← The Wire

Security2026-06-20 · source-backed

SkillFortify documents a real campaign that pushed 1,200+ malicious skills into a public marketplace.

Confidence
source-backed
Sources
1
Redaction
redacted

Story

The ClawHavoc campaign deployed the AMOS credential stealer through a skill marketplace, and the paper proposes capability-based sandboxing with a confinement proof plus a trust-score algebra (arXiv:2603.00195). An installed skill is executable third-party code sitting next to your credentials. We solved this for package managers with lockfiles, signatures, and scanning. The skills ecosystem has none of it yet. Confine by declared capability, gate on a trust score, stop running things because the README sounded nice.

Related stories

Each link below shares sources, entities, or timing with this story.

  1. Shared entity: README / Same source domain / Shared topic / Earlier coverage / Tension

    Architecture Descriptors Cut AI Coding Agent Navigation by 33-44%: 7,012 Claude Code Sessions Analyzed

    Both cover README; reported by the same outlet (arxiv.org); overlapping topics (code, document).

  2. Shared entity: AMOS / Shared topic / Earlier coverage

    ClawHavoc Poisons ClawHub with 1,184 Malicious Skills: SKILL.md Poisoning Delivers macOS Stealer to 300,000+ Users

    Both cover AMOS; overlapping topics (clawhavoc, code, credential, skill); earlier AMOS coverage from 2026-03-16.

  3. Shared entity: SkillFortify / Same source / Earlier coverage

    Sleeper Cell Backdoors in Fine-Tuned Models: Poisoned LoRAs Pass All Benchmarks

    Both cover SkillFortify; cite the same source (arXiv:2603.00195); earlier SkillFortify coverage from 2026-03-05.

  4. Research Papers

    Both cover SkillFortify; cite the same source (arXiv:2603.00195); earlier SkillFortify coverage from 2026-03-05.

  5. Same source domain / Shared topic

    AgentSkillOS: Skill Orchestration at Ecosystem Scale

    Reported by the same outlet (arxiv.org); overlapping topics (capability, code, ecosystem, skill).

  6. Shared entity: README / Same source domain / Earlier coverage

    Your CLAUDE.md is doing something. Whether it helps depends entirely on how you wrote it.

    Both cover README; reported by the same outlet (arxiv.org); earlier README coverage from 2026-06-14.

  7. Your AI-Written Code Works. Its Dependencies Don't.

    Both cover README; reported by the same outlet (arxiv.org); earlier README coverage from 2026-05-08.

  8. Shared entity: README / Shared topic / Earlier coverage

    Addy Osmani Open-Sources 19 Google Engineering Practices as AI Agent Slash Commands

    Both cover README; overlapping topics (code, skill); earlier README coverage from 2026-04-11.

Source trail

Entities

Provenance

AI generated
no
Story unit
2026-06-20-skillfortify-documents-a-real-campaign-that-pushed-1-200-malicious-skills-into-a-public-marketpl
Labels
source-backed, canonical briefing excerpt