Is escwxyz/skills safe?
https://github.com/escwxyz/skills
This skill is a legitimate defensive security tool for auditing other agent skills. It bundles two safe, stdlib-only Python scripts for automated pattern scanning and dependency extraction, with no network access, no sensitive file reads, and no obfuscation. The primary risk surface is the agent being instructed to execute bundled scripts, but both are transparent, read-only, and well-documented.
Findings (5)
LOW Bundled Python scripts executed by agent (score -18)
SKILL.md instructs the agent to run 'python3 scripts/quick_validate.py
INFO Agent instructed to run specific commands (score -12)
The skill workflow directs the agent to execute two shell commands. The commands are well-scoped to the target skill path and do not escalate privileges or access sensitive resources, but this represents implicit command-injection surface if the skill files were modified post-install.
INFO Self-audit exclusion mechanism (score -15)
audit_skill.py contains DEFAULT_SELF_AUDIT_EXCLUDES that automatically skip scanning its own scripts and reference files when auditing itself. While documented and disablable via --no-default-self-excludes, this reduces self-audit coverage by default.
INFO Scripts read arbitrary paths passed as arguments (score -4)
Both Python scripts accept a skill_path argument and recursively scan all files within it. If the agent were tricked into passing a sensitive directory instead of a skill directory, the scripts would read and output file contents. This is mitigated by the skill's documented purpose and the agent's own judgment.
INFO Expected network activity during installation (score -5)
Network traffic during clone was limited to GitHub (git clone), Ubuntu system services, Cloudflare CDN, and AWS endpoints — all consistent with normal git clone and system background processes. No suspicious or unexpected destinations.