The Skill Security Vendor Pack is an auditing skill that scans skill folders to identify security risks, packaging defects, and marketplace-readiness gaps. It is intended for developers and agencies building skills for AI marketplaces who need to validate packages before commercial distribution or client delivery. The skill replaces manual checklists with an automated, script-based review process. It audits permissions to detect high-risk or over-scoped entries that might block marketplace approval. It performs pattern matching to flag suspicious code patterns or shell execution risks that require manual verification. It validates packaging by checking for missing configuration files, metadata inconsistencies, and directory structure errors. The analysis runs in zero-dependency Python so it can be included in CI/CD pipelines or local development workflows. The skill generates developer-friendly JSON data alongside client-ready Markdown reports. It follows a strict output contract so that every report is structured for professional use and delivers evidence-backed flags rather than generic warnings, allowing teams to fix issues before a marketplace denies approval.
Skill Security Vendor Pack
Audit AI agent skills for security risks, packaging errors, and marketplace readiness with professional reports.
Install
cmdop skills install agensi-skill-security-vendor-pack
Use cases
- Audit a skill folder for over-scoped permissions before submitting to an AI marketplace
- Flag suspicious code patterns and shell execution risks in an agent skill package
- Validate that a skill package contains complete metadata and correct directory structure
- Generate a JSON audit report for developer review and a Markdown report for client delivery
- Integrate skill validation into a CI/CD pipeline with zero-dependency Python
- Catch missing configuration files that would block marketplace approval
When to use it
- You publish skills to AI marketplaces and need automated pre-flight checks.
- You deliver agent skills to clients and must provide evidence-backed audit reports.
- You want to replace manual security checklists with a repeatable script.
- You need a portable audit tool that runs in CI/CD without extra dependencies.
- You review skill packages for packaging errors and permission scope risks.
When not to use it
- You need run-time security monitoring of a deployed agent rather than static package analysis.
- You require auditing of compiled binaries or container images instead of skill folders.
- You cannot execute Python scripts in your environment.
- You are looking for a general-purpose vulnerability scanner for operating systems or networks.
- You need real-time interactive debugging of a skill rather than an automated report.