An AI agent you deploy to automate customer support queries suddenly starts leaking API keys to an external server. Your incident response team traces it back to a "helpful" skill you installed three weeks ago—one that 200 other organizations also downloaded. This isn't hypothetical. Snyk's security audit of the Agent Skills ecosystem just documented exactly this scenario playing out across ClawHub, the largest repository for AI agent capabilities.
What Happened
Snyk conducted a security audit of the Agent Skills ecosystem, focusing on ClawHub's repository of pre-built capabilities that developers integrate into AI agents. The research team analyzed thousands of skills—modular code packages that extend AI agent functionality, similar to npm packages for Node.js or PyPI packages for Python.
The findings: 13.4% of all skills (534 total) contain at least one critical-level security issue. Across the ecosystem, 36.82% of skills (1,467 in total) have at least one security flaw. Snyk confirmed 76 malicious payloads designed for credential theft, data exfiltration, or system compromise. At the time of the audit, 8 of these malicious skills remained publicly available and downloadable on ClawHub.
Timeline
The Agent Skills ecosystem lacks the maturity and security infrastructure of established package repositories. Unlike npm or PyPI, which developed security scanning, malware detection, and code signing over years, ClawHub and similar AI skill repositories launched with minimal security controls.
Snyk's audit represents a snapshot of the ecosystem at a specific point, not a tracked incident timeline. The research revealed vulnerabilities that had been present and exploitable since the skills were published—some for months. The 8 malicious payloads still available during the audit had been accessible to anyone who searched for relevant functionality.
This mirrors the early days of npm and PyPI, when malicious packages routinely remained available for weeks or months before detection. The difference: AI agents often run with elevated permissions and access to sensitive systems, making the blast radius of a compromised skill significantly larger.
Which Controls Failed or Were Missing
The audit exposed three fundamental control failures:
No mandatory security scanning. ClawHub does not require skills to pass security analysis before publication. Developers can publish skills with hardcoded credentials, SQL injection vulnerabilities, or command injection flaws without triggering any automated review. The 534 skills with critical issues would have been flagged by basic static analysis.
No code signing or provenance verification. Skills lack cryptographic signatures linking them to verified publishers. You cannot verify that a skill claiming to be from "DataCorp" actually came from DataCorp's development team. This enabled the 76 confirmed malicious payloads to masquerade as legitimate utilities.
No input validation framework. The ecosystem provides no standardized approach for sanitizing inputs to AI agents. Prompt injection attacks—where malicious instructions are embedded in user input or external data sources—succeeded because skills process untrusted data without validation. Traditional input validation libraries don't address prompt injection, and the Agent Skills ecosystem has not developed equivalent protections.
What the Relevant Standards Require
OWASP ASVS v4.0.3 addresses supply chain security in Requirement 14.2.1: "All components should be up to date with proper security configuration and not contain known vulnerabilities." The Agent Skills ecosystem fails this baseline—you cannot verify if a skill contains known vulnerabilities without running your own analysis.
NIST 800-53 Rev 5 Control SA-12 (Supply Chain Protection) requires organizations to "employ integrity verification tools to detect unauthorized changes to software and firmware." For AI skills, this means:
- Verifying skill signatures before installation
- Scanning for malicious code patterns
- Monitoring skill behavior post-deployment
None of these controls exist in the current ClawHub implementation.
ISO/IEC 27001:2022 Annex A.8.30 (Outsourced Development) requires security controls for externally developed software. When you install a ClawHub skill, you're outsourcing development to an unknown third party. ISO 27001 mandates code review, security testing, and contractual security requirements—all absent from the Agent Skills ecosystem.
SOC 2 Type II Common Criteria CC6.1 (Logical and Physical Access Controls) requires restricting access to sensitive resources. AI agents with installed skills often bypass this control entirely, granting the skill implicit access to whatever the agent can reach: databases, APIs, file systems, and external services.
Lessons and Action Items for Your Team
Treat AI skills as untrusted code. Do not install skills directly into production AI agents. Set up an isolated testing environment where you can:
- Run the skill with simulated data
- Monitor all network calls it makes
- Review the actual code (if available) for hardcoded credentials or suspicious patterns
- Test with malicious inputs to verify it handles prompt injection attempts
Build a skill approval process. Create an internal registry of vetted skills. Before a skill enters your registry:
- Run it through static analysis tools (SAST)
- Check dependencies for known vulnerabilities
- Verify the publisher's identity and reputation
- Document what permissions and data access the skill requires
Implement runtime monitoring. AI agents should run with monitoring that flags:
- Unexpected network connections
- Access to resources outside the agent's documented scope
- Attempts to execute system commands
- Exfiltration patterns (large data transfers to external IPs)
Restrict agent permissions. Apply least privilege to AI agents. If an agent handles customer support, it should not have write access to your user database. Use separate service accounts with minimal permissions for each agent. When a malicious skill tries to escalate privileges, it should hit permission boundaries immediately.
Develop prompt injection defenses. Unlike SQL injection, prompt injection lacks mature defensive tools. Start with:
- Input sanitization that strips or escapes special tokens
- Output validation that checks for unexpected system commands in agent responses
- Sandboxing that isolates agents from sensitive operations
- Monitoring for anomalous behavior patterns
The Agent Skills ecosystem will mature, but you're deploying agents today. The 1,467 vulnerable skills Snyk found represent the current state of supply chain risk in AI systems. Your security controls need to account for an ecosystem that hasn't yet learned the lessons npm and PyPI learned through years of incidents.
