Safeguard
Tag

agent-skills

Safeguard articles tagged "agent-skills" — guides, analysis, and best practices for software supply chain and application security.

6 articles

AI Security

A Reproducible Rubric for Measuring Prompt-Injection Risk in Agent Skills

OWASP has ranked prompt injection the #1 LLM risk for two straight editions, yet almost no one scores agent skill packages for it consistently. Here's a rubric.

Jul 9, 20266 min read
AI Security

Auditing AI agent skill registries for hardcoded keys

29M new hardcoded secrets hit public GitHub in 2025, up 34% YoY — and 3% of MCP servers in production carry hardcoded credentials as theft traps.

Jul 9, 20267 min read
AI Security

Why static scanners miss malicious AI agent skills

In April 2025, Invariant Labs showed a malicious MCP tool description could exfiltrate an SSH key — with zero suspicious code for a static scanner to flag.

Jul 8, 20266 min read
AI Security

Securing MCP Servers and Agent Skills in the Enterprise

MCP servers and agent skills give AI agents new power—and new attack surface. Here's how tool poisoning and rug-pull attacks work, and how to stop them.

May 14, 20267 min read
Agent Security

ToxicSkills: When Claude Skills Become a Malware Distribution Channel

Snyk's ToxicSkills research found prompt injection in 36% of Claude skills tested and 1,467 malicious payloads. The SKILL.md trust model is the structural issue.

Feb 4, 20267 min read
AI Security

Agent Skill Marketplaces as the Next Frontier for Supply ...

Agent skill marketplaces are repeating npm and PyPI's supply chain mistakes—except the malicious payload is often a sentence of instructions, not code. Here's what's already been exploited.

Jul 22, 20257 min read
agent-skills — Safeguard Blog