SkillVault is the 40+ skills that survived. Hand-tested, dependency-pinned, license-clean, prompt-injection-scanned. For Claude Code, Cursor, Codex, and Gemini CLI. One payment, lifetime access.
how to audit an AI agent skill.
The skill marketplaces have a security problem. #
In February 2026, Snyk security researchers scanned the public Claude Code skill ecosystem. They did not like what they found.
What you get. #
40+ skills across coding, security, data, docs, ops, marketing, research, and design. Every single one has gone through the seven point audit below.
The seven point audit, every skill
Prompt injection scan
License check
Dependency vulnerabilities
Network call audit
Secret and token exfiltration risk
Sandbox vs. real env behavior
Maintenance signal
Sample audit report
skill: repo-architect
version: 1.4.2 (pinned, forked to skillvault/repo-architect)
license: MIT PASS
deps: 3 pinned, 0 vulns PASS
net calls: 1 outbound (github.com api) PASS
prompt-inj: 0 hits across 412 payloads PASS
secrets: reads CLAUDE_PROJECT_DIR only PASS
sandbox vs real: identical side effects PASS
maint: last commit 9d, 6 open / 102 closed PASS
verdict: SHIPPED in SkillVault v1, category Coding
Pricing. #
One payment. Lifetime updates. Private GitHub repo access.
- 40+ audited skills, all 4 IDEs
- Lifetime updates
- Private GitHub repo invite
- Audit PDF on every skill
- Everything in Launch
- Quarterly re-audit reports
- Priority on new skill requests
- Bug bounty rewards eligibility
- Everything in Standard
- Private Discord with the auditor
- Vote on next skills to audit
- First access to new packs
+ $49 add-on, monthly skill drops. Five newly audited skills every month, dropped into the same private repo. Cancel any time. Available as an order bump at checkout.
All tiers, 14 day no-questions refund. If a shipped skill is ever found to have a vulnerability, we publish the disclosure publicly within 48 hours and pay $200 to the reporter.
FAQ. #
Why should I trust this audit? #
The methodology document is published in full and free. The kill list is included. Every skill in the pack is forked into the SkillVault GitHub org so the upstream cannot be silently mutated. Bug bounty pays $200 cash for any real vulnerability found in a shipped skill.
Does this work with Cursor and Codex, not just Claude Code? #
Yes. Anthropic released the Skills format as an open standard in December 2025. The same SKILL.md works in Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and Windsurf. Each skill in the pack is tagged with the IDEs it was tested in.
How is this different from just down skills from GitHub? #
You can absolutely do that. You will also be the one running the audit. The Snyk study found 13.4% of public skills carry critical issues. SkillVault is the bundle where someone else did the unglamorous work for you.
What happens when new skills appear? #
Standard and Pro tiers get the quarterly re-audit. The $49 monthly drops bump adds five newly audited skills per month. All updates ship to the same private repo, no extra payment.
Refund policy? #
14 days, no questions, email reply. We keep the email list so we can warn buyers if a shipped skill is later found compromised. That is the only thing we use the list for.
Want a heads-up when v2 of the bundle drops? #
v2 ships in Q3 2026: every v1 skill re-audited against new CVEs, plus ~15 new skills across data, infra, and security categories. Soft secondary capture, no purchase implied.