A real-world implementation of static + LLM-based scanning for Claude Code / Cursor skill layers
npm's supply chain defenses have matured fast. By 2026, pnpm ships with automatic 1-day release age cooldown (default ON), and npm v12 will block install scripts by default. The battle for package-layer security is being won.
But the attack surface moved. And the new frontier is invisible to traditional security.
When you run npx some-skills add frontend-design, you're importing a skill — a SKILL.md file that Claude Code will immediately parse and follow as instructions. This layer:
Bypasses package managers entirely (no cooldown, no signature check)
Evades EDR (it's just Markdown text)
Reaches the highest-trust environment: developer's local machine with all credentials loaded
And it's already compromised. ClawHub (an AI skill marketplace) was found to contain 341 malicious skills out of 2,857 (11.9%) in Feb 2026.
This article documents why existing defenses fail, what I built to solve it (skill-firewall), and the surprising UX lessons learned along the way — from symlink traps to why "warning the agent" beats "alerting the user."
Top comments (0)