Snyk's ToxicSkills research reveals critical security vulnerabilities in the AI Agent Skills ecosystem. Scanning 3,984 skills from ClawHub and skills.sh, researchers found 13.4% contain critical security issues and 36.82% have at least one security flaw. The study confirmed 76 malicious payloads designed for credential theft, backdoor installation, and data exfiltration, with 8 remaining publicly available. Attack techniques include external malware distribution, obfuscated data exfiltration, and security disablement. The research introduces an 8-category threat taxonomy and the open-source mcp-scan tool for detecting malicious patterns in agent skills that power OpenClaw, Claude Code, and Cursor.
Table of contents
The threat landscape: Agent Skills under attack
Our methodology: Building a threat taxonomy
The findings: 534 Agent Skills with critical security issues
Attack techniques: How malicious skills operate
100% of confirmed malicious skills contain malicious code
Beyond malware: The "Insecure by Design" problem of agentic systems
How to defend against ToxicSkills and agent malware
ToxicSkills summary
IOCs: Indicators of Compromise