36.82%. That's the percentage of publicly available AI agent skills that contain security flaws, according to Snyk's ToxicSkills research - the first comprehensive security audit of the AI agent skills ecosystem.
Snyk's team scanned 3,984 skills from ClawHub and skills.sh, the two largest repositories where developers share and download SKILL.md files for tools like Claude Code and Cursor. The results should make anyone who has casually installed third-party skills uncomfortable.
The Numbers
Of the 3,984 skills scanned:
- 1,467 skills (36.82%) have security flaws of any severity
- 534 skills (13.4%) contain at least one critical-level vulnerability
- 76 confirmed malicious payloads were detected through manual review
- 8 malicious skills were still publicly available on ClawHub at the time of publication
The most common vulnerability is prompt injection (a technique where hidden instructions in a skill override what the AI agent is supposed to do), present in 91% of confirmed malicious skills and 2.6% of the full ecosystem. But the nastier finds go well beyond prompt tricks.
What the Malicious Skills Actually Do
Snyk's researchers identified three main attack patterns in the wild:
Credential theft via obfuscation. Malicious skills encode data-stealing commands in Base64 (a way of disguising text so it doesn't look like code at a glance), making them hard to spot in a quick review. These grab API keys, tokens, and passwords from the developer's environment.
External malware downloads. Some skills pull password-protected ZIP files from untrusted servers. Because the download happens during skill execution, the developer may never see it.
Persistent backdoors. The most sophisticated payloads modify system services to survive reboots, effectively installing a permanent backdoor on the developer's machine.
Snyk identified specific threat actors behind clusters of these attacks. A user called "zaycv" published over 40 programmatic malicious skills. Another account, "Aslaep123," targeted developers working on cryptocurrency and trading projects.
The Supply Chain Problem Nobody Planned For
This mirrors what happened with npm packages and VS Code extensions before them - open ecosystems attract bad actors, and the tooling to detect them always lags behind adoption. The difference is that AI agent skills have unusually broad permissions. A SKILL.md file can instruct an AI agent to read files, execute shell commands, and make network requests. That's a lot of surface area for a plain-text file that anyone can upload to a public repository.
10.9% of all scanned skills expose secrets like API keys or credentials. 17.7% pull in third-party content without disclosure. These aren't theoretical risks - they're live on public repositories right now.
The practical takeaway: treat third-party skills like you'd treat any unsigned code from the internet. Read the SKILL.md before installing. Check what shell commands it can trigger. And if a skill asks to download external files or modify system services, that's a red flag worth investigating before you give it access to your codebase.