DEV Community

Skillselion
Skillselion

Posted on

Claude Code's changelog now reads like a security bulletin. The skills developers install don't.

Open the Claude Code changelog from this week and read it the way you would read a CVE feed. Version 2.1.212 fixed plan mode auto-running file-modifying Bash commands like rm without a permission prompt. It fixed worktree creation following a repository-committed symlink that could create files outside the repository. One release earlier, 2.1.211 fixed permission previews relayed to chat channels, so that bidirectional-override characters, zero-width characters, and look-alike quotes inside tool inputs can no longer visually alter the approval message you see there.

That last one deserves a second read. Until this fix, a malicious tool input could dress itself up to look safe in the very approval preview a reviewer was reading in chat.

None of this is a knock on Anthropic. Shipping fixes this specific, in public, weekly, is what a serious vendor does. The point is what it tells us: the attack surface of AI-assisted development has moved from the code you write to the agent that writes it. Prompt injection, permission-preview spoofing, sandbox escapes, malicious skills. This is where the incidents are now.

So here is the uncomfortable part. We run Skillselion, a directory of Claude Code, Codex and Cursor extensions ranked by real installs (live catalog, refreshed daily from skills.sh, GitHub and MCP registries). When you look at what developers actually install under "security", the picture is a decade out of date.

Agent security vs code security: what the install numbers say

The heavyweights are all code-security skills, tools that audit the software you ship:

Now the skills that secure the agent itself, the layer the changelog keeps patching:

A Firebase rules auditor has 323 times the installs of a prompt injection scanner. Trail of Bits, one of the most respected security shops in the industry, publishes a sandboxing skill for the class of problem the changelog keeps fixing, and it sits at 3,085 installs while a Go code-security skill clears 34,000.

Takeaway 1: the attack surface moved to the agent, but install behavior hasn't caught up. Developers are still buying locks for the front door while the new entrance is the agent that holds the keys to the whole house: your shell, your filesystem, your credentials, your CI.

Skills are dependencies. Almost nobody audits them.

There are more than 61,000 skills in the catalog right now. A skill is a markdown file plus bundled scripts that you hand to an agent with Bash access. Functionally, that is an npm package with fewer guardrails: no lockfile by default, no signature, and an execution context that includes your entire dev environment.

We have been here before. npm hit this moment a decade ago, and the ecosystem answered with npm audit, lockfiles, provenance, and supply-chain scanners. The agent-skill ecosystem is at the pre-audit stage of that curve, except this time the package runs with your shell, your credentials, and your repos already in scope.

The interesting signal in the data is skill-vetter at 20,395 installs. It is the one agent-security skill with real traction, and what it does is exactly the dependency-audit reflex, ported to skills: inspect what a skill actually does before it runs. That reflex spreading is what maturity will look like.

Takeaway 2: vetting a skill before installing it is the new dependency audit. In two years, installing an unvetted skill with Bash access will look the way curl | sudo bash looks today.

How to audit your agent layer

Three habits. None of them need a framework:

  1. Read the changelog of your agent the way you read security advisories for your runtime. It is one of the highest-signal security feeds in AI-assisted development right now, and it is free.
  2. Audit the agent layer, not just the code layer. Your permission allow-lists, your installed skills and MCP servers, and your sandbox settings are production config now.
  3. Before installing a skill, look at what it bundles and what it can touch. Install counts and the file tree are public on every Skillselion listing, and the skillselion-mcp server lets your agent check a skill's footprint before it installs anything.

The vendors are doing their part of the job. The install data says most of us have not started ours.

Skillselion

I work on Skillselion, the directory the install numbers above come from. All counts were read from the live catalog on July 17, 2026.

Top comments (0)