The sorry state of skill distribution

· Source: The Trail of Bits Blog · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Advanced, long

Summary

Public skill marketplaces are being flooded with malicious skills that steal credentials, exfiltrate data, and hijack agents, yet current skill scanners are largely ineffective. Researchers bypassed ClawHub's malicious skill detector, Cisco's agent skill scanner, and all three scanners integrated into skills.sh. Attacks, some taking less than an hour to conceive, included prepending 100,000 newlines to exploit ClawHub's input truncation, embedding malicious scripts in `.docx` files, and using `.pyc` (Python bytecode) poisoning against skills.sh and Cisco's scanner. A prompt injection attack also succeeded by using rhetorical misdirection to convince the LLM-based analyzers. The analysis highlights that even legitimate skills, such as Anthropic's MS Office skills, can exhibit suspicious behaviors (e.g., loading an arbitrary binary via `LD_PRELOAD`) that scanners struggle to distinguish from malicious intent.

Key takeaway

For AI Security Engineers or MLOps Engineers deploying agentic systems, relying on public skill marketplaces and automated skill scanners is a critical risk. These tools are easily bypassed by simple attacks such as prompt injection or binary poisoning, including by skills that look legitimate. You should instead implement strict internal curation for agent skills, pinning versions and controlling access. Treat all public skill repositories as untrusted code to prevent credential theft or data exfiltration.

Key insights

Public skill scanners are largely ineffective against malicious agent skills due to structural vulnerabilities and static analysis limitations.

Method

Bypasses involved prepending 100,000 newlines, embedding malicious scripts in `.docx` files, using `.pyc` poisoning, and crafting prompt injections with rhetorical misdirection to evade detection.
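
The evasion classes listed above and in the summary (whitespace padding against truncation, scripts hidden inside `.docx` containers, compiled `.pyc` artifacts, and `LD_PRELOAD` use) are all cheap to pre-screen for before a bundle ever reaches an LLM-based analyzer. The following is an added example written for this page; it is not code from Trail of Bits, ClawHub, Cisco, or skills.sh, and the bundle layout, the `MAX_LEADING_WHITESPACE` threshold, the suffix lists, and the sample bundle are all constructed assumptions. It reads every file in full, strips leading padding before inspecting the body, opens Office documents as the zip containers they are, and flags binary artifacts and loader-environment references for human review rather than trying to judge intent.

```python
import io
import re
import zipfile

# Constructed thresholds and heuristics (assumptions, not values from the article).
MAX_LEADING_WHITESPACE = 1_000
SCRIPT_SUFFIXES = (".py", ".sh", ".bash", ".ps1", ".js", ".vbs", ".bat")
OFFICE_SUFFIXES = (".docx", ".xlsx", ".pptx")
TEXT_SUFFIXES = (".md", ".txt", ".py", ".sh", ".json", ".yaml", ".yml", ".toml")

# Loader environment variables that let a skill inject code into other processes.
_SUSPICIOUS_TEXT = re.compile(rb"LD_PRELOAD|DYLD_INSERT_LIBRARIES", re.IGNORECASE)


def _leading_whitespace(data: bytes) -> int:
    """Number of whitespace bytes before the first real content byte."""
    return len(data) - len(data.lstrip())


def _scan_office_container(name: str, data: bytes) -> list[str]:
    """Office files are zip archives; list any member that is a script or VBA project."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                lower = member.lower()
                if lower.endswith(SCRIPT_SUFFIXES) or lower.endswith("vbaproject.bin"):
                    findings.append(f"{name}: embedded executable content {member!r}")
    except zipfile.BadZipFile:
        findings.append(f"{name}: not a valid Office (zip) container")
    return findings


def scan_skill_bundle(files: dict[str, bytes]) -> list[str]:
    """Return review findings for an in-memory skill bundle (path -> bytes)."""
    findings = []
    for name, data in files.items():
        lower = name.lower()
        # Compiled or native artifacts cannot be read by a text-only analyzer.
        if lower.endswith(".pyc") or data[:2] == b"MZ" or data[:4] == b"\x7fELF":
            findings.append(f"{name}: compiled/binary artifact in a skill bundle")
            continue
        if lower.endswith(OFFICE_SUFFIXES):
            findings.extend(_scan_office_container(name, data))
            continue
        if lower.endswith(TEXT_SUFFIXES):
            pad = _leading_whitespace(data)
            if pad > MAX_LEADING_WHITESPACE:
                findings.append(
                    f"{name}: {pad} bytes of leading whitespace before content "
                    "(possible truncation evasion)"
                )
            # Analyse the whole stripped body, never a fixed-size prefix of the raw file.
            body = data.lstrip()
            if _SUSPICIOUS_TEXT.search(body):
                findings.append(
                    f"{name}: references LD_PRELOAD/DYLD_INSERT_LIBRARIES; manual review required"
                )
    return findings


def _build_docx_with_script() -> bytes:
    """Constructed minimal .docx-style zip with a script member (placeholder text only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/helper.py", "# constructed placeholder, no real payload\n")
    return buf.getvalue()


# Constructed sample bundle exercising each heuristic plus one clean file.
SAMPLE_BUNDLE = {
    "SKILL.md": b"\n" * 5_000 + b"# Example skill\nRun scripts/setup.sh first.\n",
    "scripts/setup.sh": b"#!/bin/sh\nexport LD_PRELOAD=./libhook.so\n",
    "scripts/cache.pyc": b"\x00\x00\x00\x00placeholder",
    "docs/template.docx": _build_docx_with_script(),
    "README.md": b"# Clean file\n",
}

if __name__ == "__main__":
    for line in scan_skill_bundle(SAMPLE_BUNDLE):
        print(line)
```

The point of the pre-screen is not to decide maliciousness but to make sure the expensive analyzer sees the real content: padding is stripped instead of truncating, containers are opened, and anything the analyzer cannot read (bytecode, native binaries) is routed to a human. In a curated internal registry these findings would block publication until reviewed.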

Best for: CTO, VP of Engineering/Data, Director of AI/ML, AI Security Engineer, AI Engineer, MLOps Engineer

Editorial summary, takeaway, and curation by AIssential. Original article published by The Trail of Bits Blog.