mamabearmehmi-hub/skill-sentry
Scan Claude MCP skills for security threats before you install. npx skill-sentry < your skills github url> free, open source, no code executed.
Platform-specific configuration:
{
"mcpServers": {
"skill-sentry": {
"command": "npx",
"args": [
"-y",
"skill-sentry"
]
}
}
}Add the config above to .claude/settings.json under the mcpServers key.
<p align="center"> <br /> <em>Scan Claude skills for security threats before you install them.</em> </p>
<p align="center"> <a href="#why-i-built-this">Why</a> · <a href="#what-it-does">What</a> · <a href="#getting-started">Get Started</a> · <a href="#how-it-works">How It Works</a> · <a href="#what-this-is--what-it-isnt">Limitations</a> · <a href="#contributing">Contribute</a> </p>
---
Every day I discover new skills and MCP servers that make building with Claude feel like a superpower. The community is incredible. People are shipping tools that turn Claude into a design partner, a database manager, a deployment engine.
But here's the thing that kept me up at night: every one of those skills asks you to run `npx` or `npm install`.
That means you're trusting someone else's code to run on your machine. With access to your files. Your environment variables. Your SSH keys. Your tokens.
I'm not a security expert. I'm a builder, just like you. But I know enough to be scared of a postinstall script that runs curl | bash before you even see what's inside. I've read the stories about supply chain attacks. I've seen what a single malicious package can do.
So I built myself a sentry.
Skill Sentry scans the code so you don't have to. It reads every file, checks for dangerous patterns, and gives you a risk score. All without ever executing a single line of the scanned code.
You're welcome to use it. I hope it helps keep us safe and lets us keep enjoying building beautiful things with Claude.
V | *Just a builder who wanted to feel safe clicking install*
---
**Skill Sentry is a zero-cost, open-source security scanner for
Loading reviews...