Skills.sh Security Report
Security analysis of 4,219 AI agent skills on Skills.sh, the community marketplace with full implementation details.
4,219
Total skills
4,114
Findings
32%
Skills with findings
97.3
Avg score
Overview
Skills.sh is the most mature AI agent skills marketplace we monitor. It hosts 4,219 skills, each defined by a SKILL.md file that contains full implementation details: system prompts, tool configurations, parameter schemas, and sometimes entire code blocks. This level of detail makes Skills.sh unique among registries. Developers publishing here tend to include everything an agent needs to operate, which means more useful skills but also more surface area for security issues.
The depth of content in Skills.sh definitions is a double-edged sword. Because SKILL.md files contain real code patterns and detailed instructions, Aguara's scanners find more material to analyze per skill than in registries that only expose metadata. This makes Skills.sh findings particularly meaningful. When we flag a prompt injection pattern here, it is embedded in actual implementation code, not a short marketing description.
How we scan Skills.sh
Aguara crawls Skills.sh by discovering skill listings through the registry's public API, then downloading each SKILL.md file directly. These files are plain Markdown with structured sections, so the scanner can parse them without extraction overhead. We run incremental crawls every 12 hours, comparing SHA-256 hashes of each file against previous versions. Only changed or new skills trigger a rescan.
The full Aguara rule engine (188 rules across 15 categories) runs against each SKILL.md. This includes pattern matching for known attack signatures, NLP analysis for semantic mismatches between stated purpose and actual instructions, and taint tracking for data flow patterns that suggest credential exfiltration. Because Skills.sh content is rich in instructional text, the NLP analyzers are particularly effective here.
Key findings
The most common finding category in Skills.sh is prompt injection. Skills with long, detailed definitions frequently contain text that addresses the agent directly with override-style language. Some of this is unintentional (developers writing instructions that read like system prompts), but a portion includes deliberate authority claims and delimiter injection patterns. The line between "helpful instruction" and "injection vector" is thin when the skill definition IS the instruction set.
Credential handling is another persistent issue. Skills that interact with APIs often include example configurations showing hardcoded tokens, or instruction text that tells the agent to read environment variables and include them in API calls. Aguara's taint tracker flags these data flow patterns because they create paths for credential exfiltration, even when the skill author's intent was benign.
We also see a notable number of permission escalation patterns. Skills requesting filesystem access, network capabilities, or shell execution without clear justification show up regularly. The Skills.sh format makes these easy to spot because the SKILL.md explicitly declares what the skill needs.
Recommendations
Before installing a skill from Skills.sh, read the full SKILL.md file. The detail that makes this registry valuable also makes manual review feasible. Look for instructions that address the agent in second person ("you should", "always include"), requests for broad permissions (filesystem, network, shell), and any mention of environment variables or credentials.
If you are publishing skills on Skills.sh, keep your definitions declarative. State what the capability does and what parameters it accepts. Avoid writing instructional paragraphs that could be misinterpreted as directives by an LLM. The scanner flags these patterns not because they are always malicious, but because an agent cannot distinguish between your helpful guidance and an attacker's injected instructions.
For automated protection, check the Aguara Watch dashboard before connecting any Skills.sh skill to your agent. Skills with a grade of C or below have multiple findings that warrant manual inspection. The detailed content in Skills.sh means our scanner can give you a more complete picture than for registries with less information density.
Grade distribution
Want to scan a specific Skills.sh skill?
Scan now (free, runs in your browser)