Audit AI skill safety — CLI + MCP server for static, semantic, and adversarial skill audits across Claude Code, Cursor, Codex, and OpenCode.
Project description
TAR Engine — audit AI skill safety from Claude Code, Cursor, Codex CLI
Audit AI skill safety without leaving your editor or your CI pipeline.
TAR Engine exposes its skill audit pipeline two ways: a tar-engine CLI for
CI, and an MCP server so any MCP-compatible agent — Claude Code, Cursor,
Codex CLI — can call the audit pipeline directly from a conversation.
Five skill formats supported out of the box: SKILL.md, .claude/commands/*.md,
Codex skill.yaml, manifest.json, OpenCode opencode.json.
What you get
Two surfaces ship in the same tar-engine package:
tar-engine— a one-shot CLI that walks a directory, audits every skill it finds, and exits with a CI-friendly status code. Drop it into GitHub Actions or a pre-commit hook to fail builds with risky skills.tar-engine-mcp— the MCP server below (bundled), for interactive use from Claude Code / Cursor / Claude Desktop.
Both talk to the same backend (default https://tarai.dev, override with
TAR_ENGINE_URL).
CLI quick start
# scan a directory of skills, fail the build if any score is below 70
tar-engine scan ./skills --min-score 70
# list discovered skills without running the audit
tar-engine list ./skills
# JSON output for downstream processing
tar-engine scan ./skills --json
Discovery covers five formats out of the box:
| File pattern | Format |
|---|---|
**/SKILL.md |
OpenClaw, Claude Code, generic md |
**/.claude/commands/*.md |
Claude Code custom commands |
**/skill.yaml / .yml |
Codex |
**/manifest.json |
Codex / Claude Code (key-detected) |
**/opencode.json |
OpenCode |
Each skill's audit payload includes its primary file plus sibling
.sh / .py / .js / .ts / .yaml / .json helper files in the same
directory tree (capped at 200 KB total). This catches the "SKILL.md
looks clean but install.sh does the dirty work" pattern.
CI integration
GitHub Actions — fail the build if any skill scores below 70:
- name: Audit AI skills
run: |
pipx install tar-engine
tar-engine scan ./skills --min-score 70 --format sarif -o results.sarif
- name: Upload SARIF to GitHub Security
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif
Pre-commit hook (.git/hooks/pre-commit):
#!/usr/bin/env bash
tar-engine scan ./skills --min-score 80 --strict || exit 1
The exit code is 0 on success, 1 when any skill is below the
--min-score threshold or --strict finds any warning+ severity
finding, and 2 for usage errors / missing path.
Optional defense in depth — if shellcheck / semgrep / trufflehog /
gitleaks are installed locally, tar-engine scan orchestrates them
alongside the backend audit pipeline and surfaces their findings under
the same schema. Run tar-engine check-tools to see which are available
and how to install the rest.
MCP tools (the LLM invokes these on its own when the user describes audit intent):
audit_skill_text(skill_text, lang?, domain?)— audit a SKILL.md you have in hand. Returns structured findings with rule_id, severity, line-level evidence, category, and remediation hints.audit_skill_url(url, lang?, domain?)— fetch a SKILL.md from a URL and audit it.list_audit_rules(category?, lang?)— list the rule registry the pipeline applies (PI-, SS-, FA-, DE-, CE-, MP-, SEM-, AR- prefixes).get_audit_baseline(skill_name, limit?)— historical audit records and trend for a named skill.
Prompts (slash commands users can trigger explicitly):
audit-skill— audit a SKILL.md (paste text or URL)audit-best-practices— the three defensive constraints every SKILL.md should include before publishingaudit-trend— show how a skill's audit score has changed over time
Configure your client
Claude Code
Add to ~/.config/claude-code/mcp.json:
{
"mcpServers": {
"tar-engine": {
"command": "docker",
"args": [
"exec", "-i",
"tar-engine-oss",
"python", "/app/mcp-server/tar_engine_mcp.py"
]
}
}
}
Restart Claude Code. Available commands:
- Type
/to seeaudit-skill,audit-best-practices,audit-trend - Or just say "audit my SKILL.md" and Claude will call the right tool
Claude Desktop
Add to ~/Library/Application Support/Claude/claude_desktop_config.json
(macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):
{
"mcpServers": {
"tar-engine": {
"command": "docker",
"args": [
"exec", "-i",
"tar-engine-oss",
"python", "/app/mcp-server/tar_engine_mcp.py"
]
}
}
}
Cursor
Settings → MCP → Add Server → use the same docker exec command.
Run directly (without docker)
If you run the engine locally without docker:
TAR_ENGINE_URL=http://localhost:8765 \
python -m pip install mcp httpx
TAR_ENGINE_URL=http://localhost:8765 \
python mcp-server/tar_engine_mcp.py
Then in your client config, point command at this script directly.
Environment
The MCP server reads:
TAR_ENGINE_URL(defaulthttp://localhost:8765) — base URL of the running engineTAR_ENGINE_TIMEOUT(default180) — per-request timeout in seconds. Full-stack audit (L1 + L3 + L4) routinely takes 30-60s; default leaves headroom.OPENAI_API_KEY/OPENAI_BASE_URL/OPENAI_MODEL— forwarded to the engine for the semantic (L3) and adversarial-fuzz (L4) layers. Without these the audit still runs L1 (regex) but skips L3/L4.
Example user flows
Audit a skill you're writing. Open Claude Code in a project that has
a SKILL.md. Ask "audit this skill for security issues." Claude reads the
file, calls audit_skill_text, and walks you through findings with line
numbers and fix suggestions.
Check a community skill before installing. "Audit
github.com/someone/cool-skill SKILL.md." Claude calls audit_skill_url
with the raw URL, returns findings, you decide whether to install.
See your audit trend. After running audits on the same SKILL.md
multiple times, "show me the trend for my-skill." Claude calls
get_audit_baseline and reports mean/stddev/trend plus rule_ids that keep
recurring.
Learn the defensive pattern. Type /audit-best-practices. Get the
three-line SKILL.md prefix that closes the W23 edition's worst attack
class (encoded-instruction injection that succeeded against 5 of 5
Anthropic-official skills).
Historical baseline persistence
Every audit triggered through the MCP server lands in the same
cockpit_audit_history table the web endpoint writes to. The baseline you
see via get_audit_baseline accumulates across all paths — MCP, CLI, web,
direct HTTP. Same skill, same identity, one trend.
Set no_history: true in the audit body when you want a one-off audit
that doesn't pollute the baseline (e.g. auditing a third-party skill you
don't own).
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file tar_engine-0.3.2.tar.gz.
File metadata
- Download URL: tar_engine-0.3.2.tar.gz
- Upload date:
- Size: 35.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.6
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
90e22340dd56e7788768aeccfe5229a4631c47809ba2b7fcddff4002b6e37b55
|
|
| MD5 |
025e2dfd0723b580cad87d83398ba6ec
|
|
| BLAKE2b-256 |
e2312fab997285f688591c3ff1918637a33446ddaaf361b59105318765b906d5
|
File details
Details for the file tar_engine-0.3.2-py3-none-any.whl.
File metadata
- Download URL: tar_engine-0.3.2-py3-none-any.whl
- Upload date:
- Size: 31.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.6
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
26ef14337ccd76932b7c8ef2aeb41725df1e69287903372482c92f5753e4315d
|
|
| MD5 |
60ff9733485ed469148a142b0a3a65f5
|
|
| BLAKE2b-256 |
cc9bcc7aa8ae47e92a5d43047924e28544be901cc24c3b74ebf904c75a3bb3af
|