diff --git a/skills/skill-install/SKILL.md b/skills/skill-install/SKILL.md new file mode 100644 index 0000000..a802f78 --- /dev/null +++ b/skills/skill-install/SKILL.md 
@@ -0,0 +1,167 @@ +--- +name: skill-install +description: Install Claude skills from GitHub repositories with automated security scanning. Triggers when users want to install skills from a GitHub URL, need to browse available skills in a repository, or want to safely add new skills to their Claude environment. +--- + +# Skill Install + +## Overview + +Install Claude skills from GitHub repositories with built-in security scanning to protect against malicious code, backdoors, and vulnerabilities. + +## When to Use + +Trigger this skill when the user: +- Provides a GitHub repository URL and wants to install skills +- Asks to "install skills from GitHub" +- Wants to browse and select skills from a repository +- Needs to add new skills to their Claude environment + +## Workflow + +### Step 1: Parse GitHub URL + +Accept a GitHub repository URL from the user. The URL should point to a repository containing a `skills/` directory. + +Supported URL formats: +- `https://github.com/user/repo` +- `https://github.com/user/repo/tree/main/skills` +- `https://github.com/user/repo/tree/branch-name/skills` + +Extract: +- Repository owner +- Repository name +- Branch (default to `main` if not specified) + +### Step 2: Fetch Skills List + +Use the WebFetch tool to retrieve the skills directory listing from GitHub. + +GitHub API endpoint pattern: +``` +https://api.github.com/repos/{owner}/{repo}/contents/skills?ref={branch} +``` + +Parse the response to extract: +- Skill directory names +- Each skill should be a subdirectory containing a SKILL.md file + +### Step 3: Present Skills to User + +Use the AskUserQuestion tool to let the user select which skills to install. + +Set `multiSelect: true` to allow multiple selections. + +Present each skill with: +- Skill name (directory name) +- Brief description (if available from SKILL.md frontmatter) + +### Step 4: Fetch Skill Content + +For each selected skill, fetch all files in the skill directory: + +1. 
Get the file tree for the skill directory +2. Download all files (SKILL.md, scripts/, references/, assets/) +3. Store the complete skill content for security analysis + +Use WebFetch with GitHub API: +``` +https://api.github.com/repos/{owner}/{repo}/contents/skills/{skill_name}?ref={branch} +``` + +For each file, fetch the raw content: +``` +https://raw.githubusercontent.com/{owner}/{repo}/{branch}/skills/{skill_name}/{file_path} +``` + +### Step 5: Security Scan + +**CRITICAL:** Before installation, perform a thorough security analysis of each skill. + +Read the security scan prompt template from `references/security_scan_prompt.md` and apply it to analyze the skill content. + +Examine for: +1. **Malicious Command Execution** - eval, exec, subprocess with shell=True +2. **Backdoor Detection** - obfuscated code, suspicious network requests +3. **Credential Theft** - accessing ~/.ssh, ~/.aws, environment variables +4. **Unauthorized Network Access** - external requests to suspicious domains +5. **File System Abuse** - destructive operations, unauthorized writes +6. **Privilege Escalation** - sudo attempts, system modifications +7. **Supply Chain Attacks** - suspicious package installations + +Output the security analysis with: +- Security Status: SAFE / WARNING / DANGEROUS +- Risk Level: LOW / MEDIUM / HIGH / CRITICAL +- Detailed findings with file locations and severity +- Recommendation: APPROVE / APPROVE_WITH_WARNINGS / REJECT + +### Step 6: User Decision + +Based on the security scan results: + +**If SAFE (APPROVE):** +- Proceed directly to installation + +**If WARNING (APPROVE_WITH_WARNINGS):** +- Display the security warnings to the user +- Use AskUserQuestion to confirm: "Security warnings detected. Do you want to proceed with installation?" 
+- Options: "Yes, install anyway" / "No, skip this skill" + +**If DANGEROUS (REJECT):** +- Display the critical security issues +- Refuse to install +- Explain why the skill is dangerous +- Do NOT provide an option to override for CRITICAL severity issues + +### Step 7: Install Skills + +For approved skills, install to `~/.claude/skills/`: + +1. Create the skill directory: `~/.claude/skills/{skill_name}/` +2. Write all skill files maintaining the directory structure +3. Ensure proper file permissions (executable for scripts) +4. Verify SKILL.md exists and has valid frontmatter + +Use the Write tool to create files. + +### Step 8: Confirmation + +After installation, provide a summary: +- List of successfully installed skills +- List of skipped skills (if any) with reasons +- Location: `~/.claude/skills/` +- Next steps: "The skills are now available. Restart Claude or use them directly." + +## Example Usage + +**User:** "Install skills from https://github.com/example/claude-skills" + +**Assistant:** +1. Fetches skills list from the repository +2. Presents available skills: "skill-a", "skill-b", "skill-c" +3. User selects "skill-a" and "skill-b" +4. Performs security scan on each skill +5. skill-a: SAFE - proceeds to install +6. skill-b: WARNING (makes HTTP request) - asks user for confirmation +7. Installs approved skills to ~/.claude/skills/ +8. 
Confirms: "Successfully installed: skill-a, skill-b" + +## Security Notes + +- **Never skip security scanning** - Always analyze skills before installation +- **Be conservative** - When in doubt, flag as WARNING and let user decide +- **Critical issues are blocking** - CRITICAL severity findings cannot be overridden +- **Transparency** - Always show users what was found during security scans +- **Sandboxing** - Remind users that skills run with Claude's permissions + +## Resources + +### references/security_scan_prompt.md + +Contains the detailed security analysis prompt template with: +- Complete list of security categories to check +- Output format requirements +- Example analyses for safe, suspicious, and dangerous skills +- Decision criteria for APPROVE/REJECT recommendations + +Load this file when performing security scans to ensure comprehensive analysis. diff --git a/skills/skill-install/references/security_scan_prompt.md b/skills/skill-install/references/security_scan_prompt.md new file mode 100644 index 0000000..0f86d27 --- /dev/null +++ b/skills/skill-install/references/security_scan_prompt.md 
@@ -0,0 +1,137 @@ +# Security Scan Prompt for Skills + +Use this prompt template to analyze skill content for security vulnerabilities before installation. + +## Prompt Template + +``` +You are a security expert analyzing a Claude skill for potential security risks. + +Analyze the following skill content for security vulnerabilities: + +**Skill Name:** {skill_name} +**Skill Content:** +{skill_content} + +## Security Analysis Criteria + +Examine the skill for the following security concerns: + +### 1. Malicious Command Execution +- Detect `eval()`, `exec()`, `subprocess` with `shell=True` +- Identify arbitrary code execution patterns +- Check for command injection vulnerabilities + +### 2. Backdoor Detection +- Look for obfuscated code (base64, hex encoding) +- Identify suspicious network requests to unknown domains +- Detect file hash patterns matching known malware +- Check for hidden data exfiltration mechanisms + +### 3. Credential Theft +- Detect attempts to access environment variables containing secrets +- Identify file operations on sensitive paths (~/.ssh, ~/.aws, ~/.netrc) +- Check for credential harvesting patterns +- Look for keylogging or clipboard monitoring + +### 4. Unauthorized Network Access +- Identify external network requests +- Check for connections to suspicious domains (pastebin, ngrok, bit.ly, etc.) +- Detect data exfiltration via HTTP/HTTPS +- Look for reverse shell patterns + +### 5. File System Abuse +- Detect destructive file operations (rm -rf, shutil.rmtree) +- Identify unauthorized file writes to system directories +- Check for file permission modifications +- Look for attempts to modify critical system files + +### 6. Privilege Escalation +- Detect sudo or privilege escalation attempts +- Identify attempts to modify system configurations +- Check for container escape patterns + +### 7. 
Supply Chain Attacks +- Identify suspicious package installations +- Detect dynamic imports from untrusted sources +- Check for dependency confusion attacks + +## Output Format + +Provide your analysis in the following format: + +**Security Status:** [SAFE / WARNING / DANGEROUS] + +**Risk Level:** [LOW / MEDIUM / HIGH / CRITICAL] + +**Findings:** +1. [Category]: [Description] + - File: [filename:line_number] + - Severity: [LOW/MEDIUM/HIGH/CRITICAL] + - Details: [Explanation] + - Recommendation: [How to fix or mitigate] + +**Summary:** +[Brief summary of the security assessment] + +**Recommendation:** +[APPROVE / REJECT / APPROVE_WITH_WARNINGS] + +## Decision Criteria + +- **APPROVE**: No security issues found, safe to install +- **APPROVE_WITH_WARNINGS**: Minor concerns but generally safe, user should be aware +- **REJECT**: Critical security issues found, do not install + +Be thorough but avoid false positives. Consider the context and legitimate use cases. +``` + +## Example Analysis + +### Safe Skill Example + +``` +**Security Status:** SAFE +**Risk Level:** LOW +**Findings:** None +**Summary:** The skill contains only documentation and safe tool usage instructions. No executable code or suspicious patterns detected. +**Recommendation:** APPROVE +``` + +### Suspicious Skill Example + +``` +**Security Status:** WARNING +**Risk Level:** MEDIUM +**Findings:** +1. [Network Access]: External HTTP request detected + - File: scripts/helper.py:42 + - Severity: MEDIUM + - Details: Script makes HTTP request to api.example.com without user consent + - Recommendation: Review the API endpoint and ensure it's legitimate + +**Summary:** The skill makes external network requests that should be reviewed. +**Recommendation:** APPROVE_WITH_WARNINGS +``` + +### Dangerous Skill Example + +``` +**Security Status:** DANGEROUS +**Risk Level:** CRITICAL +**Findings:** +1. 
[Command Injection]: Arbitrary command execution detected + - File: scripts/malicious.py:15 + - Severity: CRITICAL + - Details: Uses subprocess.call() with shell=True and unsanitized input + - Recommendation: Do not install this skill + +2. [Data Exfiltration]: Suspicious network request + - File: scripts/malicious.py:28 + - Severity: HIGH + - Details: Sends data to pastebin.com without user knowledge + - Recommendation: This appears to be a data exfiltration attempt + +**Summary:** This skill contains critical security vulnerabilities including command injection and data exfiltration. It appears to be malicious. +**Recommendation:** REJECT +```
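Review bot: in the SKILL.md hunk, Step 4 fetches every file by branch name (`https://raw.githubusercontent.com/{owner}/{repo}/{branch}/skills/{skill_name}/{file_path}`), so the bytes scanned in Step 5 and the bytes written in Step 7 are only the same if the branch does not move between requests; resolve the branch to a commit SHA once in Step 2, pass that SHA as `ref` for every later API and raw request, and install from the content already fetched for the scan rather than refetching. Step 7 also writes `{skill_name}` and each `{file_path}` taken from the API response straight under `~/.claude/skills/` while "maintaining the directory structure": before calling Write, reject entries whose `type` is not `file` (the contents API also returns `dir`, `symlink` and `submodule`) and any path containing `..` or resolving outside `~/.claude/skills/{skill_name}/`. Finally, the "Sandboxing" bullet under Security Notes describes the absence of a sandbox ("skills run with Claude's permissions"); renaming it to "No sandbox" avoids it being read as a mitigation.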
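Review bot: in the security_scan_prompt.md hunk, the template places `{skill_content}` directly inside the analyst prompt, so text in the skill being scanned (a SKILL.md paragraph or script comment telling the reviewer to conclude SAFE) is read with the same authority as the surrounding instructions; wrap the content in explicit delimiters, state before it that everything inside is untrusted data to be analysed and never followed, and add a criterion under which instructions addressed to the reviewer are themselves reported as a finding. The Decision Criteria also leave the mapping from Risk Level to Recommendation implicit: SKILL.md Step 6 treats CRITICAL as blocking, but nothing here says that Risk Level is the highest severity among the findings or that CRITICAL (and arguably HIGH) must yield REJECT rather than APPROVE_WITH_WARNINGS, so spell that out. The Backdoor Detection item "Detect file hash patterns matching known malware" cannot be satisfied from source text without a hash database and will only invite invented matches; drop it or narrow it to flagging hard-coded hashes the skill compares downloaded content against.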