"Robot Fight" by REL Waldman is licensed under CC BY-SA 2.0.

‍

‍

The Current State of the Marketplace

‍

It seems in tech, we have to learn lessons the hard way, then forget them to learn them again.

‍

PyPi, NPM, and RubyGems all have a history of security issues, including malicious packages, malicious authors, and breaches. We’re repeating the story with AI skills and agents.

‍

Claude Code has been the story for the last month with its ability to build software (and more) much faster and more accurately than many AI tools have in the past. There is a whole ecosystem of community plugins to enhance its ability, called Skills. 

‍

There are many marketplaces to get skills from, and the ecosystem is expanding quickly.

‍

Here is how Claude itself describes skills:

‍

Claude Code Skills are markdown files (typically stored in .claude/ directories) that give Claude Code reusable instructions for specific tasks, like coding conventions, deployment steps, or project-specific workflows, so it can follow your team's patterns consistently. When you or Claude Code reference a skill, it reads those markdown instructions to guide its behavior, essentially acting as a persistent, project-aware context that makes Claude Code more effective over time.

‍

Skills are really just markdown files that are included in Claude prompts to enhance the work Claude does. It can include scripts or commands to run.

‍

Again from Claude:

‍

Skills can include any instructions that Claude Code can execute, including shell commands via the Bash tool. A skill might instruct Claude to run test suites, build commands, linters, scripts, or any other CLI operation as part of its workflow.

‍

For example, the TDD skill directs Claude to run tests at specific points in the cycle. The verification skill requires running commands and checking output before claiming work is done.

‍

There's no special syntax for it, you just write the instructions in the skill body, and Claude follows them using its normal tools. The user still gets prompted to approve commands based on their permission Settings.

‍

This is especially important when thinking about malicious use cases. Much like application dependencies, most users don’t review skills before they are downloaded.

‍

Within Claude Code, it’s as easy as:

‍

/plugin install superpowers@superpowers-marketplace

‍

You’ve now added instructions from a third party into your Claude session when using these skills. It can include scripts and subtle commands. Some require approval to use, others don’t.

‍

‍

The Problem

‍

There’s already been a lot of reporting about issues in the marketplaces and even more in the OpenClaw ecosystem.

‍

From Snyk:

‍

“Snyk security researchers have completed the first comprehensive security audit of the AI Agent Skills ecosystem, scanning 3,984 skills from ClawHub and skills.sh as of February 5th, 2026 - the largest publicly available corpus of agent skills currently known. The findings are stark: 13.4% of all skills, or 534 in total, all contain at least one critical-level security issue, including malware distribution, prompt injection attacks, and exposed secrets. Expand to any severity level, and over a third of the ecosystem is affected: 36.82% (1,467 skills) have at least one security flaw, from hardcoded API keys and insecure credential handling to dangerous third-party content exposure”.

‍

Claude Skills are incredibly useful, but companies must have a strategy for how to utilize them securely. We’ve spent years as an industry trying to improve the dependency ecosystem with toolings, SBOMs, and awareness; we’re starting this journey with the AI ecosystem now as well.

‍

‍

A Solution

‍

Cloud Security Partners has developed a Claude Skill to help review Claude Skills (ironic we know).

‍

We’ve open-sourced it at: https://github.com/CloudSecurityPartners/skills

‍

This skill will safely check out the skill's source code and review it for potentially malicious commands. It also reviews the repository using the data from the OSS Scorecard.

‍

OSS Scorecard:

‍

Scorecard is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve in order to strengthen the security posture of your project. You can also assess the risks that dependencies introduce, and make informed decisions about accepting these risks, evaluating alternative solutions, or working with the maintainers to make improvements.

‍

Reviewing the Skill, looking for malicious patterns, and using the Scorecard’s heuristics to look at the trust of the repository give companies a better view of each Skill's risk. We’d love feedback and contributions to improve it.

‍

The AI ecosystem is moving incredibly quickly, and security is still laying the foundation of how to utilize these tools. We have to apply the lessons we’ve learned the hard way and quickly build the tools and strategies to enable organizations to build securely. 

We've been here before. Every time a new package ecosystem takes off, security is an afterthought until it isn't. The difference now is that AI skills don't just pull in code; they pull in instructions that shape how your AI agent behaves, what it runs, and what it has access to. The blast radius is different, and arguably worse.

The good news is we don't have to start from zero. The patterns for vetting dependencies, auditing supply chains, and building trust signals already exist. We just need to apply them before the next headline, not after. Our skill is a small step in that direction, and we hope it pushes others to build on it.

If you're using Claude Code skills in any serious capacity, treat them like you would any third-party dependency: review them, understand what they do, and have a process. The tooling will catch up; it always does, but in the meantime, don't be the case study.

‍