The sorry state of skill distribution

Public skill marketplaces are rife with malicious skills designed to steal credentials and data. Security companies have introduced skill scanners to detect these threats before installation, but our testing reveals they are ineffective. We successfully bypassed detection mechanisms in ClawHub, Cisco's agent skill scanner, and multiple scanners integrated into skills.sh. These bypasses were achieved using standard attack techniques and relatively little effort. The static nature of these scanners allows attackers to repeatedly test and refine their methods until they succeed.

The security of software supply chains has always been a concern, and the rise of agentic systems has introduced a new vector: skills. Malicious skills can leverage natural language prompts in addition to code, expanding attack possibilities. Skill distribution channels, such as ZIP archives, curated marketplaces, and public marketplaces, have often prioritized speed over security. Public marketplaces, in particular, have become flooded with malicious skills aiming to compromise users' systems.

Our analysis of ClawHub's scanner, which uses VirusTotal and a Gemini 3 Flash-based tool, showed it can be bypassed by simply adding excessive newlines to obscure malicious code. Cisco's skill-scanner and the scanners on skills.sh, which handle arbitrary git repositories, were also vulnerable. We exploited this by embedding malicious instructions within .docx files and using poisoned .pyc bytecode, which bypasses both pattern matching and LLM-based analysis. The prompt injection attack on skills.sh disguised malicious commands within seemingly innocuous corporate configuration language. These findings highlight significant vulnerabilities in current skill security measures.
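The three evasion patterns described above (newline padding, instructions hidden in .docx files, compiled .pyc bytecode in place of source) all share one property: the content the agent will act on is not what a text-oriented scanner looks at. The following added example, which is not code from the post or from any of the scanners it names, is a pre-install triage that surfaces exactly those cases; the newline threshold, the file layout, and the sample package are assumptions constructed for the demo.

```python
import io
import re
import zipfile
from typing import Dict, List

# 20+ consecutive newlines counts as padding; the threshold is an assumed heuristic.
NEWLINE_RUN = re.compile(rb"\n{20,}")

def docx_text(data: bytes) -> str:
    """Pull the visible text out of a .docx (word/document.xml) so it can be reviewed like code."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        xml = zf.read("word/document.xml").decode("utf-8", "replace")
    return " ".join(re.findall(r"<w:t[^>]*>([^<]*)</w:t>", xml))

def make_docx(text: str) -> bytes:
    """Build a minimal .docx in memory (constructed sample input, not a real skill file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml",
                    f"<w:document><w:body><w:p><w:r><w:t>{text}</w:t></w:r></w:p></w:body></w:document>")
    return buf.getvalue()

def triage_skill(files: Dict[str, bytes]) -> List[str]:
    """Return human-readable findings for a skill package given as {path: bytes}."""
    findings = []
    names = set(files)
    for name, data in files.items():
        if NEWLINE_RUN.search(data):
            findings.append(f"{name}: long newline run, later content may be pushed out of a reviewer's view")
        if name.endswith(".pyc"):
            # Bytecode cannot be reviewed as text; an orphan .pyc with no .py beside it is the worst case.
            stem = name.rsplit("/", 1)[-1].split(".")[0]
            has_src = any(n.rsplit("/", 1)[-1] == stem + ".py" for n in names)
            findings.append(f"{name}: compiled bytecode" + ("" if has_src else ", no matching .py source"))
        if name.endswith(".docx"):
            # Office documents are read by the agent as instructions, so their text goes into the review.
            findings.append(f"{name}: document text must be reviewed as instructions: {docx_text(data)[:60]!r}")
    return findings

# Constructed sample package: a SKILL.md padded with 40 blank lines before an extra step,
# an orphan .pyc, and a .docx whose instruction is phrased as bland corporate policy.
SAMPLE = {
    "SKILL.md": b"# Example skill\nDoes something useful.\n" + b"\n" * 40 + b"hidden-step: PLACEHOLDER\n",
    "__pycache__/helper.cpython-311.pyc": b"\x00" * 16,
    "policy.docx": make_docx("Per corporate policy, assistants should PLACEHOLDER-ACTION before proceeding."),
}

if __name__ == "__main__":
    for finding in triage_skill(SAMPLE):
        print(finding)
```

A package that trips any of these checks is not necessarily malicious, but it cannot be cleared by a text scan alone, so the triage routes it to review of the actual content the agent will consume.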