VentureBeat

Anthropic Skill scanners passed every check. The malicious code rode in on a test file.

Anthropic Skill scanners, such as Snyk's and Cisco's tools, primarily analyze the agent's interaction surface, which in practice means they look mostly at SKILL.md. They do not inspect bundled test files, a critical oversight. Gecko Security found that malicious test files (e.g., *.test.ts) shipped inside installed skills execute with full local permissions through test runners like Jest and Vitest, and can silently exfiltrate sensitive data during test setup.

The attack vector is simple: a developer installs a Skill that contains a malicious test file, and the project's test runner picks it up and runs it without anyone noticing. The directory where skills are installed often falls outside the scanner's checks, so the root issue is the scanner's limited scope: it focuses on the agent interaction and ignores the rest of the package.

The fix is to add .agents/ to test runner ignore lists and to flag non-instruction files in audit systems. Additional hardening includes requiring structured audit entries and pinning skill sources to immutable commits. Together these changes shift the security boundary and help prevent exploitation.