# Claude skills bundle where each skill ships with its audit report > Source: > Published: 2026-05-27 14:27:20+00:00 # I audited 200 Claude Code skills. *26 of them were trying to steal your tokens.* SkillVault is the 40+ skills that survived. Hand-tested, dependency-pinned, license-clean, prompt-injection-scanned. For Claude Code, Cursor, Codex, and Gemini CLI. One payment, lifetime access. [Get the methodology PDF](/skillvault-audit-methodology.pdf) [how to audit an AI agent skill](/blog/how-to-audit-an-ai-agent-skill). ## The skill marketplaces have a security problem. In February 2026, Snyk security researchers scanned the public Claude Code skill ecosystem. They did not like what they found. ## What you get. 40+ skills across coding, security, data, docs, ops, marketing, research, and design. Every single one has gone through the seven point audit below. ### The seven point audit, every skill **Prompt injection scan** **License check** **Dependency vulnerabilities** **Network call audit** **Secret and token exfiltration risk** **Sandbox vs. real env behavior** **Maintenance signal** ### Sample audit report ``` skill: repo-architect version: 1.4.2 (pinned, forked to skillvault/repo-architect) license: MIT PASS deps: 3 pinned, 0 vulns PASS net calls: 1 outbound (github.com api) PASS prompt-inj: 0 hits across 412 payloads PASS secrets: reads CLAUDE_PROJECT_DIR only PASS sandbox vs real: identical side effects PASS maint: last commit 9d, 6 open / 102 closed PASS verdict: SHIPPED in SkillVault v1, category Coding ``` ## Pricing. One payment. Lifetime updates. Private GitHub repo access. - 40+ audited skills, all 4 IDEs - Lifetime updates - Private GitHub repo invite - Audit PDF on every skill [Get launch price](https://buy.stripe.com/8x2fZh5VSb2QgTc7C70Jq02?utm_source=hub&utm_medium=venture-route&utm_campaign=skillvault&utm_content=pricing-launch&vl_origin=skillvault) - Everything in Launch - Quarterly re-audit reports - Priority on new skill requests - Bug bounty rewards eligibility [Get standard](https://buy.stripe.com/5kQ3cv2JG0oc6ey8Gb0Jq03?utm_source=hub&utm_medium=venture-route&utm_campaign=skillvault&utm_content=pricing-standard&vl_origin=skillvault) - Everything in Standard - Private Discord with the auditor - Vote on next skills to audit - First access to new packs [Get Pro](https://buy.stripe.com/9B66oH1FC3Ao46qf4z0Jq04?utm_source=hub&utm_medium=venture-route&utm_campaign=skillvault&utm_content=pricing-pro&vl_origin=skillvault) **+ $49 add-on, monthly skill drops.** Five newly audited skills every month, dropped into the same private repo. Cancel any time. Available as an order bump at checkout. All tiers, 14 day no-questions refund. If a shipped skill is ever found to have a vulnerability, we publish the disclosure publicly within 48 hours and pay $200 to the reporter. ## FAQ. ## Why should I trust this audit? The methodology document is published in full and free. The kill list is included. Every skill in the pack is forked into the SkillVault GitHub org so the upstream cannot be silently mutated. Bug bounty pays $200 cash for any real vulnerability found in a shipped skill. ## Does this work with Cursor and Codex, not just Claude Code? Yes. Anthropic released the Skills format as an open standard in December 2025. The same SKILL.md works in Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and Windsurf. Each skill in the pack is tagged with the IDEs it was tested in. ## How is this different from just downloading skills from GitHub? You can absolutely do that. You will also be the one running the audit. The Snyk study found 13.4% of public skills carry critical issues. SkillVault is the bundle where someone else did the unglamorous work for you. ## What happens when new skills appear? Standard and Pro tiers get the quarterly re-audit. The $49 monthly drops bump adds five newly audited skills per month. All updates ship to the same private repo, no extra payment. ## Refund policy? 14 days, no questions, email reply. We keep the email list so we can warn buyers if a shipped skill is later found compromised. That is the only thing we use the list for. ## Want a heads-up when v2 of the bundle drops? v2 ships in Q3 2026: every v1 skill re-audited against new CVEs, plus ~15 new skills across data, infra, and security categories. Soft secondary capture, no purchase implied.