Scan skills for prompt injection, data exfiltration, credential access, destructive commands, obfuscation, suspicious URLs, and broken local links. 100+ built-i
The Audit skill scans skills for security risks such as prompt injection, data exfiltration, credential access, destructive commands, obfuscation, suspicious URLs, and broken local links. It applies over 100 built-in rules across six analyzers to identify threats and vulnerabilities with severity levels ranging from informational to critical. This ensures skills meet security standards before installation or deployment, blocking or warning on findings based on configurable thresholds.
This skill is designed for performance marketers and agency strategists who manage or deploy custom skills in environments where security and compliance are critical. Growth leads overseeing integrations that handle sensitive user data or require reliable skill behavior will also benefit from using the Audit skill to prevent potential breaches or disruptions. SEO/PPC operators relying on third-party or community skills can use Audit to verify safety and maintain campaign integrity.
Practitioners typically start by running a full audit across all installed or candidate skills to get an overview of high-risk findings. Next, they scan specific skills or skill groups to pinpoint issues, adjusting thresholds or profiles to balance security with operational needs. Custom audit rules are created or modified to tailor scans for project-specific concerns, followed by reviewing detailed reports to decide on blocking or permitting installation. Lastly, the audit is integrated into install workflows to enforce security gates automatically.
How do I block installation on high-severity issues? Set the block threshold flag to `high` or use the `strict` profile to automatically block installations on high or critical findings. Can I audit only certain types of risks? Yes, you can restrict scans to specific analyzers like static or dataflow for targeted analysis. What if I want to skip auditing temporarily? Use the `--skip-audit` flag during install to bypass scanning, but this should be done cautiously.
Attach the Audit skill to any Metaflow agent task responsible for skill installation or updates to enforce security scanning automatically. When triggered, the agent runs the configured audit profile and blocks or warns based on detected risks and severity thresholds. This process helps maintain a secure skill environment without manual intervention, enabling safer scaling and deployment workflows. You can customize profiles and rules to fit your team’s security posture and compliance requirements.
For broader context, see our roundup of claude marketing skills, and read Claude Code workflows for marketing agencies for related setup guidance.