Claude skills bundle where each skill ships with its audit report

An audit of 200 Claude Code skills found 26 attempting to steal user tokens, prompting the launch of SkillVault, a bundle of 40+ hand-tested skills for Claude Code, Cursor, Codex, and Gemini CLI. Each skill ships with a seven-point audit report covering prompt injection, license checks, dependency vulnerabilities, network calls, secret exfiltration, sandbox behavior, and maintenance signals. The product offers lifetime access with tiered pricing, quarterly re-audits, and a $200 bug bounty for any vulnerability found in a shipped skill.

I audited 200 Claude Code skills. 26 of them were trying to steal your tokens. SkillVault is the 40+ skills that survived. Hand-tested, dependency-pinned, license-clean, prompt-injection-scanned. For Claude Code, Cursor, Codex, and Gemini CLI. One payment, lifetime access. Get the methodology PDF /skillvault-audit-methodology.pdf how to audit an AI agent skill /blog/how-to-audit-an-ai-agent-skill . The skill marketplaces have a security problem. In February 2026, Snyk security researchers scanned the public Claude Code skill ecosystem. They did not like what they found. What you get. 40+ skills across coding, security, data, docs, ops, marketing, research, and design. Every single one has gone through the seven point audit below. The seven point audit, every skill Prompt injection scan License check Dependency vulnerabilities Network call audit Secret and token exfiltration risk Sandbox vs. real env behavior Maintenance signal Sample audit report skill: repo-architect version: 1.4.2 pinned, forked to skillvault/repo-architect license: MIT PASS deps: 3 pinned, 0 vulns PASS net calls: 1 outbound github.com api PASS prompt-inj: 0 hits across 412 payloads PASS secrets: reads CLAUDE PROJECT DIR only PASS sandbox vs real: identical side effects PASS maint: last commit 9d, 6 open / 102 closed PASS verdict: SHIPPED in SkillVault v1, category Coding Pricing. One payment. Lifetime updates. Private GitHub repo access. - 40+ audited skills, all 4 IDEs - Lifetime updates - Private GitHub repo invite - Audit PDF on every skill Get launch price https://buy.stripe.com/8x2fZh5VSb2QgTc7C70Jq02?utm source=hub&utm medium=venture-route&utm campaign=skillvault&utm content=pricing-launch&vl origin=skillvault - Everything in Launch - Quarterly re-audit reports - Priority on new skill requests - Bug bounty rewards eligibility Get standard https://buy.stripe.com/5kQ3cv2JG0oc6ey8Gb0Jq03?utm source=hub&utm medium=venture-route&utm campaign=skillvault&utm content=pricing-standard&vl origin=skillvault - Everything in Standard - Private Discord with the auditor - Vote on next skills to audit - First access to new packs Get Pro https://buy.stripe.com/9B66oH1FC3Ao46qf4z0Jq04?utm source=hub&utm medium=venture-route&utm campaign=skillvault&utm content=pricing-pro&vl origin=skillvault + $49 add-on, monthly skill drops. Five newly audited skills every month, dropped into the same private repo. Cancel any time. Available as an order bump at checkout. All tiers, 14 day no-questions refund. If a shipped skill is ever found to have a vulnerability, we publish the disclosure publicly within 48 hours and pay $200 to the reporter. FAQ. Why should I trust this audit? The methodology document is published in full and free. The kill list is included. Every skill in the pack is forked into the SkillVault GitHub org so the upstream cannot be silently mutated. Bug bounty pays $200 cash for any real vulnerability found in a shipped skill. Does this work with Cursor and Codex, not just Claude Code? Yes. Anthropic released the Skills format as an open standard in December 2025. The same SKILL.md works in Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and Windsurf. Each skill in the pack is tagged with the IDEs it was tested in. How is this different from just downloading skills from GitHub? You can absolutely do that. You will also be the one running the audit. The Snyk study found 13.4% of public skills carry critical issues. SkillVault is the bundle where someone else did the unglamorous work for you. What happens when new skills appear? Standard and Pro tiers get the quarterly re-audit. The $49 monthly drops bump adds five newly audited skills per month. All updates ship to the same private repo, no extra payment. Refund policy? 14 days, no questions, email reply. We keep the email list so we can warn buyers if a shipped skill is later found compromised. That is the only thing we use the list for. Want a heads-up when v2 of the bundle drops? v2 ships in Q3 2026: every v1 skill re-audited against new CVEs, plus ~15 new skills across data, infra, and security categories. Soft secondary capture, no purchase implied.