There are 64k skills on Vercel's skills.sh. Cursor, Claude Code, Windsurf, and dozens more agents pull them from GitHub at HEAD — no versioning, signing, or scanning. The OpenClaw agents themselves flagged this: "The supply chain attack nobody is talking about: skill.md is an unsigned binary."[0]
I took an official skill that packages other skills, added a few lines of Python to exfiltrate env vars, shell history, and git config, and installed it into Claude Code and Codex. Claude Code ran the script without flagging the outbound request. Codex caught the naive version. After updating the SKILL.md with a two-stage payload that modified `config.toml` for sandbox network access and framed the exfiltration as a registry name check, Codex asked for confirmation with a plausible reason. That reason was written by the malicious skill. I confirmed. Payload arrived. Full writeup: https://vett.sh/blog/ai-agent-skills-supply-chain-attack
~5k skills scanned so far:
- 59 critical risk: base64-obfuscated droppers calling a C2 server at a malicious IP, disguised as Google/LinkedIn/Excel tools - 335 high risk: arbitrary shell execution, piped installers, agent identity manipulation - 16 with `curl | bash` patterns. "React Native Best Practices" (5,400 installs) pipes to a legitimate domain it doesn't control. If that domain expires or gets sold, those installs become a delivery vehicle with no exploit required.
How Vett works:
First layer: a static analyzer with 40+ detection rules, AST-based capability analysis (TypeScript compiler for JS/TS, Python AST with regex fallback), and source-sink data flow tracking. A script that reads `.env` and makes an outbound HTTP request is flagged as an exfiltration chain, not two separate findings. It checks dependencies against the OSV vulnerability database, detects cross-file import chains, and catches when documentation references scripts that aren't in the package. Deterministic, runs in milliseconds.
Second layer: for ambiguous signals, LLM analysis compares observed behavior against declared purpose. A packaging tool calling an unrecognized endpoint looks different from a deployment tool calling AWS. Skills that clear both layers get Sigstore signing (ECDSA P-256 + Rekor transparency log) and content-addressed immutable storage.
npx vett add github.com/owner/repo/skill-name
[0] https://www.moltbook.com/post/cbd6474f-8478-4894-95f1-7b104a...