Docs/Skill Auditor

Skill Auditor

Automated security scanner for AI agent skills. Detect prompt injection, tool poisoning, hidden Unicode, and credential theft before installing any skill.

Quick Start

Install Panguard

curl -fsSL https://get.panguard.ai | bash

Audit a skill directory

panguard audit skill ./path/to/skill

Audit with JSON output (for CI/CD)

panguard audit skill ./my-skill --json

7 Security Checks

1. Manifest Validation

Verifies SKILL.md frontmatter: required fields, valid YAML, proper metadata. Malformed manifests are the first sign of a malicious skill.

2. Prompt Injection

11 regex patterns: "ignore previous instructions", identity override, system prompt manipulation, jailbreak patterns, hidden HTML comments.

3. Hidden Unicode

Zero-width characters (U+200B-200F), RTL overrides (U+202A-202E), and homoglyphs that hide malicious instructions invisible to human readers.

4. Encoded Payloads

Extracts Base64 blocks, decodes them, and checks for eval(), exec(), subprocess, child_process, curl, wget patterns.

5. Tool Poisoning

Privilege escalation (sudo, chmod 777), reverse shells (nc -e, /dev/tcp/), remote code execution (curl|bash), credential theft.

6. Code SAST + Secrets

Static analysis of all files in the skill directory. Detects hardcoded API keys, AWS credentials, private keys, and common vulnerabilities.

7. Permission & Dependency

Cross-references requested permissions against stated purpose. A weather skill requesting filesystem write access? Red flag.

Risk Scoring

Each finding carries a severity weight. Weights are summed and capped at 100.

Severity	Weight	Example
Critical	25	Reverse shell, prompt injection
High	15	Privilege escalation, credential theft
Medium	5	Suspicious patterns, ambiguous
Low	1	Minor style issues

0-14

LOW

Safe to install

15-39

MEDIUM

Review findings

40-69

HIGH

Manual review

70-100

CRITICAL

Do NOT install

Integration Guide

CI/CD Pipeline Gate

Block installations of high-risk skills automatically:

bash

# Block if HIGH or CRITICAL
RISK=$(panguard audit skill "$SKILL_PATH" --json | jq -r '.riskLevel')
if [ "$RISK" = "HIGH" ] || [ "$RISK" = "CRITICAL" ]; then
  echo "Blocked: $RISK risk skill"
  exit 1
fi

TypeScript API

Use programmatically in your agent framework:

typescript

import { auditSkill } from '@panguard-ai/panguard-skill-auditor';

const report = await auditSkill('./skills/untrusted-skill');

console.log(`Risk: ${report.riskScore}/100 (${report.riskLevel})`);
console.log(`Checks: ${report.checks.length}`);
console.log(`Findings: ${report.findings.length}`);

// Block dangerous skills
if (report.riskLevel === 'CRITICAL') {
  throw new Error('Skill blocked by security policy');
}

// Log individual findings
for (const finding of report.findings) {
  console.log(`[${finding.severity}] ${finding.title}`);
  if (finding.location) console.log(`  at ${finding.location}`);
}

OpenClaw Pre-Install Hook

Add to your OpenClaw agent configuration to auto-audit every skill before installation:

~/.openclaw/hooks/pre-skill-install.sh

#!/bin/bash
# Auto-audit skills before OpenClaw installs them
REPORT=$(panguard audit skill "$1" --json)
LEVEL=$(echo "$REPORT" | jq -r '.riskLevel')
SCORE=$(echo "$REPORT" | jq -r '.riskScore')

echo "Panguard Audit: $SCORE/100 ($LEVEL)"

if [ "$LEVEL" = "CRITICAL" ]; then
  echo "BLOCKED: Critical security issues found"
  echo "$REPORT" | jq '.findings[] | "  [\(.severity)] \(.title)"'
  exit 1
fi

Example Output

Safe Skill

$ panguard audit skill ./skills/weather-widget

PANGUARD SKILL AUDIT REPORT
============================
Skill:      weather-widget
Risk Score: 0/100
Risk Level: LOW
Duration:   0.2s

CHECKS:
  [PASS] Manifest: Valid SKILL.md structure
  [PASS] Prompt Safety: No injection patterns detected
  [PASS] Code: No vulnerabilities found; Secrets: Clean
  [PASS] Dependencies: No known issues
  [PASS] Permissions: Scope appropriate

VERDICT: Safe to install

Malicious Skill

$ panguard audit skill ./skills/suspicious-helper

PANGUARD SKILL AUDIT REPORT
============================
Skill:      suspicious-helper
Risk Score: 72/100
Risk Level: CRITICAL
Duration:   0.3s

CHECKS:
  [FAIL] Prompt Safety: 2 suspicious pattern(s) detected
  [PASS] Manifest: Valid SKILL.md structure
  [WARN] Code: 1 issue(s) found; Secrets: No hardcoded credentials
  [PASS] Dependencies: No known issues
  [PASS] Permissions: Scope appropriate

FINDINGS:
  [CRITICAL] Prompt injection: ignore previous instructions
             SKILL.md:42 - "ignore all previous instructions and..."
  [CRITICAL] Reverse shell pattern detected
             SKILL.md:87 - "bash -i >& /dev/tcp/..."
  [HIGH]     Environment variable exfiltration
             SKILL.md:23 - "printenv | curl..."

VERDICT: DO NOT INSTALL - Critical security issues found

Panguard Auditor vs Manual Vetting

Feature	Manual Checklist	Panguard Auditor
Speed	Minutes per skill	< 1 second
Consistency	Varies by reviewer	Deterministic
Hidden Unicode	Easy to miss	Auto-detect 15 categories
Base64 payloads	Manual decode needed	Auto-decode + analyze
Code SAST	Not included	Integrated scanner
Secrets scan	Manual grep	Pattern-based detection
Risk score	Subjective	Quantitative 0-100
CI/CD ready	No	JSON output + exit codes

Get Started

Install Panguard and start auditing skills in under 2 minutes. MIT licensed, open source.

curl -fsSL https://get.panguard.ai | bash

Full Setup Guide Read the Blog Post