Agent ScanSkill Inspector
Our analysis of nearly 4,000 agent skills across major marketplaces uncovered credential theft, backdoor installation, and data exfiltration hidden in publicly available skills.
We are providing Agent Scan's Skill Inspector as a tool to the community so anyone can check both for malicious skills and for security vulnerabilities in their skills before installing them.
Skill Inspector
Scan with the CLI
Use Snyk's mcp-scan CLI to scan agent skills and MCP servers directly on your machine. It auto-discovers agents, MCP servers, and skills across Claude Code/Desktop, Cursor, Gemini CLI, and Windsurf.
To get started, run this command:
The CLI allows you to scan your agent's supply chain in a local or enterprise environment:
Discovery and supply chain scanning across your agent deployments by scanning agents, MCP servers, and skills, detecting prompt injection, tool poisoning, cross-origin escalation, and toxic flows.
Support for MDM-based deployment of Agent Scan with full observability on Snyk's EVO platform. Contact us to get started with enterprise rollout.
Learn about Skill Security
Agent skills can come with many security risks. Our research has shown recurring issues such as prompt injection, malicious code, secret exposure, and risky external dependencies are common in the wild. We identify the following common risks:
Hidden or deceptive instructions outside of the stated purpose of the skill.
Detects hidden instructions in obfuscated formats (base64, Unicode, other languages), "ignore previous instruction" statements, system message impersonation, and data exfiltration attempts. 91% of confirmed malicious skills employ prompt injection techniques.
Backdoors, data exfiltration, RCE, and supply chain attacks in skill scripts and code.
Detects credential theft patterns in scripts, typosquatted package names, executables requiring elevated privileges, and malware installation patterns. 100% of confirmed malicious skills contain malicious code patterns.
Downloads from potentially malicious sources that could distribute malware.
Detects downloads from unknown or untrusted domains, GitHub releases from unfamiliar users, ZIP archives with passwords, and external platform links requesting untrusted software installation.
Insecure handling of sensitive credentials that could lead to exfiltration.
Detects instructions to echo or print API keys, embedding credentials in generated commands, requesting users to share secrets in outputs, and insecure credential storage patterns.
Hardcoded secrets, API keys, and credentials embedded directly in skill files.
Detects hardcoded API keys, embedded passwords, authentication tokens, private keys, and encrypted archive passwords that may be accidentally leaked or deliberately embedded.
Skills that fetch and process untrusted third-party content, enabling indirect prompt injection.
Detects web fetching from public sources, reading user-generated content, cloning external repositories, and processing external API responses as instructions. Creates a significant attack surface for indirect prompt injection.
External URLs and dependencies that could control agent behavior at runtime.
Detects runtime script downloads (curl | bash patterns), dynamic imports from external URLs, configuration files fetched from remote servers, and auto-update mechanisms with remote endpoints. A published skill may appear benign during review, but an attacker can modify behavior at runtime.
Skills with direct access to financial accounts, trading platforms, or payment systems.
Detects skills operating cryptocurrency, analyzing recurring payments, direct access to bank accounts, and trading platform automation. While not inherently malicious, skills with financial access warrant extra scrutiny.
Skills that prompt the agent to compromise the security or integrity of the user's machine.
Detects modifications to systemctl service files, critical system files, security configurations, installation of persistent backdoor programs, and disabling of security measures.