Skills DirectorySkills Directory

Every Skill is Scanned Before You See It

Skills Directory runs automated security analysis on every skill in the directory. We scan for prompt injection, credential theft, data exfiltration, malware, and more — so you don't have to.

The Threat Landscape is Real

Recent research shows that agent skills are a growing attack vector.

36%

of skills in the wild have security flaws

Snyk ToxicSkills Study
341

malicious skills found on ClawHub in a single campaign

Koi Security / ClawHavoc
82%

of MCP servers have path traversal exposure

Adversa AI / Astrix
91%

of malicious skills combine prompt injection with traditional malware

Snyk ToxicSkills Study

Real-World Attacks

These aren't theoretical risks — they're documented incidents.

Snyk ToxicSkills Study

February 2026

The largest audit of agent skills to date. Snyk scanned 3,984 skills and found 1,467 with malicious payloads — credential theft, backdoors, data exfiltration. 13.4% had critical issues that simple pattern matching missed.

Read the full report

ClawHavoc Campaign

January 2026

A coordinated supply chain attack on ClawHub. 341 malicious skills delivered Atomic macOS Stealer through fake prerequisite instructions. A single actor uploaded 354 packages. Bitdefender found ~20% of all ClawHub packages were malicious.

Read the full report

Cato CTRL MedusaLocker

December 2025

Researchers weaponized a Claude Skill to deploy live ransomware. A hidden helper script ran silently alongside an approved main script — the "consent gap" between what users approve and what actually executes.

Read the full report

How We Scan Skills

Every skill goes through static analysis with 50+ detection rules across 10 threat categories.

Execution

eval(), child_process, shell pipes, dynamic code execution

Network

Hardcoded IPs, HTTP requests, WebSocket, DNS lookups

File System

Path traversal, sensitive directories, destructive operations

Obfuscation

Base64 encoding, character codes, hex-encoded strings

Credentials

SSH keys, API key patterns, keychain access, env harvesting

Persistence

Cron jobs, startup scripts, systemctl, launchctl

Prompt Injection

Instruction override, developer mode, system impersonation, unicode smuggling

Data Exfiltration

Credential exfil via curl, environment variables sent to URLs

Hidden Helpers

External code downloads, password-protected archives, file encryption

Supply Chain

Remote exec pipes, runtime npm install, postinstall hooks

Rules are weighted by confidence level. Findings inside markdown code fences receive reduced penalties to minimize false positives.

Scoring & Grading

Each skill starts with a score of 100. Points are deducted based on finding severity.

Severity Penalties

SeverityPenalty
Critical-25 points
High-15 points
Medium-8 points
Low-3 points
Info0 points

Low-confidence findings receive a 50% penalty reduction.

Grade Scale

GradeScoreMeaning
A90 - 100No significant issues found
B75 - 89Minor concerns, generally safe
C60 - 74Some issues, review recommended
D40 - 59Significant concerns
F0 - 39Critical security issues detected

Skills Directory by the Numbers

Live data from our security scanning pipeline.

36,109

Skills scanned

34,092

Grade A skills

94%

Pass rate (A)

50+

Detection rules

Grade Distribution

A
34,092 (94%)
B
1,201 (3%)
C
576 (2%)
D
156 (0%)
F
84 (0%)

By default, we only show grade-A skills.

Browse Safe SkillsAPI Docs