Security Verification Skill for Claude - Installation Guide

Security Verification Skill

Defense-in-depth security verification for Python packages and GitHub releases

Overview

This Claude skill provides comprehensive security verification before installing external dependencies, helping prevent supply chain attacks through:

  • SLSA attestation verification (cryptographic build provenance)
  • Multi-database vulnerability scanning (OSV, Safety DB, pip-audit)
  • Typosquatting detection (PyPI metadata analysis)
  • Checksum verification (SHA256 integrity checks)
  • GitHub release validation (signatures and author verification)

Quick Install

Download the Skill

Download security-verification.skill (25 KB) from this distribution.

Install the Skill

# Navigate to your skills directory
cd ~/.claude/skills

# Extract the skill
unzip /path/to/security-verification.skill

# Verify installation
ls -la ~/.claude/skills/security-verification/

Add to PATH (Recommended)

# Add to ~/.zshrc or ~/.bashrc
echo '
# Security Verification Scripts
export PATH="$HOME/.claude/skills/security-verification/scripts:$PATH"' >> ~/.zshrc

# Reload shell
source ~/.zshrc

Install Security Tools

# Required for full verification coverage
pip install pip-audit safety

# Optional: GitHub CLI for release verification
brew install gh  # macOS
# or: sudo apt install gh  # Linux

Usage

Verify Python Package

verify-python-package.sh <package-name> [version]

# Examples:
verify-python-package.sh requests 2.32.4
verify-python-package.sh django 5.0.0
verify-python-package.sh numpy 1.26.0

Exit Codes:

  • 0 = Safe to install (all checks passed)
  • 1 = Do NOT install (vulnerabilities found)
  • 2 = Manual review required (incomplete checks)

Verify GitHub Release

verify-github-release.sh <owner/repo> <tag> <asset-name>

# Example:
verify-github-release.sh \
  explosion/spacy-models \
  en_core_web_lg-3.8.0 \
  en_core_web_lg-3.8.0-py3-none-any.whl

Workflow Integration

# Always verify before installing; install only if verification passes (exit code 0)
if verify-python-package.sh flask 3.0.0; then
  pip install flask==3.0.0
else
  echo "❌ Installation blocked by security verification"
fi
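The gate above treats every non-zero exit the same. The following added example (not part of the skill's own scripts) extends it to a pinned requirements file and keeps the three documented exit codes distinct: any 1 blocks, otherwise any 2 asks for manual review. The function name gate_requirements and the VERIFY_CMD override are assumptions made for this example, and only simple name==version lines are handled.

```shell
#!/bin/sh
# Added example: batch gate built on the documented exit codes
#   0 = safe, 1 = do NOT install, 2 = manual review required.
# VERIFY_CMD (assumed name) defaults to the page's script and can be
# overridden with a stub for offline testing.
VERIFY_CMD="${VERIFY_CMD:-verify-python-package.sh}"

# gate_requirements FILE  (hypothetical helper)
# Returns 0 if every entry passed, 1 if any entry was blocked,
# 2 if nothing was blocked but at least one entry needs review.
gate_requirements() {
  worst=0
  # Take the first whitespace-separated field of each line as the spec.
  while read -r spec rest || [ -n "$spec" ]; do
    case "$spec" in
      ''|'#'*) continue ;;                 # blank line or comment
      ?*==?*)  name="${spec%%==*}"; version="${spec#*==}" ;;
      *)       # unpinned entry: no exact version to verify
               echo "REVIEW  $spec (not pinned with ==)" >&2
               if [ "$worst" -eq 0 ]; then worst=2; fi
               continue ;;
    esac
    rc=0
    # </dev/null keeps the verifier from consuming the requirements file.
    "$VERIFY_CMD" "$name" "$version" </dev/null >&2 || rc=$?
    case "$rc" in
      0) echo "PASS    $name==$version" >&2 ;;
      1) echo "BLOCK   $name==$version" >&2
         worst=1 ;;                        # a block outranks a review
      *) echo "REVIEW  $name==$version (exit $rc)" >&2
         if [ "$worst" -eq 0 ]; then worst=2; fi ;;
    esac
  done < "$1"
  return "$worst"
}

# Usage: gate_requirements requirements.txt && pip install -r requirements.txt
```

Any exit code other than 0 or 1, including a missing verifier script, is reported as review rather than pass, so the gate fails closed.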

What's Included

  • SKILL.md (16 KB) - Complete documentation with usage examples
  • scripts/verify-python-package.sh (5 KB) - Python package verification
  • scripts/verify-github-release.sh (7 KB) - GitHub release verification
  • references/INSTALLATION.md (16 KB) - Detailed installation guide
  • references/CODE-WEB-FULL-NETWORK-SETUP.md (14 KB) - Code Web configuration
  • references/README.md (11 KB) - Quick reference guide

Key Features

1. Python Package Verification (3 Layers)

[Step 1/3] pip-audit (OSV Database)
├─ Official Python security scanner
└─ Checks for known CVEs

[Step 2/3] safety (Safety DB)
├─ Community vulnerability database
└─ Additional CVE coverage

[Step 3/3] PyPI Metadata Analysis
├─ Typosquatting detection
└─ Author/maintainer validation

2. GitHub Release Verification (5 Layers)

[Step 1/5] SLSA Attestations
├─ Cryptographic build provenance
└─ Strongest verification method

[Step 2/5] Release Signatures
├─ GitHub "Verified" badge
└─ Author validation

[Step 3/5] Checksum Verification
└─ SHA256 integrity checks

[Step 4/5] OSV Database
└─ Known vulnerability checks

[Step 5/5] Security Summary
└─ Pass/fail determination

Real-World Example

Testing with a vulnerable package:

$ verify-python-package.sh requests 2.31.0

🔒 Python Package Security Verification
========================================
Package: requests==2.31.0

[Step 1/3] Checking with pip-audit (OSV database)...
❌ pip-audit: Vulnerabilities found
Found 2 known vulnerabilities:
- GHSA-9wx4-h78v-vm56 → Fix: 2.32.0
- GHSA-9hjg-9r4m-mvj7 → Fix: 2.32.4

[Step 2/3] Checking with safety (Safety DB)...
❌ safety: Vulnerabilities found
CVE-2024-35195: Session credential leak
CVE-2024-47081: .netrc credential leak

[Step 3/3] Checking package metadata...
✅ Package found on PyPI
   Author: Kenneth Reitz

❌ VERIFICATION FAILED
   Do NOT install this package without manual security review

Exit code: 1 (blocked installation)

Claude Code Web Support

The skill includes comprehensive Code Web integration documentation for working with Full network mode and verifying external assets in ephemeral containers.

See references/CODE-WEB-FULL-NETWORK-SETUP.md for complete setup instructions.

CI/CD Integration

The skill includes ready-to-use:

  • GitHub Actions workflow templates
  • Pre-commit hook examples
  • Batch verification scripts

See SKILL.md for implementation details.

Troubleshooting

Script Not Found

# Add to PATH
export PATH="$HOME/.claude/skills/security-verification/scripts:$PATH"

# Make permanent in ~/.zshrc or ~/.bashrc

Tools Not Installed

pip install pip-audit safety
gh --version  # Verify GitHub CLI

Permission Denied

chmod +x ~/.claude/skills/security-verification/scripts/*.sh

Documentation

After installation, view complete documentation:

# Main skill documentation
cat ~/.claude/skills/security-verification/SKILL.md

# Installation guide
cat ~/.claude/skills/security-verification/references/INSTALLATION.md

# Code Web setup
cat ~/.claude/skills/security-verification/references/CODE-WEB-FULL-NETWORK-SETUP.md

Additional Resources

Security Philosophy

Defense-in-Depth: Multiple independent verification layers ensure an attacker must defeat multiple security controls simultaneously.

Attestation-First: SLSA attestations provide the strongest verification through cryptographic build provenance.

Zero Trust: All external dependencies are untrusted until verified through multiple security checks.


Version: 1.0.0
Last Updated: 2025-11-05
Maintained By: Kieran Steele (Token-Eater)
License: MIT
Skill Size: 25 KB (packaged)
