Back to Blog
AISecurityClaudeStrategy

Don't Install Random AI Skills. Here's What Can Actually Happen.

Here's a thing most people using AI agents haven't noticed yet: when you install a "skill" for Claude Code, Cursor, OpenClaw, or any other agent, that skill runs with the full permissions of your AI.

That means: shell access on your machine. Read and write on your file system. Access to credentials in environment variables. The ability to send messages through your accounts. Sometimes persistent memory across sessions.

All you have to do is click install.

The numbers nobody wants to read

Snyk did the first comprehensive audit of the AI skills ecosystem in February. They scanned almost 4,000 skills from the biggest marketplaces.

13.4% had critical security issues. Roughly one in seven. 36.8% had at least one security flaw. Over a third. They confirmed 76 actively malicious skills designed to steal credentials, install backdoors, exfiltrate data. Eight of them were still live on the marketplace when the report was published.

The barrier to publishing a new skill on these platforms? A markdown file and a one-week-old GitHub account. No code signing. No security review. No sandbox.

Sound familiar? It's the early days of npm and PyPI all over again. Except this time the packages have your AI's permissions, which means they have your permissions.

A real example from the wild

A few months ago, Datadog's security team found a skill called Clawsights. It presented itself as a leaderboard for Claude Code users — install our skill, see where you rank, share your stats. Nice idea.

What it actually did: grabbed your GitHub authentication token using `gh auth token` and uploaded it to the attacker's server, disguised as "uploading a usage report." If you had organization access, private repos, or production credentials linked to that token, the attacker had them too.

The model — Claude — actually caught it in some tests. Read the skill, recognized the credential theft, refused to run it. That's the defense you want.

But here's the cleverer attack: skills support something called dynamic context. Lines in a skill prefixed with `!` run before the model ever sees the rendered prompt. So if the attacker puts the credential-stealing command in a dynamic context line, the model has no chance to refuse. The command runs during preprocessing. By the time the model speaks up, the data is already gone.

What to actually do

Three things, if you use AI agent skills:

  1. Vet every skill before you install it. Open the SKILL.md file. Read it. Look for `curl`, `wget`, `gh auth`, `~/.ssh`, environment variable reads, base64-decoded commands, password-protected zips. If you don't understand what a line does, don't install the skill.

2. Check the author. A one-week-old GitHub account with one skill is not the same as an organization with a year of clean history.

3. Treat repos with `.claude/` directories like third-party packages. When you clone someone else's project and open it in Claude Code, you're installing every skill that lives in that repo. The "Trust this workspace?" prompt is there for a reason. Mean it.

The bigger picture

We are watching the supply chain attack pattern transplant itself onto AI tools, in real time. The same playbook that hit npm, PyPI, and typosquatting attacks will hit AI skill marketplaces too — except now the payload runs with your AI's privileges instead of a sandboxed Node process.

The convenience of "describe what you want and let AI install the right skill" is going to be one of the biggest security gaps of the next two years.

Be deliberate. Read what you install. And don't outsource your judgment to a marketplace that doesn't vet anything.