Skip to main content
Security

Every skill scanned against 51 patterns

We scan every published skill against a curated catalog of attack patterns drawn from the OWASP LLM Top 10, the Lakera and garak prompt-injection corpora, and known SKILL.md attacks (file-system escape, exfiltration, instruction override). Every pattern below is auditable by you, the people who install our skills.

51

Total patterns

34

High severity

16

Medium severity

1

Informational

How scoring works

Every match deducts from a 100-point baseline.

Each skill starts at 100. Error-severity matches deduct 15 points, warning matches deduct 5, and informational matches deduct 1. The final score maps to a letter grade: A (≥ 90), B (80-89), C (70-79), D (50-69), F (< 50). The grade and score are published on every skill page; the full findings are visible to the skill author and site admins.

Where the patterns come from

Curated from the public attack-research record.

Patterns are drawn from the OWASP Top 10 for LLM Applications, the Lakera prompt-injection corpus, the garak red-teaming framework, and case studies of malicious SKILL.md files reported in 2025-2026. We add patterns conservatively, every new pattern must pass a true-negative test against the existing catalog before shipping.

OWASP AST alignment

Mapped to the OWASP Agentic Skills Top 10.

The OWASP Agentic Skills Top 10 (AST) is the industry standard for classifying security risks specific to AI agent skill files — distinct from general LLM risks. Every pattern in our scanner is mapped below to its AST category.

AST01Malicious Skill Injection

Skills embedding malware, unauthorized file-system access, shell execution, or container escape.

Shell / OS abuseCommand injectionContainer escapeFile-system escape
Full

AST02Prompt Injection via Skill

Skill body contains instructions designed to override the agent's system prompt or hijack its goals.

Prompt injection
Full

AST03Excessive Agency

Skill claims or grants permissions beyond its stated scope — privilege escalation, unrestricted tool use.

LLM-specific (OWASP LLM Top 10)Privilege escalation
Full

AST04Sensitive Data Disclosure

Skill exfiltrates user data, leaks credentials, or transmits sensitive information to external endpoints.

Data exfiltrationHardcoded secrets
Full

AST05Supply Chain Vulnerabilities

Skill depends on external resources (URLs, packages) that could be compromised or typosquatted.

Supply chainServer-side request forgery (SSRF)Unsafe deserialization
Full

AST06Insecure Configuration

Skill modifies security settings, disables safeguards, or injects SQL without sanitization.

Shell / OS abuseSQL injection
Partial

AST07Integrity Failures

Unsigned or obfuscated skill content that cannot be verified against a known-good state.

ObfuscationCryptographic signing (SLSA)
Full

AST08Logging Suppression

Skill silences or circumvents agent logging and monitoring — not detectable via static analysis.

N/A

AST09Denial of Service

Skill causes the agent to hang, loop indefinitely, or exhaust compute/memory resources.

N/A

AST10Composition Risks

Unsafe skill composition patterns — a chain of trusted skills that together produce malicious behaviour.

Supply chain
Partial

AST08 (Logging Suppression) and AST09 (Denial of Service) are runtime behaviors not detectable by static analysis. We document them here for completeness; they are out of scope for a pre-publish scanner.

Supply-chain provenance

You can verify every skill you install.

Static scanning catches malicious content inside a skill. Supply-chain provenance answers a different question: is this the exact skill you reviewed? We enforce three independent guarantees.

SLSA L1–L3

Cosign cryptographic signing

Every skill version published through skills-hub is signed using Sigstore Cosign and attested to a SLSA provenance tier. L1 confirms the skill was produced by our pipeline. L2 adds a tamper-evident build log. L3 (for verified publishers) uses a hardened, isolated build environment. The signature is verified on every CLI install — a skill whose signature doesn't match is rejected before it reaches your agent.

SHA-256

Content SHA integrity

At publish time, the SHA-256 hash of every skill’s instruction body is stored immutably in SkillVersion.contentHash. The CLI lockfile (.skills.json) records this hash at install time and re-verifies it on every subsequent install. If the skill’s content has changed since you first installed it, the CLI warns you before applying the update.

90+ repos

Verified source origin

Skills imported directly from a verified GitHub repository carry a blue verified badge. Verified sources are curated manually — we check that the repository belongs to the claimed publisher and has not been renamed or transferred. Over 90 skill sources are currently verified. Skills from unverified sources still pass security scanning, but the absence of a verified badge is a signal to inspect the author carefully.

The full catalog

All 51 patterns, grouped by category.

Prompt injection (6)

  • Prompt injection

    Instructions contain prompt injection attempts that try to override safety rules

    prompt_injection

    error (−15)
  • Jailbreak suffix

    Instructions contain known LLM jailbreak phrases (DAN, developer mode, pretend-evil)

    prompt_injection_jailbreak_suffix

    error (−15)
  • Instruction-override marker

    Instructions contain markers used to inject a fake system prompt (im_start, ###system###)

    prompt_injection_instruction_override

    error (−15)
  • System prompt extraction

    Instructions try to extract the host system prompt or hidden context

    system_prompt_leak

    warning (−5)
  • Role hijack

    Instructions attempt to redefine the assistant's role or remove its constraints

    prompt_injection_role_hijack

    warning (−5)
  • Hidden injection marker

    Instructions contain hidden control markers commonly used in prompt-injection payloads

    prompt_injection_hidden_marker

    warning (−5)

LLM-specific (OWASP LLM Top 10) (4)

  • BYOK / key extraction

    Instructions try to extract bring-your-own-key API keys or access tokens

    llm_byok_extraction

    error (−15)
  • Environment variable extraction

    Instructions ask the agent to read or output environment variables

    llm_env_var_extraction

    error (−15)
  • Attacker-controlled domain

    Instructions reference sending data to attacker-controlled placeholder domains

    llm_attacker_domain

    error (−15)
  • Tool-output smuggling (markdown image exfil)

    Instructions try to coerce markdown image tags that exfiltrate data via the URL query string

    llm_tool_output_smuggling

    error (−15)

Data exfiltration (5)

  • Data exfiltration

    Instructions appear to exfiltrate sensitive data to external services

    data_exfiltration

    error (−15)
  • Environment variable exfiltration

    Instructions dump environment variables to external destinations

    env_dumping

    error (−15)
  • Suspicious external URLs

    Instructions send data to IP addresses or known data collection services

    suspicious_urls

    error (−15)
  • data: URI payload

    Instructions embed a data: URI carrying executable HTML or JavaScript

    data_uri_payload

    warning (−5)
  • Suspicious POST with sensitive payload

    Instructions POST cookies, localStorage, env, or secrets to an external endpoint

    suspicious_post_to_external

    error (−15)

Hardcoded secrets (9)

  • Hardcoded AWS credentials

    Instructions contain what appears to be an AWS access key or secret key

    hardcoded_aws_key

    error (−15)
  • Hardcoded GitHub token

    Instructions contain what appears to be a GitHub personal access token

    hardcoded_github_token

    error (−15)
  • Hardcoded Stripe secret key

    Instructions contain what appears to be a live Stripe secret key

    hardcoded_stripe_key

    error (−15)
  • Hardcoded secret value

    Instructions contain a hardcoded secret, password, or API key value

    hardcoded_generic_secret

    error (−15)
  • Hardcoded OpenAI API key

    Instructions contain what appears to be an OpenAI API key (sk-...)

    hardcoded_openai_key

    error (−15)
  • Hardcoded Anthropic API key

    Instructions contain what appears to be an Anthropic API key (sk-ant-...)

    hardcoded_anthropic_key

    error (−15)
  • Hardcoded Slack webhook

    Instructions contain a Slack incoming-webhook URL — leak vector if posted publicly

    hardcoded_slack_webhook

    warning (−5)
  • Hardcoded Google API key

    Instructions contain what appears to be a Google API key (AIza...)

    hardcoded_google_api_key

    error (−15)
  • Private key block

    Instructions contain a PEM-encoded private key (RSA, EC, OPENSSH, PGP)

    private_key_block

    error (−15)

Command injection (5)

  • Unsafe eval() usage

    Instructions use eval() which can execute arbitrary code

    unsafe_eval

    error (−15)
  • Function constructor

    Instructions use `new Function(...)` which dynamically evaluates strings as code

    function_constructor

    error (−15)
  • setTimeout/setInterval with string arg

    Instructions pass a string to setTimeout or setInterval, which is evaluated as code

    set_timeout_string

    warning (−5)
  • child_process with user input

    Instructions concatenate user input into child_process.exec/spawn (command injection)

    child_process_user_input

    error (−15)
  • subprocess with shell=True

    Instructions invoke subprocess with shell=True, which is unsafe with untrusted input

    python_subprocess_shell_true

    warning (−5)

File-system escape (6)

  • Sensitive file access

    Instructions access sensitive system files (passwords, SSH keys, credentials)

    sensitive_file_access

    warning (−5)
  • Unrestricted file system write

    Instructions write to system directories outside project scope

    unrestricted_fs_write

    error (−15)
  • Path traversal

    Instructions contain path traversal sequences (../../) that could escape sandboxes

    path_traversal

    error (−15)
  • Sensitive system file reference

    Instructions reference /etc/passwd, /etc/shadow, /etc/hosts, or /etc/sudoers

    fs_escape_etc_passwd

    warning (−5)
  • SSH private key path

    Instructions reference SSH private key paths (~/.ssh/id_rsa, authorized_keys)

    fs_escape_ssh_keys

    error (−15)
  • AWS credentials file path

    Instructions reference the local AWS credentials file path

    fs_escape_aws_credentials

    error (−15)

Server-side request forgery (SSRF) (5)

  • Requests to arbitrary IPs

    Instructions make HTTP requests to raw IP addresses instead of domain names

    arbitrary_ip_requests

    warning (−5)
  • Internal network / metadata access

    Instructions reference localhost, link-local, or cloud metadata endpoints

    dns_rebinding

    warning (−5)
  • SSRF to localhost

    Instructions issue HTTP requests to localhost / 0.0.0.0 / IPv6 loopback

    ssrf_localhost_url

    warning (−5)
  • AWS IMDS endpoint

    Instructions reference the AWS Instance Metadata Service (169.254.169.254) — a classic SSRF target

    ssrf_aws_imds

    error (−15)
  • Private CIDR reference

    Instructions reference RFC1918 private network ranges (10/8, 192.168/16, 172.16/12)

    ssrf_private_cidr

    info (−1)

Shell / OS abuse (3)

  • Destructive shell commands

    Instructions contain destructive shell patterns (pipe to shell, rm -rf /, disk overwrite)

    shell_injection

    error (−15)
  • Cryptocurrency mining

    Instructions reference cryptocurrency mining tools or pools

    crypto_mining

    error (−15)
  • Reverse shell

    Instructions contain reverse shell patterns that could give remote access

    reverse_shell

    error (−15)

SQL injection (1)

  • SQL injection patterns

    Instructions contain SQL injection patterns (string interpolation in queries, tautologies)

    sql_injection

    error (−15)

Unsafe deserialization (1)

  • Unsafe deserialization

    Instructions use unsafe deserialization (pickle, yaml.load without SafeLoader)

    unsafe_deserialization

    error (−15)

Obfuscation (2)

  • Obfuscated commands

    Instructions contain base64-encoded commands piped to shell execution

    obfuscated_commands

    error (−15)
  • Long base64 blob in decoder

    Instructions contain a base64 blob >100 chars passed to a decoder (atob/Buffer.from), suggesting hidden payload

    long_base64_blob

    warning (−5)

Supply chain (1)

  • Dependency confusion risk

    Instructions install packages from non-standard registries (potential typosquatting)

    dependency_confusion

    warning (−5)

Privilege escalation (2)

  • Security bypass

    Instructions disable security features or escalate privileges

    disable_security

    warning (−5)
  • Privilege escalation

    Instructions attempt to escalate system privileges

    privilege_escalation

    warning (−5)

Container escape (1)

  • Container escape attempt

    Instructions contain patterns that could escape container sandboxes

    container_escape

    error (−15)
Found something?

Report a vulnerability or a missing pattern.

If you discover a skill that should have been flagged, or you have a pattern proposal grounded in primary research, email security@skills-hub.ai. We re-grade the entire catalog whenever the pattern set changes.