A lot of agent ecosystems (Claude/Codex/OpenCode, etc.) store skills as folders with a SKILL.md. These files can contain surprisingly powerful instructions (and sometimes unsafe patterns), but they’re easy to forget once installed. We're also tend to run them with --dangerously-skip-permissions and let them install whatever they want, but I got a bit anxious about it so decided to build a tool to have some peace of mind.
I decided to not go with AST static check but instead use whatever CLI you have locally to validate it.
SkillLens does two things:
1. Discovery: it scans common local skill locations (configurable) and lists what it finds. 2. Optional audit: if you have an auditor CLI installed (claude or codex), it sends each SKILL.md (currently truncated to ~12k chars) to the auditor and asks for structured JSON output:
- verdict: safe | suspicious | unsafe - risk: 0–10 - summary + issues with evidence
It also caches audit results locally so reruns won't check skills again unless those were updated, you installed anything new or you explicitly asked it to do so with --force flag.
Install/run:
npx skilllens scan # or pnpm dlx skilllens scan
Notes / caveats:
- v0.1; I’m still iterating on the prompt/schema and the “what counts as suspicious” heuristics. - Today it sends the skill text to whatever your auditor CLI uses (so treat it like sharing the skill contents with that provider). “Redacted evidence extraction” is planned, but not implemented yet. - If the auditor CLI isn’t installed, it still produces a scan report and marks audits as skipped.