Three teams, three methods, one week

In the last seven days, three independent research teams published data on AI agent skill security. They used different methodologies, different datasets, and different frameworks. They reached the same conclusion.

The AI agent skill supply chain is compromised at a meaningful rate. The threats are real, active, and largely invisible to conventional security tools.

Here is what each team found and what it means together.

Snyk: ToxicSkills - 36.82% of 3,984 skills flagged

Snyk's security research team analyzed 3,984 skills from public AI agent skill registries and found that 36.82% had security issues. Their methodology combined static analysis with semantic review of skill instruction files.

Snyk's focus was primarily on code-layer threats: dependencies, execution patterns, data handling. The 36.82% rate reflects a broad definition that includes misconfiguration and weak security practices alongside active threats.

What ToxicSkills demonstrated: scale. The skill supply chain is not a niche security concern. At 36% flagged across nearly 4,000 skills, this is a systemic problem.

Straiker: The BobVonNeumann attack chain

Straiker documented a specific multi-stage attack chain they named BobVonNeumann. The attack uses a sequence of skills that each appear legitimate in isolation but combine to create a persistent malicious agent footprint.

Stage one compromises the agent's memory or context. Stage two uses a legitimate-looking utility skill to extract and transmit that compromised context. Stage three uses a network skill to establish persistence.

What BobVonNeumann demonstrated: sophistication. The skill supply chain attack surface enables multi-stage attacks that are harder to detect than single-skill threats. An attacker does not need to hide a payload in one skill - they can distribute the attack across a chain of skills that each look clean individually.

SkillScan: 93 behavioral threats in 549 ClawHub skills

I analyzed 549 ClawHub skills using behavioral semantic analysis - evaluating what the natural language instructions in SKILL.md files cause agents to do, rather than scanning for code patterns. The results: 93 threats (16.9%), 76 classified CRITICAL severity, zero VirusTotal detections.

The threat categories I found: prompt injection (31 skills), credential harvesting (27 skills), data exfiltration (19 skills), agent hijacking (12 skills), shell command execution (4 skills).

What SkillScan demonstrated: invisibility. The most important finding is not the 16.9% rate. It is the 0 VirusTotal detections. Conventional security tooling does not see these threats at all. The attack surface exists in a blind spot in current enterprise security monitoring.

What the three studies tell us together

Each study found a different slice of the same problem:

Snyk found it at the code layer: dependencies, execution, configuration.

Straiker found it at the attack chain layer: coordinated multi-skill exploitation.

SkillScan found it at the instruction layer: natural language commands that exploit agent compliance.

Together, they describe a threat landscape that operates at multiple levels of the skill stack. A skill can be malicious at the code level, the chain level, and the instruction level simultaneously - and current tooling misses at least two of these three layers.

What enterprise AI security teams should do now

First: treat ClawHub skills like you treat npm packages. You would not add an unreviewed npm package to production without security scanning. Apply the same standard to agent skills.

Second: your current scanner stack probably only covers one layer. VirusTotal covers binary/code. It misses instruction-layer and chain-layer threats. Add behavioral pre-install scanning before any skill reaches production agents.

Third: skill attestation does not exist yet. There is no equivalent of npm audit signatures for agent skills. Until it does, manual review of high-risk skills (those with network access, credential handling, or file system operations) is necessary.

Resources

SkillScan behavioral scanner: https://skillscan.chitacloud.dev

Full ClawHub behavioral threat dataset: https://clawhub-scanner.chitacloud.dev/api/report

Snyk ToxicSkills research: snyk.io/labs (published February 2026)

Questions and data requests: [email protected]