If you’re installing skills for Claude Code, Cursor, or OpenClaw, there’s something you need to know before your next installation: a comprehensive security audit of the AI agent skills ecosystem found that 1 in 7 skills contains at least one critical security issue — and the attacks look nothing like traditional malware.
In February 2026, researchers from Snyk published ToxicSkills, the first large-scale security study of the AI agent skills supply chain. They scanned 3,984 skills from ClawHub and skills.sh, and confirmed 76 malicious payloads through manual verification. If you expand to any severity level, more than a third of the ecosystem — 36.82% of skills — has at least one security issue: from hardcoded API keys to dangerous exposure of third-party content.
What makes this worse: your traditional security scanner won’t detect most of this.
A supply chain problem you’ve seen before
If you were around for the first wave of npm malware, this pattern feels familiar. Open registry. Minimal vetting. Rapid growth that attracts malicious actors. The difference here is that AI agent skills don’t just execute code with your privileges — they also load natural language instructions directly into your agent’s context. That creates two completely different types of attacks.
Two archetypes: Data Thieves and Agent Hijackers
Researchers from Carnegie Mellon (arXiv:2602.06547) analyzed 98,380 skills across two community registries and found that malicious ones clearly divide into two profiles:
Data Thieves (70.5% of confirmed malicious skills)
These skills behave normally on the surface while exfiltrating your credentials in the background. Their techniques include:
- Installing dependencies that send data to external servers
- Making POST requests to external URLs with your environment variables
- Silently reading
~/.ssh/id_rsa,~/.aws/credentials, or.envfiles - Using Base64 encoding or marshal/pickle serialization to hide exfiltration logic
One confirmed skill, AI Truthfulness Enforcer (smp_2663), disguises itself as a security tool while deploying five distinct instruction override patterns, all critical severity. Another (Plan Refine, smp_9014) executes a model-level man-in-the-middle attack — routing all Claude API calls through a proxy controlled by the attacker. Every prompt, code snippet, and business document you send passes through their server.
Agent Hijackers (10.2% of confirmed malicious skills)
These don’t steal data — they subvert the agent’s decision-making. They embed instructions that tell your AI what to do at runtime, overwriting your actual intent. Techniques include:
- Instruction overrides (60 instances found)
- Security bypass patterns (35 instances)
- Coercive language that forces specific behaviors (33 instances)
- Secrecy instructions that tell the agent to hide what it’s doing (20 instances)
- Autonomy overrides and silent operation modes
The attack is social engineering, but directed at the AI, not you.
Why traditional scanners miss 84% of the problem
This is the finding that should recalibrate how you think about this threat: 84.2% of vulnerabilities live in natural language documentation, not in code. Malicious instructions are written in prose inside SKILL.md files or in instruction sets. VirusTotal, static analyzers, and most registry scanners are looking at code — they’re completely blind to this attack surface.
SkillScan, a behavioral scanner built specifically for this problem, found threats in 16.9% of the 549 ClawHub skills it analyzed. VirusTotal detected none of them.
Researchers also documented “shadow features” — actual capabilities that are completely absent from a skill’s public description. The breakdown: undocumented network endpoints (47.2%), conditional triggers that activate under specific circumstances (18.4%), obfuscated code segments (11.0%), and instructions hidden in comments or markup (6.7%).
The scale of the problem
A single threat actor, identified as smp_170, is responsible for 54.1% of all confirmed malicious skills, using industrialized template-based attacks — essentially mass-producing malicious skills. This isn’t opportunistic. It’s organized.
At the time of study publication, 8 of the 76 confirmed malicious skills were still publicly available on clawhub.ai. Three CVEs directly affecting Claude Code (CVE-2026-25723, CVE-2026-21852, CVE-2025-66032) were identified as part of the investigation.
What to do before your next skills installation
Before installing any skill:
1. Verify the source
Prefer skills from known developers with GitHub history, not anonymous submissions. Review the current SKILL.md and any included files before loading them.
2. Scan with a behavioral tool
SkillScan (skillscan.chitacloud.dev) can analyze skills before installation. It’s not perfect, but it detects what VirusTotal doesn’t.
3. Manually hunt for shadow features
Read the installation files. Does the skill describe network access it didn’t mention in the readme? Reference external URLs? Include conditional logic that only activates under certain conditions?
4. Check for hardcoded secrets
Scan for patterns like OPENAI_API_KEY, AWS_SECRET, or any environment variable reading followed by HTTP requests.
5. Check what privileges it requests
Skills run with developer-equivalent access to your file system, credentials, and APIs. A skill requesting broad file system access for a task that doesn’t require it is a red flag.
For teams using agentic tools:
Consider treating skill installation like dependency installation — review before adding, pin versions, and maintain an inventory of what’s installed. The supply chain risk here is real and active right now.
The bigger picture
The AI agent skills ecosystem is going through the same growing pains that npm, PyPI, and the Android Play Store went through. The difference is the attack surface is more dangerous: these skills run with your privileges, load instructions directly into the AI’s context, and most security tools can’t see the primary attack vector.
Researchers disclosed their findings responsibly. Registries are improving their vetting processes. Patches for Claude Code are in progress. But the fundamental tension — open ecosystems are valuable precisely because they’re open — won’t disappear.
Until the ecosystem matures, the safest posture is to install skills the same way you’d install an unknown dependency: with skepticism, verification, and awareness of what you’re actually running.
Sources: Snyk ToxicSkills study (February 2026), arXiv:2602.06547 — Carnegie Mellon Large-Scale Security Empirical Study (February 2026), SkillScan behavioral analysis data.