skill-audit folder.

Requirements

  • Hard requirement: python3
  • Optional enhancement: git for commit metadata and GitHub-origin discovery
  • Optional enhancement: GITHUB_TOKEN for higher GitHub API rate limits

Core commands

Installed entrypoint:

skill-audit evaluate --target-repo /path/to/repo --json > /tmp/skill_scan.json
skill-audit prompt --target-repo /path/to/repo --scan-file /tmp/skill_scan.json --include-full-findings
skill-audit validate --scan-file /tmp/skill_scan.json --assessment-file /tmp/assessment.md --json
skill-audit adjudicate --scan-file /tmp/skill_scan.json --assessment-file /tmp/adjudication.json --json

Repo-local wrapper:

python3 scripts/skill_safety_assessment.py evaluate --target-repo /path/to/repo --json > /tmp/skill_scan.json
python3 scripts/skill_safety_assessment.py prompt --target-repo /path/to/repo --scan-file /tmp/skill_scan.json --include-full-findings
python3 scripts/skill_safety_assessment.py validate --scan-file /tmp/skill_scan.json --assessment-file /tmp/assessment.md --json
python3 scripts/skill_safety_assessment.py adjudicate --scan-file /tmp/skill_scan.json --assessment-file /tmp/adjudication.json --json

Compatibility alias:

python3 scripts/skill_safety_assessment.py scan --target-repo /path/to/repo --json > /tmp/skill_scan.json

Runtime notes

  • evaluate always attempts the GitHub OSINT precheck first when the target repository has a GitHub origin
  • evaluate intentionally skips target-repo tests/ and fixture paths so the result stays focused on installable runtime surfaces
  • prompt should follow a deterministic scan; validate checks model-written output against scan evidence; adjudicate handles context-sensitive merge decisions
  • scripts/run_repo_set.py is a maintainer benchmark helper and is not part of the normal ClawHub runtime flow
  • Use --json whenever you want the full deterministic report with integrity, scoring, highlights, and findings

References

  • references/architecture.md — package layout and scan pipeline.
  • references/prompt-contract.md — strict prompt contract for model-assisted review.
  • references/output-contract.md — JSON/report contract and compatibility expectations.

When not to use

  • Live execution-time safety checks for commands or operations
  • Content transformation tasks that need to mask, rewrite, or restore sensitive data
  • Local routing or middleware scenarios where requests must flow through a gateway

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open Registry RecordOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

AI Boss Assistant

Transform any AI into a professional executive assistant with battle-tested personas and workflows. Complete templates for Google Workspace integration (Gmail, Calendar, Drive), milestone delivery system, and security guidelines.

Registry SourceRecently Updated
23.2K
jacky6658
Security

On-Chain Skill Audit

On-chain skill provenance registry. Check, register, audit, and vouch for agent skills on Solana. Use when evaluating skill safety, registering new skills, or looking up provenance before installation.

Registry SourceRecently Updated
01K
Profile unavailable
Security

Solidity LSP

Solidity language server providing smart contract development support including compilation, linting, security analysis, and code intelligence for .sol files. Use when working with Ethereum smart contracts, Substrate pallets, or any Solidity code that needs compilation, security checks, gas optimization, or code navigation. Essential for ClawChain pallet development.

Registry SourceRecently Updated
0848
Profile unavailable