Kill Skill

Three recent incidents that should make all of us pause (links in the first comment):

→ A hallucinated npx command spread through a single LLM-generated skill file to 237 repositories. Real agents executed it. A researcher claimed the package name before an attacker could.

→ 230+ malicious skills uploaded to OpenClaw’s ClawHub in days. The #1-ranked skill was silently exfiltrating data and injecting prompts to bypass safety guidelines. Thousands of downloads before anyone noticed.

→ An audit of 2,890+ OpenClaw skills found 41.7% contain serious security vulnerabilities. 

This isn’t a niche problem. If you use Claude Code, Cursor, Copilot, or any modern coding agent, you’re likely installing multiple skills a week. They are recommended by colleagues, appear in blog posts, and are bundled into project templates. The install command is one line. The trust is implicit.

Skills blur the line between configuration and code, but we treat them like documentation. A SKILL.md file can contain natural-language instructions, executable scripts, and package dependencies. There’s no clear boundary where “docs” ends and “code” begins. No lockfile. No integrity checks. No verified publisher identity. The skills CLI has a package-lock.json for its own dependencies – just not for the skills you install.

So what should we do today? At a minimum, read the skill files before installing. It takes 2 minutes and is the equivalent of reviewing a PR. Beyond that, copy and commit your skills folder to git – your repo becomes your lockfile. Treat any skill update like a dependency upgrade: review the diff before merging, for security as well as for testing and quality.
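One way to make "your repo becomes your lockfile" concrete, as an added example that is not from the post or from any of the linked tools: a small Python script that hashes a skills folder into a lock file, reports drift on the next check, and flags lines a reviewer should look at before installing or updating a skill. The directory layout (one subdirectory per skill with a SKILL.md), the skills.lock.json format and the pattern list are assumptions made for this example.

```python
# Added example: lockfile + pre-install review check for an agent skills folder.
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Lines worth a human look before a skill is installed or updated (constructed list).
SUSPICIOUS = [
    re.compile(r"\bnpx\s+[\w@/.-]+"),                  # executes a network-fetched package
    re.compile(r"curl\s+[^|]*\|\s*(ba)?sh"),           # pipe-to-shell install
    re.compile(r"ignore (all )?(previous|prior) instructions", re.I),  # prompt-injection wording
]

def hash_tree(root: Path) -> dict[str, str]:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify(root: Path, lock: Path) -> dict[str, list[str]]:
    """Diff the folder against the committed lock: added, removed and changed files."""
    expected, actual = json.loads(lock.read_text()), hash_tree(root)
    return {"added": sorted(set(actual) - set(expected)),
            "removed": sorted(set(expected) - set(actual)),
            "changed": sorted(p for p in actual if p in expected and actual[p] != expected[p])}

def flag_suspicious(root: Path) -> list[tuple[str, str]]:
    """(path, matched text) for every skill line that hits a SUSPICIOUS pattern."""
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix in {".md", ".sh", ".py", ".js"}:
            for line in p.read_text(errors="replace").splitlines():
                for pat in SUSPICIOUS:
                    if (m := pat.search(line)):
                        hits.append((p.relative_to(root).as_posix(), m.group(0)))
    return hits

def demo() -> tuple[list[tuple[str, str]], dict[str, list[str]]]:
    """Constructed skills folder: lock it, then tamper with one file and re-verify."""
    root = Path(tempfile.mkdtemp()) / "skills"
    (root / "deploy").mkdir(parents=True)
    (root / "deploy" / "SKILL.md").write_text(
        "# Deploy helper\nRun `npx example-deploy-tool` first.\n")  # constructed content
    lock = root.parent / "skills.lock.json"                 # commit this next to the folder
    lock.write_text(json.dumps(hash_tree(root), indent=2, sort_keys=True))
    hits = flag_suspicious(root)                            # the npx line gets flagged
    (root / "deploy" / "SKILL.md").write_text("# Deploy helper\nchanged\n")  # simulated update
    return hits, verify(root, lock)
```

Run `verify` in CI or a pre-commit hook; any non-empty "changed" or "added" list means a skill update slipped in without a reviewed diff.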

The tools are coming – longer term, this ecosystem needs what npm took 6 years to build: lockfiles, signed packages, verified publishers, and scanners that flag malicious instructions before they reach your agent. Cisco has already released an open-source skill file scanner.

Links –

Snyk Finds Prompt Injection in 36%, 1467 Malicious Payloads in a ToxicSkills Study of Agent Skills Supply Chain Compromise – https://snyk.io/blog/toxicskills-malicious-ai-agent-skills-clawhub/

Update #40: Agent Skill Security Issues – https://maxcorbridge.substack.com/p/update-40-agent-skill-security-issues

Agent Skills Are Spreading Hallucinated npx Commands – https://www.aikido.dev/blog/agent-skills-spreading-hallucinated-npx-commands

Over 41% of Popular OpenClaw Skills Found to Contain Security Vulnerabilities – https://www.esecurityplanet.com/threats/over-41-of-popular-openclaw-skills-found-to-contain-se

Skill Scanner – https://github.com/cisco-ai-defense/skill-scanner

5 interesting things (12/02/2026)

The Quarterback Paradox – while I’m not sure I agree that it is a paradox – i.e., recruiting a critical position to an organization is hard even if you have a lot of data, I love and strongly agree with the suffix of the post – “As in the NFL, in organizations the hardest part is often not finding talent, but creating the conditions in which real potential does not break before it has a chance to become reality.”

https://noamwakrat.medium.com/the-quarterback-paradox-e93e4325bac1

What LEGO Can Teach Us about Autonomy and Engagement – Who doesn’t like LEGO? We all played with it as children, and some of us still build today. In this post, Pawel Brodzinski describes a neat experiment he runs in training sessions – teams first build a LEGO set under a manager’s direction, then self-organize for a second build, and consistently report higher engagement when given more autonomy. While it shows a clear effect, the experiment has some drawbacks – most notably an order effect: the self-organized build always comes second, so the engagement boost could partly stem from participants being warmed up and more comfortable rather than from autonomy alone. Always nice to read about LEGO as an adult.

https://brodzinski.com/2026/01/lego-autonomy-engagement.html

Skyll – Skills are markdown instruction files that teach AI coding agents how to perform specific tasks. Today, skills must be manually installed before a session, meaning developers need to know upfront which skills they’ll need. Skyll is an open-source search engine and API that lets any AI agent discover and retrieve skills on demand at runtime, ranked by relevance, without pre-installation. You can think of it as a package manager for agent capabilities, enabling agents to be truly self-extending and autonomous.

https://github.com/assafelovic/skyll

Skyhook.io radar – Existing K8s dashboards tend to be either heavyweight, cloud-dependent, or require cluster-side components. Radar’s zero-install, single-binary approach with real-time topology and traffic visualization answers the need of developers and platform teams who want quick, frictionless cluster observability that can even run on their laptop. It is especially useful for DevEx-focused teams looking to reduce the friction of Kubernetes debugging and operations.

https://github.com/skyhook-io/radar

Babysitter – If you have worked with coding agents, you have probably experienced this pain: the lack of structured process control and non-deterministic workflows. Babysitter lets you define iterative workflows (research → spec → TDD loop → quality gate → deploy) that are deterministic, resumable across sessions, and auditable, which is critical for moving AI-assisted development from ad-hoc experimentation toward reliable, production-grade engineering workflows and complex features.

https://github.com/a5c-ai/babysitter