Agent Skills Security Audit Guide: How to Verify SKILL.md Files Before You Install

More than one in three community-published agent skills contains a security flaw. Of the 3,984 skills scanned by Snyk's ToxicSkills research across ClawHub and skills.sh, 1,467 (36.82%) carried at least one vulnerability. 534 of those (13.4% of the total pool) reached critical severity. Researchers confirmed 76 fully malicious payloads, with eight still live at publication (Snyk ToxicSkills).

Every single confirmed malicious skill combined two attack layers: traditional code-level payloads paired with prompt injection. The prompt injection primes the AI agent to accept and execute code that a human reviewer, or the agent's own safety mechanisms, would ordinarily flag. This dual-layer approach defeats both AI safety mechanisms and traditional static analysis tools.

48% of cybersecurity professionals identify agentic AI and autonomous systems as the single most dangerous attack vector (Bessemer Venture Partners). The skill ecosystem is expanding at speed. Registries are open. Trust signals are gameable. And the verification infrastructure lags behind the adoption curve.

This guide maps the full threat landscape, documents every known incident, and delivers a 15-point security audit checklist you can apply before installing any agent skill.

The Threat Landscape: Eight Vulnerability Types Every Developer Must Recognise

Agent skills combine executable code, natural-language instructions, and configuration files into a single artifact. Each layer opens a distinct attack surface. The fastest 25% of intrusions in 2025 reached data exfiltration in 72 minutes, down from 285 minutes the prior year (Palo Alto Networks Unit 42). The window between compromise and data loss is shrinking faster than most teams can respond. The following eight vulnerability categories cover the full threat landscape documented by security researchers as of April 2026.

1. Prompt Injection in SKILL.md Files

Attack vector: A SKILL.md file embeds malicious instructions in natural language. These instructions override the agent's intended behaviour, hijack its role, or jailbreak safety measures. Because SKILL.md files are plain Markdown, they bypass code review tool detection entirely.

Real example: Snyk researchers demonstrated that a SKILL.md file can grant shell access in three lines of Markdown. The file redirects the agent to execute arbitrary shell commands, exfiltrate files, or modify code in ways that remain hidden from the developer (Snyk, "From SKILL.md to Shell Access in Three Lines of Markdown").

Impact: Full agent hijacking. The skill controls the agent's behaviour during the entire session, including any tools the agent has access to (filesystem, terminal, network).

2. Configuration File Weaponisation

Attack vector: Repository-level configuration files (.cursorrules, CLAUDE.md, mcp.json, .vscode/tasks.json) execute code or alter agent behaviour when a developer opens or clones a project.

Documented CVEs:

CVE-2025-59944 (Cursor): A case-sensitivity bug allows a file named .Cursorrules to silently override .cursorrules on case-insensitive filesystems (Windows, macOS). The developer sees one configuration file; the agent follows a different one (Lakera).

CVE-2025-59536 (Claude Code, CVSS 8.7): MCP server configuration injection leads to remote code execution. Opening a conversation initialises all MCP servers by running commands from the config file (Check Point Research).

CVE-2026-21852 (Claude Code, CVSS 5.3): Overriding the ANTHROPIC_BASE_URL in project configuration files redirects all API communications to an attacker-controlled endpoint, exfiltrating the API key (Check Point Research).

CVE-2025-54135 (Cursor CurXecute): The mcp.json file auto-runs new MCP server entries on open, bypassing the confirmation prompt entirely (Security Boulevard).

Impact: Remote code execution on the developer's machine, credential theft, API key exfiltration.

3. Security Rules Bypass via Command Complexity

Attack vector: When a shell command contains more than 50 subcommands (joined by &&, ||, or ;), Claude Code skips all per-subcommand deny-rule enforcement and falls back to a generic prompt that can be auto-allowed.

Attack scenario: A malicious CLAUDE.md file embeds a build script with 51+ chained commands. Claude Code processes the chain as a single unit, and deny rules that would block individual subcommands are silently bypassed. Assets at risk include SSH private keys, AWS credentials, GitHub tokens, npm tokens, and environment secrets (Adversa AI).

Impact: Complete bypass of the platform's security enforcement layer. Any command the attacker embeds in the chain executes with full user privileges.

4. Silent Codebase Exfiltration

Attack vector: A skill packaged as a legitimate utility (testing helper, formatter, linter) silently reads and transmits the entire project codebase to attacker-controlled infrastructure.

Real-world proof: Mitiga Labs published a proof-of-concept skill to skills.sh, framed as a testing utility. They artificially inflated download counts to establish perceived legitimacy. Once installed, the skill weaponised a "Definition of Done" so the agent would faithfully push the entire local repository to an attacker's public branch. The complete exfiltration required only four user interactions, and the skill-audit.log remained entirely empty (Mitiga).

Impact: Full source code theft with zero audit trail.

5. Registry Poisoning and Skill Squatting (ClawHavoc)

Attack vector: Mass upload of malicious skills to public registries, using typosquatting (naming a malicious skill nearly identically to a popular one) and exploiting open-upload registration models.

Real-world incident: The ClawHub registry was systematically poisoned in what researchers named the ClawHavoc campaign. Koi Security initially identified 341 malicious entries. The count grew to 824+ across 10,700+ skills. CyberPress ultimately reported 1,184 malicious skills. At the peak of the infection, five of the top seven most-downloaded skills were confirmed malware. 335 of these skills installed the Atomic Stealer (AMOS) macOS infostealer via fake prerequisites (The Hacker News).

Impact: Thousands of developers exposed to credential-stealing malware through a trusted registry. Download-count reputation signals proved entirely unreliable as a trust mechanism.

6. MCP Tool Poisoning and Server Compromise

Attack vector: Malicious or manipulated MCP (Model Context Protocol) tool definitions that pass into AI agent contexts, resulting in unauthorised execution or data leakage. For a full visual breakdown of MCP protocol security, see the MCP Security Visual Audit.

Statistics: Endor Labs analysed 2,614 MCP implementations and found that 82% use file operations prone to path traversal, 67% use APIs related to code injection, and 34% use APIs susceptible to command injection (Endor Labs). Beyond individual implementation bugs, a design-level weakness in the MCP protocol itself affects 7,000+ servers and 150 million downloads, making MCP trust boundary revalidation a systemic concern (The Register).

CVE examples from Anthropic's own mcp-server-git (January 2026):

• CVE-2025-68143: git_init allowed repository creation at arbitrary filesystem paths
• CVE-2025-68145: Path arguments bypassed allowed scope boundaries
• CVE-2025-68144: User-controlled arguments passed to Git CLI with zero sanitisation

Over 30 CVEs were filed against MCP implementations in the first 60 days of 2026 alone. Across the broader MCP ecosystem, 50+ vulnerabilities have been tracked across servers, clients, and infrastructure, with 13 rated critical. Nine out of 11 MCP marketplaces were successfully poisoned in research (PipeLab).

Impact: Arbitrary code execution, credential theft, and lateral movement through developer environments.

7. Privilege Escalation (CVE-2026-32922, CVSS 9.9)

Attack vector: Exploiting flaws in agent platform APIs to escalate from limited to full administrative access.

Real-world CVE: CVE-2026-32922 in OpenClaw received a CVSS score of 9.9. The device.token.rotate function fails to constrain newly minted token scopes. A single API call converts a pairing token into full administrative control with remote code execution capability. The platform carries 340,000+ GitHub stars and 135,000+ exposed instances (ARMO).

Impact: Full administrative takeover of the agent platform, including the ability to execute arbitrary code on every connected instance.

8. Indirect Prompt Injection via External Content

Attack vector: Malicious instructions hidden in files, web pages, or command outputs that the agent reads during normal operation. The attacker operates indirectly, embedding payloads in content the agent processes as part of its workflow.

Attack scenario: A developer clones a seemingly helpful open-source library. Buried in a Markdown file or code comment are instructions that redirect the agent's behaviour when Claude Code reads the file. The instructions may exfiltrate code, modify security settings, or establish persistence for future sessions (Lasso Security).

Impact: Agent behaviour modification through content the developer considers trustworthy.

Real Incidents: Eight Documented Attacks

The threat categories above map directly to incidents that have already occurred. Each entry below names what happened, the measurable impact, and the resolution (where one exists).

Incident 1: ClawHavoc Registry Poisoning (February 2026)

What happened: Attackers systematically poisoned the ClawHub registry. The count rose from 341 to 1,184 confirmed malicious skills published to the platform. ClawHub allowed uploads from any GitHub account older than one week, providing a minimal barrier to entry.

Impact: Five of the top seven most-downloaded skills at peak infection were confirmed malware. 335 skills deployed the Atomic Stealer (AMOS) macOS infostealer through fake prerequisite installations, targeting developer credentials, browser sessions, and cryptocurrency wallets.

Resolution: ClawHub implemented stricter upload controls after the disclosure. Five named threat actors were identified operating across multiple platforms simultaneously (The Hacker News).

Incident 2: Mitiga Silent Exfiltration Proof of Concept

What happened: Mitiga Labs published a skill to skills.sh disguised as a testing utility. They artificially inflated the download count to create the appearance of community trust. The skill weaponised a "Definition of Done" instruction that directed the agent to push the entire local repository to an attacker-controlled public branch.

Impact: Complete codebase exfiltration in four user interactions. The skill-audit.log remained entirely empty throughout the operation, demonstrating that skills can bypass audit logging entirely.

Resolution: Published as a responsible disclosure to demonstrate the attack surface. The incident proved that reputation metrics (download counts, star ratings) provide zero reliable security signal (Mitiga).

Incident 3: Cursor Open-Folder Autorun

What happened: Cursor ships with Workspace Trust disabled by default. A malicious .vscode/tasks.json file placed in a cloned repository triggered silent code execution the moment a developer opened the folder.

Impact: Arbitrary code execution with zero user interaction beyond opening a project directory.

Resolution: Vulnerability disclosed via Oasis Security. The incident demonstrated that agent platforms inherit legacy IDE trust model weaknesses and amplify them with AI capabilities (Oasis Security).

Incident 4: Claude Code Config-Based RCE (CVE-2025-59536, CVSS 8.7)

What happened: Check Point Research discovered that malicious MCP server configuration entries in project files trigger arbitrary command execution. Opening a conversation in a cloned repository initialises all MCP servers by running commands defined in the configuration (Check Point Research).

Impact: Remote code execution on any developer who opens a conversation in a repository containing the malicious configuration.

Resolution: Anthropic patched the vulnerability. The CVE carries a CVSS score of 8.7, reflecting the ease of exploitation and the severity of the outcome.

Incident 5: Claude Code API Key Exfiltration (CVE-2026-21852, CVSS 5.3)

What happened: A project configuration file overrides the ANTHROPIC_BASE_URL environment variable, redirecting all Claude Code API communications to an attacker-controlled endpoint.

Impact: Complete API key exfiltration. Every request the developer makes through Claude Code is silently proxied through the attacker's server.

Resolution: Anthropic patched the configuration override mechanism (Check Point Research).

Incident 6: OpenClaw Privilege Escalation (CVE-2026-32922, CVSS 9.9)

What happened: The device.token.rotate function in OpenClaw failed to constrain newly minted token scopes. A single API call converted a limited pairing token into full administrative access with remote code execution capability.

Impact: 135,000+ exposed instances. Any attacker with a pairing token (a low-privilege credential distributed during device onboarding) could escalate to full platform control.

Resolution: OpenClaw released a patch. ARMO published the full disclosure, including scanning data showing the number of exposed instances (ARMO).

Incident 7: Supabase Cursor Agent Exploitation

What happened: A Cursor agent running with privileged service-role access processed support tickets containing user-supplied input. Attackers embedded SQL instructions in the support ticket text.

Impact: The agent executed the injected SQL, reading and exfiltrating sensitive integration tokens from the database. The agent's elevated privileges meant the injected queries had full read access to production data.

Resolution: The incident highlighted the intersection of excessive agent permissions and indirect prompt injection via user-controlled input (Practical DevSecOps).

Incident 8: mcp-remote Package Command Injection (CVSS 9.6)

What happened: A command injection vulnerability was discovered in mcp-remote, a widely used MCP connectivity package.

Impact: Over 437,000 downloads affected. The vulnerability carried a CVSS score of 9.6, reflecting the trivial exploitation difficulty and the severe potential impact across the MCP ecosystem.

Resolution: Patch issued. The incident underscored that MCP infrastructure components carry supply-chain risk equivalent to traditional package managers (PipeLab).

The 15-Point Security Audit Checklist

This checklist is the core deliverable. It organises into three phases: pre-installation checks (items 1 through 5), SKILL.md content review (items 6 through 10), and runtime controls (items 11 through 15). Apply all 15 items to every skill before it enters your project.

Phase 1: Pre-Installation Checks

1. Verify the skill author's identity. Confirm the publisher's GitHub account age, contribution history, and cross-reference with known publishers. The ClawHavoc campaign exploited ClawHub's open-upload model, which allowed any GitHub account older than one week to publish skills. Set a minimum account age threshold of 90 days. Flag accounts with single-purpose repositories or contribution histories that begin and end with skill publishing (Snyk ToxicSkills).

2. Validate registry integrity and reputation signals. Treat download counts, stars, and reputation scores as informational only. The Mitiga proof-of-concept demonstrated that these metrics can be artificially inflated. Five of the top seven most-downloaded ClawHub skills at peak infection were confirmed malware. Cross-reference popularity metrics against independent community discussion: forum threads, blog reviews, issue trackers (Mitiga).

3. Require cryptographic signatures. Use ed25519-signed skills where supported (OWASP Agentic Skills Top 10, category AST01). Validate the content_hash field in skill manifests before installation. A valid signature confirms the skill has arrived unmodified from the declared publisher. Unsigned skills require manual code review before any installation proceeds (OWASP AST01).

4. Audit dependency pinning. Confirm all skill dependencies are pinned to immutable hashes (OWASP AST07). Flag any skill using unpinned or floating version ranges (^, ~, *, latest). Floating ranges enable deferred dependency attacks where a benign dependency is later replaced with a malicious version (OWASP AST07).

5. Run automated scanning before installation. Pass every skill through Snyk Agent Scan or an equivalent tool before installation. Snyk's critical-level detectors achieve 90-100% recall on confirmed malicious skills with a 0% false positive rate on the top 100 legitimate skills. Treat any CRITICAL-level finding as a hard blocker. The free web interface at labs.snyk.io/experiments/skill-scan provides immediate results with zero configuration (Snyk Agent Scan).

Phase 2: SKILL.md Content Review

6. Search for dangerous command execution patterns. Scan every file in the skill for curl | bash, eval(), exec(), os.system(), shell=True, subprocess.run() with user input, and runtime download patterns. Benign skills rarely require direct command execution. Any pattern that downloads and executes code in a single step is a red flag (Snyk ToxicSkills).

7. Detect prompt injection indicators. Read the SKILL.md line by line, looking for role-override language ("ignore previous instructions", "you are now", "override your guidelines"), hidden instructions in HTML comments or zero-width Unicode characters, and any text that attempts to redirect agent behaviour. 91% of confirmed malicious skills use prompt injection as their primary attack vector (Snyk, "SKILL.md to Shell Access").

8. Flag data exfiltration vectors. Identify outbound network calls (HTTP requests, DNS queries, webhook posts), clipboard access, and any file-read operations targeting credential stores (~/.ssh, ~/.aws, ~/.config, ~/.npmrc, ~/.docker/config.json). The Mitiga exfiltration completed in four interactions and left zero audit trail (Mitiga).

9. Identify privilege escalation patterns. Flag any request for sudo or administrative access, attempts to modify system files, token scope widening, or instructions that ask the agent to run with elevated permissions. CVE-2026-32922 demonstrated that a single API call can escalate from a pairing token to full administrative control (ARMO).

10. Detect secret exposure risks. Search for hardcoded API keys, tokens, passwords, and any instruction that directs the agent to echo, print, log, or transmit credentials. Flag skills that request access to environment variables containing secrets (ANTHROPIC_API_KEY, AWS_SECRET_ACCESS_KEY, GITHUB_TOKEN). CVE-2026-21852 demonstrated API key exfiltration through environment variable manipulation (Check Point Research).

Phase 3: Runtime Controls

11. Enforce least privilege. Verify the skill requests only the minimum permissions it needs to function (OWASP AST03). A Markdown formatting skill has zero legitimate reason to request filesystem access beyond the target file or network access of any kind. The Supabase Cursor incident demonstrated the consequences of running agents with service-role access (OWASP AST03).

12. Run skills in sandbox isolation. Confirm skills execute in isolated environments with filesystem access scoped to the project directory and network access restricted to declared endpoints. Container-based isolation (Docker, Firecracker) provides the strongest boundary. When full container isolation is impractical, use filesystem restrictions (chroot or platform-native sandboxing) and network egress filtering to limit the blast radius of any compromised skill.

13. Verify audit logging completeness. Confirm all skill actions generate audit log entries. The Mitiga exfiltration proof-of-concept completed full codebase theft while the skill-audit.log remained entirely empty, demonstrating that skills can operate below the logging threshold. Test logging by running the skill in a controlled environment and verifying that every file read, file write, network call, and command execution appears in the audit trail (Mitiga).

14. Revalidate MCP trust boundaries. For skills that use MCP servers, verify that server configurations are re-validated on every use. Cursor's trust-once model (CVE-2025-54135) allows malicious MCP server entries to persist and execute, bypassing confirmation after the initial approval. Verify that MCP tool definitions match expected schemas, that server certificates are validated, and that tool descriptions have remained unchanged since the last review (PipeLab).

15. Apply compound command analysis. For platforms that process chained shell commands, verify that security analysis applies to each subcommand individually. Claude Code's 50-subcommand bypass demonstrates that complexity itself is an attack vector. Set a maximum chain length in your team's configuration (Adversa AI).

Frameworks and Tools for Ongoing Protection

Verification at scale requires tooling that most teams have yet to adopt. Manual audits catch known patterns, yet the volume of new skills, the pace of MCP CVE disclosures (30+ in 60 days), and the hybrid nature of skill artifacts demand automated, continuously updated defences. Multiple organisations have published frameworks and tools that extend beyond one-time audits into continuous security posture management.

OWASP Agentic Skills Top 10

The first comprehensive security framework dedicated to agent skills. Key categories include skill signing (AST01/AST02), least privilege enforcement (AST03), safe parsing with approved YAML/JSON loaders (AST05), dependency pinning to immutable hashes (AST07), and governance frameworks covering inventory, approval workflows, audit logging, and agentic identity controls (AST09). owasp.org/www-project-agentic-skills-top-10

OWASP Top 10 for Agentic Applications

A broader framework covering autonomous AI systems, developed with 100+ industry experts. Addresses goal misalignment, tool misuse, delegated trust, inter-agent communication, persistent memory, and emergent autonomous behaviour. genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026

OWASP Top 10 for LLMs

The foundation framework. The latest edition added System Prompt Leakage as a new entry. Agentic risks extend these foundational LLM risks into tool-use and skill-execution contexts. genai.owasp.org/resource/owasp-top-10-for-llm-applications-2025

OWASP MCP Top 10

A dedicated framework for MCP protocol security covering tool poisoning, server impersonation, and protocol-level attacks. Essential reading for any team using MCP-based agent tooling. owasp.org/www-project-mcp-top-10

Snyk Agent Scan

An open-source security scanner that combines multiple LLM-based judges with deterministic rules. It scans for 15+ risk categories including prompt injection, tool poisoning and shadowing, toxic flows, malware payloads, credential handling, and hardcoded secrets. Available as a free CLI for CI/CD integration and as a self-service web interface. github.com/snyk/agent-scan

Lasso Security Claude Hooks

An open-source PostToolUse hook that scans tool outputs for injection patterns before Claude processes them. This runtime detection layer catches indirect prompt injection payloads that arrive through tool outputs during normal operation. github.com/lasso-security/claude-hooks

SafeDep Agent Skills Threat Model

A taxonomy of 14 vulnerability patterns across four dimensions: prompt injection, data exfiltration, privilege escalation, and supply chain risks. Covers advanced scenarios including repository hijacking, hallucinated packages, and deferred dependency attacks. safedep.io/agent-skills-threat-model

Building a Team Security Process

Individual audits are a starting point. A sustainable security posture requires a team-level process that makes verification the default. The following workflow converts the 15-point checklist into an organisational practice.

Step 1: Establish Source Verification Standards

Define which skill sources your team considers acceptable. At minimum, maintain a list of approved publishers and registries. Require that every new skill source passes a vetting process before any team member installs from it.

The ClawHavoc campaign succeeded because the registry allowed uploads from any GitHub account older than one week. A team-level minimum account age threshold (90 days is a reasonable starting point) and a requirement for multi-repository contribution history filter out the most common attacker profiles.

Step 2: Implement Mandatory Code Review for Skills

Treat every skill installation as a pull request. The skill files (SKILL.md, configuration files, executable code) go through the same review process as any other code entering your repository. Assign reviewers who have completed the Phase 2 content review checklist (items 6 through 10). For guidance on what SKILL.md files contain and how agents parse them, see the SKILL.md Files hub article.

Step 3: Require Sandbox Testing Before Approval

Every skill runs in a sandbox environment before receiving approval for production use. The sandbox mirrors the production development environment but uses disposable credentials and an isolated filesystem. Monitor all network egress during the test period. The Mitiga exfiltration completed in four interactions; a sandbox test of equivalent duration reveals exfiltration behaviour before it reaches production code.

Step 4: Maintain an Approved Skill Registry

Create an internal registry of skills that have passed your review process. This registry becomes the single source of approved skills for the team. Block installation from external registries on shared development environments and CI/CD systems. Periodically re-audit approved skills (quarterly at minimum) because deferred dependency attacks target skills that have already established trust. For a curated set of reviewed skills, browse the Skills Hub.

Step 5: Integrate Scanning into CI/CD

Add Snyk Agent Scan (or an equivalent tool) to your CI/CD pipeline. Any skill file that enters the repository triggers an automated scan. CRITICAL-level findings block the merge. This automation catches skills that pass manual review but contain obfuscated payloads or trigger conditions that activate only after installation.

Step 6: Assign a Skills Security Owner

Designate a team member as the skills security owner. This person tracks new vulnerabilities (the 30+ MCP CVEs in the first 60 days of 2026 demonstrate the pace of disclosure), updates the approved skills registry, and escalates incidents. The Unit 42 Incident Response Report found that attackers scan for new CVEs within 15 minutes of announcement; your team's response time determines your exposure window (Palo Alto Networks Unit 42).

The Developer Pain Points These Controls Address

Every control in this guide maps to a friction point that developers experience in practice.

Trust is binary and uninformed. 82% of executives report confidence in their AI policies, yet only 21% have complete visibility into agent permissions, tool usage, or data access patterns. The approved skill registry and least privilege enforcement (items 3, 4, 11) replace binary trust with graduated verification (Bessemer Venture Partners).

Verification requires security expertise developers lack. Agent skills are hybrid artifacts: code plus natural language plus configuration. Traditional code review is necessary but insufficient. The 15-point checklist provides a structured process that any developer can follow, regardless of security specialisation. Automated scanning (item 5) further reduces the expertise barrier (Medium, "I Built a Security Auditor for AI Skills").

Reputation signals are gameable. Download counts, stars, and registry rankings are the primary trust signals developers rely on. The Mitiga research and ClawHavoc campaign proved these signals can be faked. Source verification (items 1 and 2) and the approved skill registry replace gameable reputation with verified provenance.

Audit logs and runtime visibility are absent. Over half of deployed agents operate without security oversight or logging. The Mitiga exfiltration left the audit log entirely empty. Audit logging verification (item 13) and sandbox testing (Step 3) close this visibility gap (Beam AI).

Multiple configuration surfaces compound the attack perimeter. A single repository can contain .cursorrules, CLAUDE.md, .claude/settings.json, mcp.json, .vscode/tasks.json, and SKILL.md files. Each surface influences agent behaviour. The configuration file review (items 6 through 10) and MCP trust boundary revalidation (item 14) address each surface systematically. For a full comparison of when to use each configuration file, see SKILL.md vs AGENTS.md vs CLAUDE.md: When to Use Each.

What to Do Next

Run a skills audit. Apply the 15-point checklist to every skill currently installed in your development environment. Start with the skills that have the broadest permissions. Use Snyk Agent Scan for immediate automated results.

Browse verified skills. Use skills that have been independently reviewed and scored. Browse the best SKILL.md files every developer should install for curated recommendations, or explore starter templates by project type for copy-paste configs.

See the full picture. The Agent Skills Landscape infographic maps the entire ecosystem: config file comparison across 7 tools, security data, impact metrics, and a decision guide.