Yi Liu and their team analyzed the skills ecosystem in their paper, "Agent Skills in the Wild: An Empirical Study of Security Vulnerabilities at Scale."
First, what are agent skills? They utilize an open format that gives agents new capabilities and expertise through instructions, resources, and code.
Anthropic rightly warns us that Skills provide Claude with new capabilities through instructions and code. While this makes them powerful, it also means a malicious skill can direct an AI agent to invoke tools or execute code in ways that don't match the skill's stated purpose.
Pretty alarming findings from the researchers:
- Analyzed 31,132 skills from the SkillsREST and SkillsMP marketplaces
- 26.1% contained at least one vulnerable pattern
- Data exfiltration (13.3%) and privilege escalation (11.8%) were the most prevalent
- 5.2% had indicators of env var harvesting, credential access, hidden instructions, external script fetching, or obfuscated code
- Skills with scripts were 2.12x more likely to be vulnerable than instruction-only ones
My take:
- Agent skills in 2026 are like Chrome extensions in 2012, so things are bound to go south.
- Skills are quick to build and are getting adopted quickly; Google just announced Agent Skills in Antigravity.
- If your agent can install a skill that uses curl piped to bash, has unpinned dependencies, or reads ~/.ssh and env vars, there might already be a problem.
- "Audit [an agent skill] thoroughly before installing" is great, but theoretical, advice; we need a practical solution.
If you have practical suggestions for vetting skills in your environment, please
comment!
I know Justin Wetch has been working on something cool!
Agent Skills in the Wild: An Empirical Study of Security Vulnerabilities at Scale