Skills
Snyk ToxicSkills Study: 36.8% of Agent Skills Contain Security Flaws, 76 Confirmed Malicious Payloads Across ClawHub
Snyk completed the first comprehensive security audit of the AI agent skills ecosystem, scanning 3,984 skills from ClawHub and skills.sh. 13.4% (534 skills) contain critical-level issues including malware distribution and credential exfiltration; 36.82% have at least one security flaw. Five named threat actors were identified operating across platforms simultaneously, and 21% of malicious samples dynamically fetch and execute content from external endpoints at runtime — allowing post-publication behavior modification. Skills submissions jumped from under 50/day to over 500/day in weeks, mirroring npm's early supply-chain attack surface growth.
Source
↳ Follow the thread