There are over 66,000 publicly listed agent skills right now. Nobody is reviewing them.
I pulled a random sample to test something. 7.1% of the SKILL.md files I checked had embedded API keys, hardcoded credentials, or tool call patterns that would send data to unverified endpoints. Not obfuscated. Plain text. In files that agents are expected to download and execute autonomously.
This isn't a minor QA issue. It's a structural problem with how public skill distribution works today.
What Actually Leaks
Agent skills are behavioral protocols — text files that tell agents how to act. The format is loose by design. A SKILL.md file might specify:
- Which API endpoints to call (and with what headers)
- How to handle authentication
- What tools to invoke
- How to format outputs for downstream systems
When there's no review loop, maintainers accidentally ship real credentials. Sometimes it's a developer who copy-pasted from their .env while drafting the protocol. Sometimes it's a service account key that was only meant to exist for testing. The file goes live, gets indexed, and agents start following the instructions — including the authentication parts.
```bash
# What an agent executing a skill might do
curl -H "Authorization: Bearer sk-live-abc123..." https://some-api.example.com/data
```
That key is in the skill file. Your agent is now making authenticated calls to a third-party API with a leaked credential. You didn't put it there. You have no idea it's happening.
Why Agents Are a Worse Surface Than Developers
A developer running a bad npm package at least has a terminal they can watch. They might notice unusual network requests. They can ctrl+C.
Autonomous agents don't work that way. They fetch a skill, internalize it, and act on it — often in a background process with no human review step between "skill downloaded" and "action taken." The feedback loop is broken.
The other issue is scale. A single compromised skill file can propagate across every agent that pulls from the same registry. One bad file, thousands of execution environments.
What Quality Actually Looks Like
A skill worth trusting has a few properties:
Tested in production. The author actually ran it, not just wrote it. Production testing surfaces the "wait, this sends credentials?" moments before publication.
Audited for secrets. Explicit credential sweep before publishing — same standard you'd apply before pushing code to a public GitHub repo.
Economically accountable. If there's a payment attached to a skill, the provider has skin in the game. They can't hide behind anonymity. Someone is getting paid; someone can be held accountable.
Versioned and updatable. Skills rot. APIs change, endpoints move, authentication patterns shift. A skill without version tracking is a skill with no maintainer.
Payment-gated skills aren't automatically better, but the economic relationship creates accountability that free-and-anonymous doesn't. When a provider charges $0.05 for a behavioral protocol, they've staked a small but real reputation on it working correctly.
The ClawMerchants Approach
Every skill in the ClawMerchants catalog is x402-native — agents pay per fetch via USDC on Base. The payment model isn't just monetization; it's a trust signal. Providers who charge $0.05 for a security audit protocol don't ship files with their own API keys in them.
Two skills worth knowing about if you're building agents that interact with on-chain data or external APIs:
agent-security-audit-skill — A behavioral protocol for systematically auditing agent tool calls, API interactions, and skill dependencies before execution. Covers credential exposure patterns, prompt injection vectors, and tool call scope validation.
agent-data-privacy-skill — Handles PII detection, data minimization decisions, and regulatory compliance overlays (GDPR, CCPA) for agents that touch user data.
You can verify they exist and are real with a free HTTP call:
```bash
curl -i https://clawmerchants.com/v1/data/agent-security-audit-skill
# HTTP/2 402 — real endpoint, payment required to fetch the protocol
```
The 402 response tells you the price, chain, and how to pay. No account required. No API key to manage.
If you want to see the actual protocol before deciding:
```bash
curl https://clawmerchants.com/v1/preview/agent-security-audit-skill
# Returns a partial preview — structure, scope, and methodology
```
The Practical Thing To Do Right Now
Before you give your agent access to any public skill registry:
- Pull the skill file manually first
- `grep -r "sk-" .` and `grep -r "Bearer" .` — look for hardcoded auth patterns
- Check every tool call or API endpoint reference. Do you recognize these? Are they the real service or a lookalike?
- If the file hasn't been updated in >6 months, treat it as unmaintained
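The checklist above, together with the credential leak described under "What Actually Leaks", as one added Python example (not code from the original post or from any skill registry): it runs the grep-style credential sweep over a skill file, checks the host of every URL against an allowlist you supply so that a lookalike domain fails the check, and flags files older than six months. The `last_updated:` header it parses is an assumption of this example, not a field the SKILL.md format defines; the sample file, its key, token and hosts are all constructed placeholders.

```python
"""Offline pre-flight audit for an agent skill file (SKILL.md).

Added example; not code from the original post or from any registry. It applies
the post's three checks (hardcoded auth material, tool calls to hosts you do not
recognise, and staleness) to a constructed sample file.
"""
import re
from datetime import date, timedelta
from urllib.parse import urlparse

# Constructed sample SKILL.md. The key, token and hosts are made-up placeholders;
# "api.examp1e.com" is a deliberate lookalike of the real host. The
# "last_updated:" header is an assumption of this example, not a field the
# SKILL.md format defines.
SAMPLE_SKILL = """\
# Example data-fetch skill (constructed sample, not a real skill)
version: 0.3.1
last_updated: 2024-01-15

## Tool calls
curl -H "Authorization: Bearer sk-live-abc123def456ghi789jkl0" https://api.example.com/v1/data
curl https://api.examp1e.com/v1/export
Set OPENAI_API_KEY=sk-proj-XXXXXXXXXXXXXXXXXXXXXXXX before running.
"""

# Hardcoded-credential patterns. Deliberately broad: a scanner for an untrusted
# file should over-report and leave triage to a human, not under-report.
SECRET_PATTERNS = {
    "openai-style key": re.compile(r"\bsk-[A-Za-z0-9_-]{16,}"),
    "bearer token": re.compile(r"Bearer\s+[A-Za-z0-9._~+/=-]{16,}"),
    "aws access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{20,}"),
    "env-style assignment": re.compile(
        r"\b[A-Z][A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD)\s*=\s*\S{8,}"),
}
URL_PATTERN = re.compile(r"https?://[^\s\"'<>)]+")
DATE_PATTERN = re.compile(r"^last_updated:\s*(\d{4}-\d{2}-\d{2})", re.MULTILINE)
MAX_AGE = timedelta(days=183)  # roughly the post's "> 6 months" threshold


def _redact(token: str) -> str:
    """Keep a short prefix so the finding is recognisable without re-leaking it."""
    return token[:8] + "..." if len(token) > 8 else token


def find_secrets(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, pattern_label, redacted_match) for every hit."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for label, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                hits.append((line_no, label, _redact(m.group(0))))
    return hits


def find_unknown_endpoints(text: str, allowed_hosts: set[str]) -> list[tuple[int, str]]:
    """Return (line_no, host) for every URL whose host is not on the allowlist.

    Exact-host matching is intentional: a lookalike such as examp1e.com must
    not pass because it resembles example.com.
    """
    unknown = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for url in URL_PATTERN.findall(line):
            host = urlparse(url).hostname or ""
            if host not in allowed_hosts:
                unknown.append((line_no, host))
    return unknown


def is_stale(text: str, today_iso: str) -> bool:
    """True if the file has no last_updated header or it is older than MAX_AGE.

    A missing date counts as stale: a skill without version tracking is a skill
    with no maintainer.
    """
    m = DATE_PATTERN.search(text)
    if not m:
        return True
    return date.fromisoformat(today_iso) - date.fromisoformat(m.group(1)) > MAX_AGE


def audit_skill(text: str, allowed_hosts: set[str], today_iso: str) -> dict:
    """Run all three checks and collapse them into a single verdict."""
    secrets = find_secrets(text)
    endpoints = find_unknown_endpoints(text, allowed_hosts)
    stale = is_stale(text, today_iso)
    if secrets or endpoints:
        verdict = "REJECT"  # never hand this file to an agent
    elif stale:
        verdict = "REVIEW"  # probably unmaintained; confirm before use
    else:
        verdict = "PASS"
    return {"secrets": secrets, "unknown_endpoints": endpoints,
            "stale": stale, "verdict": verdict}


if __name__ == "__main__":
    report = audit_skill(SAMPLE_SKILL, {"api.example.com"}, date.today().isoformat())
    for line_no, label, token in report["secrets"]:
        print(f"line {line_no}: {label}: {token}")
    for line_no, host in report["unknown_endpoints"]:
        print(f"line {line_no}: unrecognised endpoint host {host}")
    print("stale:", report["stale"], "verdict:", report["verdict"])
```

Point `audit_skill` at the text of a downloaded SKILL.md with the hosts you actually expect the skill to talk to; anything that lands in `REJECT` should never reach an agent, and `REVIEW` is the "unmaintained" case from the checklist. The patterns err on the side of noise on purpose: a false positive costs you a minute of reading, a false negative costs you a leaked credential in every execution environment that pulls the file.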
It's the same hygiene you'd apply to a random npm package. Agent skills are code. Treat them like it.
The 7.1% figure will drop as the ecosystem matures and quality enforcement gets built in. Until then, your agent's skill choices are your attack surface.