Skill Audit Report

completeness (50%)

• Has description
• Has 10 steps

• Add usage examples showing how to invoke this skill
• Add gotchas/caveats to warn about common failure points
• Define input parameters if the skill accepts any

clarity (80%)

• Step count (10) is ideal
• Language is concrete and specific

• Description is very long — consider trimming to under 200 characters

actionability (25%)

• No inputs defined (not always needed)

• Start each step with an action verb (Run, Check, Verify, etc.)
• Reference specific tools or commands in steps (e.g. `git diff`, Grep)

safety (5%)

• Add gotchas/caveats to warn about common failure points
• Add specific gotchas (describe what can go wrong and why)
• Address what happens when things go wrong (errors, failures, retries)

testability (0%)

• Add examples showing how to use this skill
• Add examples with concrete parameter values
• Add examples that describe expected outcomes

trust (0%)

• CRITICAL: 19 suspicious pattern(s) found — review carefully before use

• [EXFILTRATION] Posts data to external URL
• [EXFILTRATION] May leak secrets
• [EXFILTRATION] May leak secrets (credential in output)
• [EXFILTRATION] May exfiltrate environment variables
• [EXFILTRATION] Encoded data exfiltration
• [EXFILTRATION] Accesses SSH keys
• [EXFILTRATION] Accesses AWS credentials
• [EXFILTRATION] Reads secret/key files
• [EXFILTRATION] References crypto wallet/keys
• [EXFILTRATION] Reverse shell via bash /dev/tcp
• [EXFILTRATION] Printing credentials (credential logging)
• [EXFILTRATION] Credentials in curl -u argument (visible in process list)
• [OBFUSCATION] Decodes and executes hidden commands
• [SECRET] Possible hardcoded API key or token
• [SUSPICIOUS_URL] Pipe from URL to shell (remote code execution)
• [SUSPICIOUS_URL] Direct IP address (no DNS = suspicious)
• [PERSISTENCE] Appending to authorized_keys — backdoor installation
• [HIJACKING] Cryptocurrency miner (xmrig)
• [HIJACKING] Mining pool connection (stratum protocol)