Every skill scanned against 51 patterns
We scan every published skill against a curated catalog of attack patterns drawn from the OWASP LLM Top 10, the Lakera and garak prompt-injection corpora, and known SKILL.md attacks (file-system escape, exfiltration, instruction override). Every pattern below is auditable by you, the people who install our skills.
51
Total patterns
34
High severity
16
Medium severity
1
Informational
Every match deducts from a 100-point baseline.
Each skill starts at 100. Error-severity matches deduct 15 points, warning matches deduct 5, and informational matches deduct 1. The final score maps to a letter grade: A (≥ 90), B (80-89), C (70-79), D (50-69), F (< 50). The grade and score are published on every skill page; the full findings are visible to the skill author and site admins.
Curated from the public attack-research record.
Patterns are drawn from the OWASP Top 10 for LLM Applications, the Lakera prompt-injection corpus, the garak red-teaming framework, and case studies of malicious SKILL.md files reported in 2025-2026. We add patterns conservatively, every new pattern must pass a true-negative test against the existing catalog before shipping.
Mapped to the OWASP Agentic Skills Top 10.
The OWASP Agentic Skills Top 10 (AST) is the industry standard for classifying security risks specific to AI agent skill files — distinct from general LLM risks. Every pattern in our scanner is mapped below to its AST category.
AST01Malicious Skill Injection
Skills embedding malware, unauthorized file-system access, shell execution, or container escape.
AST02Prompt Injection via Skill
Skill body contains instructions designed to override the agent's system prompt or hijack its goals.
AST03Excessive Agency
Skill claims or grants permissions beyond its stated scope — privilege escalation, unrestricted tool use.
AST04Sensitive Data Disclosure
Skill exfiltrates user data, leaks credentials, or transmits sensitive information to external endpoints.
AST05Supply Chain Vulnerabilities
Skill depends on external resources (URLs, packages) that could be compromised or typosquatted.
AST06Insecure Configuration
Skill modifies security settings, disables safeguards, or injects SQL without sanitization.
AST07Integrity Failures
Unsigned or obfuscated skill content that cannot be verified against a known-good state.
AST08Logging Suppression
Skill silences or circumvents agent logging and monitoring — not detectable via static analysis.
AST09Denial of Service
Skill causes the agent to hang, loop indefinitely, or exhaust compute/memory resources.
AST10Composition Risks
Unsafe skill composition patterns — a chain of trusted skills that together produce malicious behaviour.
AST08 (Logging Suppression) and AST09 (Denial of Service) are runtime behaviors not detectable by static analysis. We document them here for completeness; they are out of scope for a pre-publish scanner.
You can verify every skill you install.
Static scanning catches malicious content inside a skill. Supply-chain provenance answers a different question: is this the exact skill you reviewed? We enforce three independent guarantees.
Cosign cryptographic signing
Every skill version published through skills-hub is signed using Sigstore Cosign and attested to a SLSA provenance tier. L1 confirms the skill was produced by our pipeline. L2 adds a tamper-evident build log. L3 (for verified publishers) uses a hardened, isolated build environment. The signature is verified on every CLI install — a skill whose signature doesn't match is rejected before it reaches your agent.
Content SHA integrity
At publish time, the SHA-256 hash of every skill’s instruction body is stored immutably in SkillVersion.contentHash. The CLI lockfile (.skills.json) records this hash at install time and re-verifies it on every subsequent install. If the skill’s content has changed since you first installed it, the CLI warns you before applying the update.
Verified source origin
Skills imported directly from a verified GitHub repository carry a blue verified badge. Verified sources are curated manually — we check that the repository belongs to the claimed publisher and has not been renamed or transferred. Over 90 skill sources are currently verified. Skills from unverified sources still pass security scanning, but the absence of a verified badge is a signal to inspect the author carefully.
All 51 patterns, grouped by category.
Prompt injection (6)
- error (−15)
Prompt injection
Instructions contain prompt injection attempts that try to override safety rules
prompt_injection
- error (−15)
Jailbreak suffix
Instructions contain known LLM jailbreak phrases (DAN, developer mode, pretend-evil)
prompt_injection_jailbreak_suffix
- error (−15)
Instruction-override marker
Instructions contain markers used to inject a fake system prompt (im_start, ###system###)
prompt_injection_instruction_override
- warning (−5)
System prompt extraction
Instructions try to extract the host system prompt or hidden context
system_prompt_leak
- warning (−5)
Role hijack
Instructions attempt to redefine the assistant's role or remove its constraints
prompt_injection_role_hijack
- warning (−5)
Hidden injection marker
Instructions contain hidden control markers commonly used in prompt-injection payloads
prompt_injection_hidden_marker
LLM-specific (OWASP LLM Top 10) (4)
- error (−15)
BYOK / key extraction
Instructions try to extract bring-your-own-key API keys or access tokens
llm_byok_extraction
- error (−15)
Environment variable extraction
Instructions ask the agent to read or output environment variables
llm_env_var_extraction
- error (−15)
Attacker-controlled domain
Instructions reference sending data to attacker-controlled placeholder domains
llm_attacker_domain
- error (−15)
Tool-output smuggling (markdown image exfil)
Instructions try to coerce markdown image tags that exfiltrate data via the URL query string
llm_tool_output_smuggling
Data exfiltration (5)
- error (−15)
Data exfiltration
Instructions appear to exfiltrate sensitive data to external services
data_exfiltration
- error (−15)
Environment variable exfiltration
Instructions dump environment variables to external destinations
env_dumping
- error (−15)
Suspicious external URLs
Instructions send data to IP addresses or known data collection services
suspicious_urls
- warning (−5)
data: URI payload
Instructions embed a data: URI carrying executable HTML or JavaScript
data_uri_payload
- error (−15)
Suspicious POST with sensitive payload
Instructions POST cookies, localStorage, env, or secrets to an external endpoint
suspicious_post_to_external
Hardcoded secrets (9)
- error (−15)
Hardcoded AWS credentials
Instructions contain what appears to be an AWS access key or secret key
hardcoded_aws_key
- error (−15)
Hardcoded GitHub token
Instructions contain what appears to be a GitHub personal access token
hardcoded_github_token
- error (−15)
Hardcoded Stripe secret key
Instructions contain what appears to be a live Stripe secret key
hardcoded_stripe_key
- error (−15)
Hardcoded secret value
Instructions contain a hardcoded secret, password, or API key value
hardcoded_generic_secret
- error (−15)
Hardcoded OpenAI API key
Instructions contain what appears to be an OpenAI API key (sk-...)
hardcoded_openai_key
- error (−15)
Hardcoded Anthropic API key
Instructions contain what appears to be an Anthropic API key (sk-ant-...)
hardcoded_anthropic_key
- warning (−5)
Hardcoded Slack webhook
Instructions contain a Slack incoming-webhook URL — leak vector if posted publicly
hardcoded_slack_webhook
- error (−15)
Hardcoded Google API key
Instructions contain what appears to be a Google API key (AIza...)
hardcoded_google_api_key
- error (−15)
Private key block
Instructions contain a PEM-encoded private key (RSA, EC, OPENSSH, PGP)
private_key_block
Command injection (5)
- error (−15)
Unsafe eval() usage
Instructions use eval() which can execute arbitrary code
unsafe_eval
- error (−15)
Function constructor
Instructions use `new Function(...)` which dynamically evaluates strings as code
function_constructor
- warning (−5)
setTimeout/setInterval with string arg
Instructions pass a string to setTimeout or setInterval, which is evaluated as code
set_timeout_string
- error (−15)
child_process with user input
Instructions concatenate user input into child_process.exec/spawn (command injection)
child_process_user_input
- warning (−5)
subprocess with shell=True
Instructions invoke subprocess with shell=True, which is unsafe with untrusted input
python_subprocess_shell_true
File-system escape (6)
- warning (−5)
Sensitive file access
Instructions access sensitive system files (passwords, SSH keys, credentials)
sensitive_file_access
- error (−15)
Unrestricted file system write
Instructions write to system directories outside project scope
unrestricted_fs_write
- error (−15)
Path traversal
Instructions contain path traversal sequences (../../) that could escape sandboxes
path_traversal
- warning (−5)
Sensitive system file reference
Instructions reference /etc/passwd, /etc/shadow, /etc/hosts, or /etc/sudoers
fs_escape_etc_passwd
- error (−15)
SSH private key path
Instructions reference SSH private key paths (~/.ssh/id_rsa, authorized_keys)
fs_escape_ssh_keys
- error (−15)
AWS credentials file path
Instructions reference the local AWS credentials file path
fs_escape_aws_credentials
Server-side request forgery (SSRF) (5)
- warning (−5)
Requests to arbitrary IPs
Instructions make HTTP requests to raw IP addresses instead of domain names
arbitrary_ip_requests
- warning (−5)
Internal network / metadata access
Instructions reference localhost, link-local, or cloud metadata endpoints
dns_rebinding
- warning (−5)
SSRF to localhost
Instructions issue HTTP requests to localhost / 0.0.0.0 / IPv6 loopback
ssrf_localhost_url
- error (−15)
AWS IMDS endpoint
Instructions reference the AWS Instance Metadata Service (169.254.169.254) — a classic SSRF target
ssrf_aws_imds
- info (−1)
Private CIDR reference
Instructions reference RFC1918 private network ranges (10/8, 192.168/16, 172.16/12)
ssrf_private_cidr
Shell / OS abuse (3)
- error (−15)
Destructive shell commands
Instructions contain destructive shell patterns (pipe to shell, rm -rf /, disk overwrite)
shell_injection
- error (−15)
Cryptocurrency mining
Instructions reference cryptocurrency mining tools or pools
crypto_mining
- error (−15)
Reverse shell
Instructions contain reverse shell patterns that could give remote access
reverse_shell
SQL injection (1)
- error (−15)
SQL injection patterns
Instructions contain SQL injection patterns (string interpolation in queries, tautologies)
sql_injection
Unsafe deserialization (1)
- error (−15)
Unsafe deserialization
Instructions use unsafe deserialization (pickle, yaml.load without SafeLoader)
unsafe_deserialization
Obfuscation (2)
- error (−15)
Obfuscated commands
Instructions contain base64-encoded commands piped to shell execution
obfuscated_commands
- warning (−5)
Long base64 blob in decoder
Instructions contain a base64 blob >100 chars passed to a decoder (atob/Buffer.from), suggesting hidden payload
long_base64_blob
Supply chain (1)
- warning (−5)
Dependency confusion risk
Instructions install packages from non-standard registries (potential typosquatting)
dependency_confusion
Privilege escalation (2)
- warning (−5)
Security bypass
Instructions disable security features or escalate privileges
disable_security
- warning (−5)
Privilege escalation
Instructions attempt to escalate system privileges
privilege_escalation
Container escape (1)
- error (−15)
Container escape attempt
Instructions contain patterns that could escape container sandboxes
container_escape
Report a vulnerability or a missing pattern.
If you discover a skill that should have been flagged, or you have a pattern proposal grounded in primary research, email security@skills-hub.ai. We re-grade the entire catalog whenever the pattern set changes.