Security2026-06-20 · source-backed
SkillFortify documents a real campaign that pushed 1,200+ malicious skills into a public marketplace.
Story
The ClawHavoc campaign deployed the AMOS credential stealer through a skill marketplace, and the paper proposes capability-based sandboxing with a confinement proof plus a trust-score algebra (arXiv:2603.00195). An installed skill is executable third-party code sitting next to your credentials. We solved this for package managers with lockfiles, signatures, and scanning. The skills ecosystem has none of it yet. Confine by declared capability, gate on a trust score, stop running things because the README sounded nice.
Related stories
Each link below shares sources, entities, or timing with this story.
Shared entity: README / Same source domain / Shared topic / Earlier coverage / Tension
Architecture Descriptors Cut AI Coding Agent Navigation by 33-44%: 7,012 Claude Code Sessions Analyzed
Both cover README; reported by the same outlet (arxiv.org); overlapping topics (code, document).
Shared entity: AMOS / Shared topic / Earlier coverage
ClawHavoc Poisons ClawHub with 1,184 Malicious Skills: SKILL.md Poisoning Delivers macOS Stealer to 300,000+ Users
Both cover AMOS; overlapping topics (clawhavoc, code, credential, skill); earlier AMOS coverage from 2026-03-16.
Shared entity: SkillFortify / Same source / Earlier coverage
Sleeper Cell Backdoors in Fine-Tuned Models: Poisoned LoRAs Pass All Benchmarks
Both cover SkillFortify; cite the same source (arXiv:2603.00195); earlier SkillFortify coverage from 2026-03-05.
Research Papers
Both cover SkillFortify; cite the same source (arXiv:2603.00195); earlier SkillFortify coverage from 2026-03-05.
Same source domain / Shared topic
AgentSkillOS: Skill Orchestration at Ecosystem Scale
Reported by the same outlet (arxiv.org); overlapping topics (capability, code, ecosystem, skill).
Shared entity: README / Same source domain / Earlier coverage
Your CLAUDE.md is doing something. Whether it helps depends entirely on how you wrote it.
Both cover README; reported by the same outlet (arxiv.org); earlier README coverage from 2026-06-14.
Your AI-Written Code Works. Its Dependencies Don't.
Both cover README; reported by the same outlet (arxiv.org); earlier README coverage from 2026-05-08.
Shared entity: README / Shared topic / Earlier coverage
Addy Osmani Open-Sources 19 Google Engineering Practices as AI Agent Slash Commands
Both cover README; overlapping topics (code, skill); earlier README coverage from 2026-04-11.
Source trail
Entities
Provenance
- Canonical issue
- Ramsay Research Agent — June 20, 2026
- AI generated
- no
- Story unit
- 2026-06-20-skillfortify-documents-a-real-campaign-that-pushed-1-200-malicious-skills-into-a-public-marketpl
- Labels
- source-backed, canonical briefing excerpt