Skip to content
// Intelligence Report

State of Agent Skill Security

Public research report generated from a snapshot scan of multiple registries. Snapshot: 4/24/2026, 7:08:58 PM

All numbers are deduplicated — each skill counted once across registries, using the latest scan. Live registry numbers update continuously. View Live Stats → | Browse the Registry →

2,673

Unique Skills Scanned

53

Rejected

2,073

High Findings

41.8%

Certified

Download MarkdownDownload Stats JSONDownload Updates JSON
Full Report
Rendered from data/report.md · v0.8.0

State of Agent Skill Security (April 24, 2026)

We scanned 2,674 successful marketplace listings across public skill registries and found 2,673 unique skills after deduplication.

AgentVerus Scanner v0.8.0 | April 24, 2026

Update history: /report-updates.json

Methodology Note — Deduplication

This report starts from raw listings, not a pre-cleaned corpus. Successful scans are deduplicated by content hash first and canonical URL second, so mirrors and duplicate source listings do not inflate the published totals.

Executive Summary

The public skill ecosystem is substantially larger than the historical February 2026 website snapshot, and the current scanner is materially stricter around capability-contract mismatches, authenticated workflows, and browser-session handling. The important improvement in this refresh is not just new counts. It is the publication pipeline itself: the website report now comes from a fresh full rerun with explicit cross-source deduplication instead of a stale historical file.

How to read the badge shift versus February 2026. The February report showed 95.5% CERTIFIED using scanner v0.4.0. This report shows 41.8% CERTIFIED using scanner v0.8.0. That movement is almost entirely driven by scanner calibration — v0.5–v0.8 added capability-contract matching (nine of the top fifteen findings are contract mismatches), evasion detection, and tightened behavioral/content scoring. The same skill scanned in February would often drop a tier today because its declared manifest does not match the behavior the scanner now infers. Treat this as a stricter yardstick, not a regressing ecosystem.

What We Scanned

  • ClawHub: 0 unique skills from 0 current listings. Note: ClawHub's public /api/v1/skills listing endpoint returned zero entries throughout this run; individual downloads continue to work, and live user scans of ClawHub-hosted skills continue to flow into AgentVerus from the web and API. The zero here reflects a discovery-API gap, not an empty marketplace.
  • skills.sh: 2,673 unique skills not already represented by higher-priority sources (4,000 sitemap entries, 2,674 scanned, 120 failures)
  • Unique total: 2,673 skills after deduplication by content hash and canonical URL

Key Numbers

Metric Count Percentage
🟢 CERTIFIED 1,118 41.8%
🟡 CONDITIONAL 1,320 49.4%
🟠 SUSPICIOUS 182 6.8%
🔴 REJECTED 53 2.0%
Total unique skills 2,673 100%

Most Common Findings

# Finding Occurrences Severity
1 No explicit safety boundaries 1,785 LOW
2 Unknown external reference 1,705 LOW
3 Capability contract mismatch: inferred network access is not declared 1,449 MEDIUM
4 Capability contract mismatch: inferred command execution is not declared 1,339 HIGH
5 Capability contract mismatch: inferred file read is not declared 1,102 MEDIUM
6 Capability contract mismatch: inferred documentation ingestion is not declared 1,035 MEDIUM
7 Safety boundaries defined 627 INFO
8 Capability contract mismatch: inferred file write is not declared 507 MEDIUM
9 Unknown external reference 499 MEDIUM
10 Capability contract mismatch: inferred package bootstrap is not declared 444 MEDIUM
11 Error handling instructions present 434 INFO
12 Output constraints defined 421 INFO
13 Missing or insufficient description 317 LOW
14 Package bootstrap execution detected (inside code block) 276 MEDIUM
15 High-risk workflow lacks explicit safety boundaries 261 MEDIUM

Lowest-Scoring Skills

Skill Score Badge Top Issue Primary Source
apify-actor-development 15 REJECTED Download-and-execute pattern detected skillssh
apify-actorization 22 REJECTED Download-and-execute pattern detected skillssh
main 23 REJECTED Environment variable access + network send (credential harvesting) skillssh
openclaw-control-center 29 REJECTED Environment variable access + network send (credential harvesting) skillssh
fullstack-dev 30 REJECTED Environment variable access + network send (credential harvesting) skillssh
paperclip-ai-orchestration 31 REJECTED Environment variable access + network send (credential harvesting) skillssh
voicebox-voice-synthesis 35 REJECTED Environment variable access + network send (credential harvesting) skillssh
shopify-hydrogen 42 REJECTED Capability contract mismatch: inferred command execution is not declared skillssh
portless 49 REJECTED Capability contract mismatch: inferred credential access is not declared skillssh
browser-testing-with-devtools 52 REJECTED Direct instruction override detected skillssh

Methodology

  • ClawHub entries were fetched from the public marketplace API and scanned via bundle downloads.
  • skills.sh entries were fetched from the sitemap, resolved to raw GitHub SKILL.md URLs, then scanned.
  • Successful scan results were deduplicated by sha256 content hash and canonical URL before badge counts were published.
  • When the same skill appeared in multiple sources, report provenance preferred ClawHub over skills.sh and the registries over supplemental GitHub discovery.

Expanded Discovery

Outside the two baseline registries, we also ran a supplemental public GitHub discovery pass. That scan found 4,308 net-new unique skills after deduplicating against the baseline report.

This report was generated from a fresh v0.8.0 rerun on April 24, 2026.

Snapshot Status

The full report body above is the latest published snapshot. Older runs and supplemental snapshots are listed below so the website reflects report work even when the long-form ecosystem body has not been re-promoted yet.

Current Body
Scanner v0.8.0
Apr 24, 2026
Published Body
Published full cross-registry snapshot
Cross-registry deduplicated snapshot · 2,673 scanned
Latest Snapshot
Public GitHub discovery snapshot
Scanner v0.8.0 · Apr 24, 2026
Latest Scanner Update
Full Registry Refresh and Source Expansion
Scanner v0.8.0 · Apr 24, 2026
Published Snapshots
From data/report-snapshots.json

Scanner v0.8.0

Public GitHub discovery snapshot

Supplemental public GitHub discovery · 4,308 / 5,692 scanned · 0 failures

Supplemental snapshot measuring net-new public GitHub skills found outside the two baseline registries after canonicalization and deduplication.

Open SnapshotMarkdownSummary JSON

Scanner v0.8.0

Published full cross-registry snapshot

Cross-registry deduplicated snapshot · 2,673 / 2,673 scanned · 120 failures

Fresh full-marketplace rerun using scanner v0.8.0 across ClawHub and skills.sh, promoted as the canonical /report body. ClawHub's public listing API returned zero entries during this run so baseline counts reflect skills.sh coverage only.

Open SnapshotMarkdownSummary JSON

Scanner v0.6.1

skills.sh full registry summary

Registry summary snapshot · 2,186 / 2,260 scanned · 74 failures

Full skills.sh scan promoted as a summary snapshot so newer report work is visible on the website.

Open SnapshotMarkdownSummary JSON

Scanner v0.6.1

ClawHub popular top 500 snapshot

Popularity-limited subset snapshot · 366 / 500 scanned · 134 failures

Partial ClawHub run using scanner v0.6.1 across the 500 most popular listings.

Open SnapshotMarkdownSummary JSON

Scanner v0.4.0

Published full cross-registry snapshot

Cross-registry deduplicated snapshot · 4,686 / 4,686 scanned · 0 failures

Archived website report body from the previously published full snapshot.

Open SnapshotMarkdownSummary JSON
Report Update History
From data/report-updates.json

Scanner v0.8.0

Full Registry Refresh and Source Expansion

The public report was rebuilt from a fresh v0.8.0 full-marketplace scan, with canonical URL normalization, content-hash deduplication, and a supplemental public GitHub discovery pass. ClawHub's public listing API returned zero entries during collection, so this refresh is skills.sh- and GitHub-dominant; ClawHub coverage continues to flow in through live user scans and the existing database.

  • +Replaced the stale v0.4.0 website report body with a new cross-registry snapshot using scanner v0.8.0.
  • +Added canonical URL plus content-hash deduplication so cross-source mirrors collapse before aggregate counts are published.
  • +Published a supplemental GitHub discovery snapshot showing net-new public skills found outside the baseline registries.

Scanner v0.6.2

Browser/Auth Coverage and Dedup Cleanup

Scanner coverage expanded again around browser-session reuse, auth-heavy skill patterns, and cleaner merged finding output.

  • +Broadened browser workflow and authenticated-session inference, including profile reuse, remote browser delegation, and local-service patterns.
  • +Expanded auth/dependency coverage for credential-bearing query parameters, persistent credential stores, and browser-auth handoff flows.
  • +Deduplicated overlapping auth, cookie, session, dependency, and permission-contract findings into cleaner rendered summaries.

Scanner v0.6.1

Lifecycle False-Negative Fixes

Lifecycle-script coverage was hardened to close bypasses in docs-context handling and JSONC package snippets.

  • +Reclassified `Usage` headings so lifecycle hooks there retain normal risk scoring.
  • +Added JSONC-aware lifecycle script extraction for fenced `jsonc` package snippets.
  • +Restored `Demo`/`Output` headings as documentation contexts to avoid benign-example penalties.

Scanner v0.6.0

Lifecycle, Capability Contracts, and SBOM

Scanner coverage expanded with lifecycle-hook detection, capability-contract mismatch findings, and CycloneDX SBOM output.

  • +Added lifecycle script scanning in embedded package snippets with critical-path detection for dangerous install hooks.
  • +Introduced capability-contract mismatch findings for undeclared inferred behaviors.
  • +Shipped SBOM generation support and registry/report updates for the expanded scanner output.

Scanner v0.5.0

Code Safety Category Added

Scoring expanded from five to six categories, with a dedicated Code Safety analyzer for embedded code blocks.

  • +Added code-safety scoring and persisted code_safety_score in scan results.
  • +Backfilled historical scan rows so report consumers can compare code safety over time.
  • +Updated API schemas, docs, and trust report UI to surface the sixth category and ASST-11 alignment.

Scanner v0.4.0

Detection Coverage Expanded

The scanner added multiple high-signal detections, improving threat coverage at the cost of slightly stricter scoring.

  • +Added Unicode steganography and indirect prompt-injection detection.
  • +Added coercive tool-priority override and trigger-hijacking detection.
  • +Added binary artifact detection for packaged ELF/PE/Mach-O payloads.

Scanner v0.1.0

Initial Public Baseline

First public report baseline for registry-wide trust scoring and ASST taxonomy classification.

  • +Published initial scoring model and badge tiers.
  • +Established baseline metrics for certified, suspicious, and rejected skill rates.
  • +Introduced public aggregate stats for repeatable trend comparisons.