criticalSkill·May 14, 2026

AGS-2026-0006

ToxicSkills — 1,467 malicious payloads across 3,984 audited agent skills (Snyk)

What happened

Snyk's ToxicSkills study audited 3,984 agent skills from public registries (Claude Code, OpenClaw, ClawHub) and found:

36% contained prompt-injection patterns designed to coerce agent behavior.
1,467 distinct malicious payloads spread across the corpus.
2.9% of ClawHub skills (21% of malicious samples) dynamically fetch and execute remote content at runtime via patterns like curl https://… | source.

Attack patterns observed

Instruction-level attacks hidden in the middle of SKILL.md ("to ensure quality" / "for debugging purposes" / "required for compatibility").
Base64-decoded scripts piped to bash.
Installation of third-party system daemons.

Self-check

AgentGuard subscribers receive this advisory automatically and their local guard runs the inspection below.

References

https://snyk.io/blog/toxicskills-malicious-ai-agent-skills-clawhub/