📖 Read the full version with charts and embedded sources on AgentConn →
The agent skills gold rush has a security problem. GitHub Trending is wall-to-wall SKILL.md files. ClawHub crossed 50,000 published skills. Every major harness — Claude Code, Cursor, Gemini CLI, Codex — now has a skill ecosystem that teams are git clone-ing into production daily.
And the attackers noticed. Snyk's ToxicSkills research found that 13.4% of 3,984 surveyed skills contain critical security issues. 1,467 malicious payloads. 76 confirmed malware samples. The ClawHavoc campaign traced 335+ malicious skills to a single threat actor — "hightower6eu" — distributing an AMOS stealer variant through seemingly helpful skills, earning CVE-2026-25253 in the process.
This isn't hypothetical risk. It's the OWASP Agentic Skills Top 10 in production. And until last month, there was no purpose-built tooling to catch it.
That changed the same week. NVIDIA open-sourced SkillSpector, a static security scanner that analyzes agent skills before installation. Deno released Claw Patrol, a runtime firewall that sits between agents and the systems they interact with. Together, they form the first two-layer defense for the agent skills supply chain: scan before you install, firewall when you run.
The Threat Landscape by the Numbers
- 13.4% failure rate: Snyk's ToxicSkills study found critical issues in roughly 1 in 7 skills surveyed across major marketplaces.
- 335+ coordinated malicious skills: The ClawHavoc campaign was a sophisticated single-actor operation distributing credential-stealing malware.
- 76 confirmed malware samples: Actual malware that exfiltrates credentials, installs persistence mechanisms, and phones home to C2 infrastructure.
-
Zero install-time gates: Before SkillSpector, there was no equivalent of
npm auditfor agent skills.
SkillSpector: Scan Before You Install
NVIDIA/SkillSpector is the first open-source security scanner purpose-built for agent skills. It covers 64 vulnerability patterns across 16 categories: prompt injection, data exfiltration, privilege escalation, supply chain attacks, excessive agency, tool poisoning, trigger abuse, and dangerous code patterns.
SkillSpector accepts Git repositories, URLs, zip files, directories, and single files. Output is a 0-100 risk score with severity labels and actionable recommendations.
# Scan a skill from GitHub
skillspector scan https://github.com/example/my-agent-skill
# Run with LLM semantic analysis for deeper inspection
skillspector scan --llm-analysis ./skills/suspicious-tool
Claw Patrol: Firewall at Runtime
Claw Patrol is an open-source security firewall that sits between AI agents and production systems. It parses SQL, Kubernetes API, and HTTP traffic at the wire level and enforces declarative HCL rules.
Three deployment modes: clawpatrol run (wraps one agent), clawpatrol join (WireGuard tunnel for the host), and clawpatrol gateway (standalone proxy for production).
Claw Patrol also supports credential injection — agents never see raw secrets.
Why You Need Both
SkillSpector catches what's visible before installation (known-bad patterns, vulnerable dependencies, excessive permissions). Claw Patrol catches what happens at runtime (behavior that diverges from declarations, credential misuse, scope creep).
The full defense stack: install-time scanning → runtime firewalling → container isolation.
What to Do Monday Morning
This week: Run SkillSpector against every third-party skill. Audit your MCP servers. Review the OWASP Agentic Skills Top 10.
This month: Add SkillSpector to CI/CD. Deploy Claw Patrol around sensitive workloads. Establish a skill allowlist.
This quarter: Move to Claw Patrol gateway mode. Evaluate NVIDIA's Verified Agent Skills catalog. Build internal skill review processes.
The skills gold rush isn't slowing down. But the trust model is finally catching up.
Originally published at AgentConn
Top comments (0)