How do I install skills-security-check?

Run `npx skills add https://github.com/toolsai/skills-security-check --skill skills-security-check` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does skills-security-check support?

skills-security-check works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is skills-security-check free to use?

Yes. skills-security-check is free to install and use. It is available from the open explainx.ai skill registry published by toolsai.

Where can I read ratings and reviews for skills-security-check?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

Productivity

skills-security-check▌

toolsai/skills-security-check · updated Apr 8, 2026

$npx skills add https://github.com/toolsai/skills-security-check --skill skills-security-check

summary

CRITICAL INSTRUCTION FOR AI AGENTS:

›You are NOT just a command-runner. You are the Lead Security Analyst.
›This tool provides the data, but YOU provide the intelligence.

skill.md

Skill: Skills-Security-Check

CRITICAL INSTRUCTION FOR AI AGENTS: You are NOT just a command-runner. You are the Lead Security Analyst. This tool provides the data, but YOU provide the intelligence.

⚡️ The 3-Step Agentic Workflow (MANDATORY)

You MUST follow this loop whenever using this skill:

Step 1: Run the Scanner (Data Collection)

Execute the scanner to generate the raw data and "Audit Prompts".

python3 scripts/scan_skills.py --root /path/to/target/projects

This command will generate *_audit_prompt.txt files in the reports/YYYYMMDD.../prompts/ directory.

Step 2: 🛑 MANDATORY AI ANALYSIS (CRITICAL)

The Scanner's job is done. Now YOUR job begins. You MUST process the generated audit prompts.

Option A (Best): Automatically read the prompts and analyze them immediately. Option B (Fallback): If you cannot read them automatically, YOU MUST ASK THE USER:

"Scanner finished. I see {N} audit prompts generated. Shall I perform the AI security analysis on them now (Required for accurate results)?"

Requirement:

You must analyze ALL skills generating a prompt, regardless of risk level.
Generate audit.json for each skill.

Step 3: Integrate & Present

Run the scanner ONE MORE TIME. It will detect your audit.json files and bake them into the final report.

python3 scripts/scan_skills.py --root /path/to/target/projects

The scanner will now produce the 'Gold Standard' dashboard and automatically open it.

Technical Details

Scanner Logic: Regex-based static analysis. High false-positive rate.
Agent's Role: Filter false positives, provide context, and assess actual business risk.
Output: reports/YYYYMMDD_HHMMSS/index.html (The final artifact for the user).

Example Scenario: User: "Audit my skills." Agent:

Runs scan_skills.py.
Sees zimage_audit_prompt.txt flagged "High Risk".
Reads the prompt, realizes it's just an API client.
Writes audit.json marking it "Medium Risk" (requires API key).
Re-runs scan_skills.py to finalize the dashboard.

How to run

Run the scanner on a root folder that contains multiple skills:

python3 /Users/mattchan/.agents/skills/skill-security-audit-dashboard/scripts/scan_skills.py \
  --root /Users/mattchan/.agents/skills \
  --out /Users/mattchan/.agents/skills/skill-security-audit-dashboard/security-dashboard.html

Open the generated HTML dashboard file to view the results.

Notes

This is a static heuristic scan. It does not execute code.
The scanner avoids outputting raw secrets. It only reports file locations and categories.
If you need a JSON file as well, pass --json /path/to/output.json.

Arguments

--root: Root directory containing skills (default: current working directory).
--out: Path to the output HTML dashboard.
--json: Optional path to write raw JSON output.

general reviews

Ratings

4.4★★★★★47 reviews

★★★★★Sofia Ndlovu· Dec 24, 2024
Keeps context tight: skills-security-check is the kind of skill you can hand to a new teammate without a long onboarding doc.
★★★★★Hiroshi Robinson· Dec 16, 2024
I recommend skills-security-check for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
★★★★★Chaitanya Patil· Dec 12, 2024
Keeps context tight: skills-security-check is the kind of skill you can hand to a new teammate without a long onboarding doc.
★★★★★Michael Yang· Dec 12, 2024
skills-security-check has been reliable in day-to-day use. Documentation quality is above average for community skills.
★★★★★Kwame Gonzalez· Nov 15, 2024
Registry listing for skills-security-check matched our evaluation — installs cleanly and behaves as described in the markdown.
★★★★★Sophia Jackson· Nov 7, 2024
Solid pick for teams standardizing on skills: skills-security-check is focused, and the summary matches what you get after install.
★★★★★Piyush G· Nov 3, 2024
Registry listing for skills-security-check matched our evaluation — installs cleanly and behaves as described in the markdown.
★★★★★Sophia Srinivasan· Nov 3, 2024
Useful defaults in skills-security-check — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
★★★★★Sophia Tandon· Oct 26, 2024
skills-security-check has been reliable in day-to-day use. Documentation quality is above average for community skills.
★★★★★Shikha Mishra· Oct 22, 2024
skills-security-check reduced setup friction for our internal harness; good balance of opinion and flexibility.

showing 1-10 of 47

1 / 5