What is inspect-skills used for?

To analyze Agent Skills for spec compliance, security, and provider compatibility with the skill-inspector tool.

Do I need API keys to run a full inspection?

Yes. A valid LLM API key is required and the tool checks several environment variables; it will error if none are set.

How do I view results?

Use the default output for readability or run with --json to get structured results and the scoring.

inspect-skills

npx machina-cli add skill yu-iskw/skill-inspector/inspect-skills --openclaw

Files (1)

SKILL.md

1.7 KB

Inspect Agent Skills

Purpose

Run the skill-inspector CLI to analyze one or more Agent Skills for spec compliance, security (e.g. RCE, data exfiltration), and provider compatibility. Use this skill when you need to validate, audit, or harden Agent Skills.

When to Use

The user asks to "inspect skills", "validate skills", "audit skills for security", or "check skill compliance".
You need to verify a skill directory or repo before adopting or recommending it.
You want a 0–100 score and actionable findings for a skill or skill set.

How to Use

List skills only (no LLM required): From the repo or directory that contains skills, run:
```
./scripts/list-skills.sh [source]
```
Example: ./scripts/list-skills.sh . or ./scripts/list-skills.sh owner/repo.
Full inspection (requires at least one LLM API key): Run:
```
./scripts/inspect.sh [source] [options]
```
The script checks for ANTHROPIC_API_KEY, OPENAI_API_KEY, GOOGLE_API_KEY, MISTRAL_API_KEY, or GROQ_API_KEY and exits with a clear error if none are set.

Examples:
- ./scripts/inspect.sh . — inspect all skills in current directory
- ./scripts/inspect.sh ./my-skill --provider anthropic
- ./scripts/inspect.sh owner/repo -s "skill-name" --json
Interpret results: See references/cli-usage.md for score ranges, severity levels, and --json output.

Resources

CLI usage and options: Flags, providers, and environment variables.

Source

git clone https://github.com/yu-iskw/skill-inspector/blob/main/skills/inspect-skills/SKILL.mdView on GitHub

Overview

Analyze Agent Skills for spec compliance, security risks, and provider compatibility using the skill-inspector CLI. This helps teams validate, audit, and harden skills before adoption or recommendation.

How This Skill Works

Run the CLI to list skills or perform a full inspection. The tool checks for API keys (ANTHROPIC_API_KEY, OPENAI_API_KEY, GOOGLE_API_KEY, MISTRAL_API_KEY, GROQ_API_KEY) and exits with an error if none are set, then returns a 0–100 score and actionable findings. You can view results in human-readable output or with --json for structured data.

When to Use It

The user asks to 'inspect skills' or 'validate skills' for compliance.
You need to verify a skill directory or repo before adoption or recommendation.
You want a 0–100 score and actionable findings for a skill or skill set.
Auditing skills for security risks like RCE or data exfiltration.
Hardening or governance – verifying provider compatibility and spec adherence.

Quick Start

Step 1: List skills from a source: ./scripts/list-skills.sh .
Step 2: Run a full inspection with API keys: ./scripts/inspect.sh ./my-skill --provider openai
Step 3: Review the score and findings (human-readable or --json).

Best Practices

List skills first to map scope using ./scripts/list-skills.sh [source].
Run a full inspect.sh with API keys set to get a complete score and findings.
Review the JSON or human-readable report for high-risk signals.
Cross-check provider compatibility across Anthropic, OpenAI, Google, etc.
Document trusted skills and maintain audit logs for governance.

Example Use Cases

Pre-deployment audit of a new Skill repo before onboarding.
Audit a contractor's skill directory for security before reuse.
Compare several skills for spec compliance and provider readiness.
Identify Skills with potential exfiltration risk during review.
Generate a scorecard for a skill set to present to security team.

Frequently Asked Questions

Add this skill to your agents