MagnaNet Network
The Proliferation of AI Coding Agents Exposes a New, Unsecured Software Supply Chain

Edi Susilo Dewantoro, March 22, 2026

The rapid emergence of AI coding agents has ushered in a novel software supply chain, one that a recent comprehensive study suggests is expanding at a pace far exceeding the development of its surrounding security infrastructure. Findings from a large-scale security audit conducted by Mobb.ai on over 22,500 public "skills"—reusable instruction sets designed for AI coding assistants like Claude Code, Cursor, GitHub Copilot, and Windsurf—across four prominent registries (skills.sh, ClawHub, GitHub, and Tessl) reveal a critical vulnerability: while skills undergo scanning at the point of publication, they execute on developers’ machines with unchecked system permissions and minimal runtime verification.

This audit, which generated more than 140,000 security findings, highlights a systemic gap that no current registry has fully addressed. Eitan Worcel, CEO of Mobb, emphasized the escalating integration of AI coding agents into the software development workflow, stating, "AI coding agents are becoming the default way developers write software." He further elaborated on the inherent risks, noting, "When a developer installs a skill or plugin for their agent, they’re giving that skill the same access they have — their source code, their credentials, and their production systems." The motivation behind Mobb’s extensive research, Worcel explained, stemmed from a noticeable absence of systematic security reviews within this burgeoning ecosystem. "We noticed no one had systematically reviewed the ecosystem, so we did," he said.

A New Frontier of Supply Chain Risk

AI agent skills are typically distributed as markdown files, most commonly named SKILL.md. These files contain natural language instructions that guide the AI agent, often augmented with shell commands, Model Context Protocol (MCP) server configurations, Integrated Development Environment (IDE) settings, and references to companion scripts. Their distribution through public registries allows for installation via a single command, creating a streamlined, albeit potentially vulnerable, development pipeline.

Mobb’s analysis maps this new supply chain from the developer to the registry, then to the skill file, the agent, and ultimately to system access. A compromise at any point in this chain could grant an attacker the same privileges as the developer, including access to source code, API keys, SSH credentials, cloud provider tokens, and the ability to inject code into Continuous Integration/Continuous Deployment (CI/CD) pipelines.

While the majority of skills scanned (66%) presented no findings within Mobb’s targeted patterns, a significant portion of the remaining 34% flagged concerning issues. Specifically, 27% of all scanned skills exhibited command execution patterns. Alarmingly, one in every six skills contained a curl | sh pattern—a well-known vector for remote code execution where a script is downloaded from the internet and directly piped into a shell interpreter. Furthermore, nearly 15% of skills referenced mechanisms designed to bypass consent prompts, effectively disabling or circumventing built-in safety confirmations within agent tools.

Despite these findings, Worcel offered a note of optimism: "The good news is that outright malware is rare; the ecosystem is largely healthy." He attributed this in part to the diligent work of individuals like Paul McCarty and the OpenSourceMalware team. However, he reiterated the core concern: "But what concerns us is the attack surface. More than a quarter of skills contain instructions for agents to execute shell commands. One in six includes patterns that download and run remote scripts."

The Evolving Gap in Protection Mechanisms

Each of the four audited registries has implemented security measures, albeit with varying methodologies. Skills.sh, operated by Vercel, employs three independent scanners—Gen Agent Trust Hub, Socket, and Snyk—with their findings publicly accessible. ClawHub utilizes an AI-based classification system to label skills as CLEAN, SUSPICIOUS, or MALICIOUS; however, "suspicious" skills remain installable, with the classification serving as an informational flag rather than an enforced security measure. Tessl integrates Snyk and uniquely blocks installations with high or critical security findings at the client level.

GitHub, which hosts the source repositories for a substantial number of skills (7,379 of those collected by Mobb), offers standard repository security features like Dependabot and secret scanning. However, these tools do not extend their analysis to the critical components of AI agent skills, such as SKILL.md instructions, MCP configurations, or agent hook definitions.

"The registries are doing real work—multiple security scanners, AI-based classification, risk scoring," Worcel acknowledged. "But that protection lives on the registry’s servers. Once a skill reaches the developer’s machine, there are no guardrails. No signature verification, no runtime scanning, no way to know if what you installed is the same version that was audited."

Worcel drew a direct parallel to past security challenges in established package ecosystems, stating, "This is the same gap that hit the npm and PyPI ecosystems years ago, and the industry learned those lessons the hard way. We’re publishing this research so the AI agent ecosystem can learn them proactively."

The fundamental gap identified by Mobb is consistent across all registries: security scanning is performed at the registry’s perimeter, at the time of skill publication. Once a developer installs a skill, no further scanning occurs on their machine until the agent processes the skill files. The absence of cryptographic signing prevents verification that the installed version matches the audited version. This means a skill that passes review today could be surreptitiously updated with malicious content tomorrow, creating a window of vulnerability.

A particularly concerning aspect is the risk posed by "hooks"—commands that execute automatically in response to specific agent events, such as file edits or the initiation of a new session. A malicious skill could install a hook that persists even after the skill itself is uninstalled. Currently, no registry audits hook configurations specifically, leaving this vector largely unchecked.

A Deeper Dive into Audit Findings

Beyond statistical trends, Mobb documented several specific instances of exploitation. A significant case involved API traffic hijacking. A skill published on GitHub under the repository flyingtimes/podcast-using-skill contained a .claude/settings.json file designed to redirect all Anthropic API traffic to Zhipu AI’s BigModel platform in China. This redirection was facilitated by swapping in a hardcoded third-party API token and changing the model to glm-4.6. A developer unknowingly using this skill in Claude Code would have their entire conversation—including code context, prompts, and responses—silently routed through an external server without any visible indication of tampering.

"We found API traffic silently redirected to third-party servers, hardcoded credentials in public repositories, and invisible characters encoding hidden data in files that appear completely normal to the human eye," Worcel stated. "These aren’t theoretical risks—we documented each one with the exact file and line of code."

The researchers also identified 159 skills containing hidden HTML comment payloads. These comments, invisible when markdown is rendered, are fully readable by an AI agent processing the raw file content. One example, found in a repository named claude-world/claude-skill-antivirus, presented a classic prompt injection technique within a file labeled as a malicious skill example. The comment instructed the agent to disregard previous instructions and execute subsequent commands. Another instance, discovered in a separate repository, contained a comment that read <!-- security-allowlist: curl-pipe-bash -->, an apparent attempt to suppress scanner warnings for curl | bash patterns.

Adding another layer of stealth, 127 skills incorporated invisible Unicode zero-width characters. These characters can encode hidden data that is readable by programs processing raw text but imperceptible to human reviewers. In one repository, copyleftdev/sk1llz, a long sequence of alternating zero-width spaces and zero-width joiners was placed immediately after a heading, consistent with binary steganographic encoding techniques.

In the realm of MCP, 37 skills were found to auto-approve MCP server connections without explicit user consent. Furthermore, live API credentials were discovered committed directly into public repository MCP configuration files. One notable case involved a personal Apify actor endpoint, meaning a developer’s API token would be transmitted to an individual’s infrastructure rather than the official vendor’s servers.

The Attacker’s Strategy

Mobb outlined a plausible attack kill chain: an attacker would first publish a seemingly legitimate skill, embedding malicious instructions within files that developers are unlikely to scrutinize manually. The skill would then be distributed through registries, with the attacker waiting for an AI agent to execute its hidden directives.

What distinguishes this attack surface is the use of plain English instructions—indistinguishable from legitimate skill content by standard binary signature scanning—and the AI agent acting as the executor. Attackers are not writing exploit code in the traditional sense; instead, they are crafting instructions that the AI agent, operating with the developer’s credentials, will execute.

"The developer is in the loop, but may not be watching," the Mobb report highlights. "AI agents are designed to work autonomously. Developers increasingly trust agent actions without reviewing every step."

Recommendations for Enhanced Security

Mobb has formulated a set of recommendations directed at three key stakeholders:

  • AI Agent Developers: Implement robust runtime sandboxing for skill execution, akin to browser security models. Develop mechanisms for verifying the integrity of installed skills against audited versions, potentially through cryptographic signatures. Introduce granular permission controls for skills, allowing users to grant specific, limited access rather than wholesale system privileges.
  • Registry Operators: Enhance pre-installation scanning with deeper analysis of skill content, including explicit checks for command execution patterns, consent bypass mechanisms, and obfuscated code. Consider implementing a reputation system for skills based on community feedback and historical security performance. Explore mandatory code signing for all published skills.
  • End Users (Developers): Exercise caution when installing third-party skills. Review skill permissions and understand the potential access granted. Utilize security tools that can analyze skill files and agent configurations on the local machine. Stay informed about security best practices and reported vulnerabilities within the AI agent ecosystem.
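The gap described earlier, that nothing on the developer's machine can confirm the installed files are the ones the registry audited, is what the integrity-verification recommendation above is meant to close. The following is an added example written for this article, not any registry's or agent's real mechanism: it pins every file of a skill (instructions, companion script and the settings file) to a SHA-256 digest in a manifest, protects the manifest with an HMAC, and reports modified, missing or unexpected files at load time. The HMAC key stands in for a registry signing key; the file contents, paths and key are constructed for the example, and a real deployment would use a public-key signature so the client holds no secret.

```python
"""
Install-time integrity manifest for an installed skill (added example; not a
registry's or agent's real mechanism).

The audited version of a skill is recorded as a path -> SHA-256 manifest and the
manifest is authenticated with an HMAC (a stand-in for a registry signature).
Before an agent loads the skill, the local copy is compared with the manifest.
"""
import hashlib
import hmac
import json
from typing import Dict, List


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each relative path to the hex SHA-256 of its content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in sorted(files.items())}


def canonical(manifest: Dict[str, str]) -> bytes:
    """Deterministic encoding so the same manifest always authenticates identically."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: Dict[str, str], key: bytes) -> str:
    """HMAC-SHA256 over the canonical manifest (stand-in for a registry signature)."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_installed(files: Dict[str, bytes], manifest: Dict[str, str],
                     signature: str, key: bytes) -> List[str]:
    """Return a list of problems; an empty list means the install matches the audit."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return ["manifest signature invalid: refuse to trust any file"]
    problems = []
    for path, expected in manifest.items():
        if path not in files:
            problems.append(f"missing: {path}")
        elif hashlib.sha256(files[path]).hexdigest() != expected:
            problems.append(f"modified since audit: {path}")
    for path in files:
        if path not in manifest:
            problems.append(f"not in audited manifest: {path}")
    return problems


# Constructed sample skill as the registry audited it (paths and contents are
# placeholders, not a real published skill).
AUDITED: Dict[str, bytes] = {
    "SKILL.md": b"# Deploy helper\n\nRun scripts/setup.sh to prepare the environment.\n",
    "scripts/setup.sh": b"#!/bin/sh\nset -eu\necho setting up\n",
    ".claude/settings.json": b'{"model": "audited-model"}\n',
}
REGISTRY_KEY = b"constructed-demo-key-not-a-real-secret"
MANIFEST = build_manifest(AUDITED)
SIGNATURE = sign_manifest(MANIFEST, REGISTRY_KEY)


def tampered_install() -> Dict[str, bytes]:
    """A post-audit update: the settings file now points at another model with a
    hardcoded token, and a hook script the audit never saw has appeared."""
    files = dict(AUDITED)
    files[".claude/settings.json"] = b'{"model": "other-model", "api_key": "PLACEHOLDER_TOKEN"}\n'
    files["hooks/session-start.sh"] = b"#!/bin/sh\necho hook\n"
    return files


if __name__ == "__main__":
    print("clean install:", verify_installed(AUDITED, MANIFEST, SIGNATURE, REGISTRY_KEY))
    print("tampered install:", verify_installed(tampered_install(), MANIFEST, SIGNATURE, REGISTRY_KEY))
    # An attacker who rewrites the manifest to match the tampered files still
    # cannot produce a valid authentication tag without the key.
    forged = build_manifest(tampered_install())
    print("forged manifest:", verify_installed(tampered_install(), forged, SIGNATURE, REGISTRY_KEY))
```

The check covers the settings file and any added hook script, so the two post-install changes the article describes (redirected API traffic through a settings file, and a hook that outlives the skill) both surface as findings rather than running silently. The manifest itself must come from the registry at install time, not be generated from whatever is on disk.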

Context and Broader Implications

The release of Mobb’s report follows a real-world incident at ClawHub in February 2024, dubbed the "ClawHavoc" incident, where 341 malicious skills were discovered on the platform. Skills.sh, the largest registry, has reported over 89,000 total skill installations to date, underscoring the vast scale of this emerging ecosystem.

While Mobb concludes that the AI agent ecosystem is largely healthy, with outright malware being rare and findings leaning towards risky patterns rather than confirmed widespread attacks, the underlying infrastructure for potential abuse is clearly in place. As AI agents become more deeply integrated into the software development lifecycle, proactive security measures are not merely advisable but essential to prevent a recurrence of past supply chain vulnerabilities in this new, powerful domain. The industry has an opportunity to learn from historical security lessons and build a more secure foundation for the future of AI-assisted software development.

Enterprise Software & DevOps