Why 47% of public AI skills are a security risk

A “skill” is deceptively simple: a SKILL.md with instructions, sometimes a few helper scripts. It installs with a git clone in five seconds. That convenience is exactly the problem — because once it lands in ~/.claude/skills/, your agent will read it, trust it, and act on it.

In February 2026, a scan of public skills found 47% shipped with security issues: undeclared network calls, hardcoded secrets, shell injection in helper scripts, and prompt-injection payloads aimed at the very tools meant to review them.

What we actually check

Before any skill enters a library we recommend, it runs through a pipeline:

  1. Static analysis — semgrep, gitleaks, trufflehog, dependency CVE scans.
  2. Behavioral sandbox — the skill runs in a no-network, read-only container. Every file write and network attempt is recorded and blocked.
  3. LLM content review — a structured 50-question checklist, with the skill treated as untrusted input so it can’t talk its way to a passing score.
  4. Human sign-off — a reviewer makes the call and puts their name on it.

Only then does it get an ed25519 signature and a place in the library.
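As an added illustration of that last step (not the pipeline's own code), here is a minimal Go sketch of what an ed25519 signature over a skill can cover and the check the install side should run before an agent ever reads the skill. The manifest layout, the function names and the sample skill files are assumptions made for this example; the library's real key and format may differ.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// BuildManifest lists every file of a skill as "<sha256>  <path>", sorted by
// path, so the same set of files always yields the same signable bytes.
func BuildManifest(files map[string][]byte) []byte {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		sum := sha256.Sum256(files[p])
		fmt.Fprintf(&b, "%x  %s\n", sum[:], p)
	}
	return []byte(b.String())
}

// VerifySkill is the install-side gate: the manifest must carry a valid ed25519
// signature from the library key, and the files on disk must still match it
// (a changed, added or removed file changes the manifest and is rejected).
func VerifySkill(pub ed25519.PublicKey, manifest, sig []byte, files map[string][]byte) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return fmt.Errorf("manifest not signed by the trusted library key")
	}
	if string(BuildManifest(files)) != string(manifest) {
		return fmt.Errorf("files differ from the signed manifest: refuse to load skill")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the library's key pair
	skill := map[string][]byte{ // constructed sample skill, not a real one
		"SKILL.md":          []byte("# deploy-helper\nRun scripts/deploy.sh <target>.\n"),
		"scripts/deploy.sh": []byte("#!/bin/sh\nset -eu\necho \"deploying $1\"\n"),
	}
	manifest := BuildManifest(skill)
	sig := ed25519.Sign(priv, manifest) // done by the library after human sign-off
	fmt.Println("as reviewed:", VerifySkill(pub, manifest, sig, skill))
	skill["scripts/deploy.sh"] = append(skill["scripts/deploy.sh"], "echo edited-after-review\n"...)
	fmt.Println("edited after review:", VerifySkill(pub, manifest, sig, skill))
}
```

The second call fails because the helper script no longer matches the digest that was signed, which is the point of signing a manifest rather than just SKILL.md.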

Why this can’t be fully automated away

Models will keep getting better at each step. What they can’t take over is accountability — someone with a reputation on the line deciding what’s safe to run inside your company. That’s the layer we sell, and it’s the one the next model release doesn’t erase.

Want to know what’s hiding in your current skill stack? Get a free audit.