Security Review Lens

by Zantific

other, beginner
Claude Code skill, agent skill security, AI supply chain, skill scanning, Claude

Security Review Lens is a Claude Code skill that scans third-party agent skills before you install them — so you find out a skill tries to phone home or steal credentials before it's running inside your environment, not after. Instead of spitting out a pass/fail verdict, it acts as a highlighter: it surfaces risky patterns and lets you decide.

The skill runs 35 detection rules across four severity tiers — 8 CRITICAL (reverse shells, credential theft, prompt injection, cryptojacking), 8 HIGH (script execution, package installation, persistence), 10 MEDIUM (filesystem access, network requests, dynamic code generation) and 9 LOW (overly broad triggers, missing metadata, scope mismatches). On top of that it runs 7 semantic checks for indirect data leakage, remote access, hidden functionality, self-modification, obfuscation, chained attacks and trust-boundary violations.

Its 9-step workflow covers file location, skill-type classification, frontmatter validation, rule execution, context-aware analysis, semantic checks, attack-surface mapping, red-team analysis and a final review. It deliberately bans the word 'safe' so it never gives you false assurance. It's MIT-licensed and needs no MCP servers to run.

Installation

git clone https://github.com/zantific/skill-security-review-lens.git ~/.claude/skills/skill-review-lens

Key Features

  • 35 detection rules across CRITICAL, HIGH, MEDIUM and LOW severity tiers
  • 7 semantic checks for indirect leakage, hidden functionality, obfuscation and chained attacks
  • Highlights risky patterns instead of issuing a misleading pass/fail verdict
  • 9-step workflow including attack-surface mapping and red-team analysis
  • Deliberately avoids the word 'safe' to prevent false confidence
  • Pure Claude Code skill — MIT-licensed, no MCP servers required

Use Cases

  • Reviewing an agent skill you found on GitHub before dropping it into ~/.claude/skills
  • Auditing skills your team already installed for credential theft or reverse shells
  • Spotting prompt-injection and obfuscation patterns a quick read-through would miss
  • Building a vetting step into your AI supply chain — the install-time complement to runtime scanners like mcp-scan
