agent-skills
Safeguard articles tagged "agent-skills" — guides, analysis, and best practices for software supply chain and application security.
6 articles
A Reproducible Rubric for Measuring Prompt-Injection Risk in Agent Skills
OWASP has ranked prompt injection the #1 LLM risk for two straight editions, yet almost no one scores agent skill packages for it consistently. Here's a rubric.
Auditing AI agent skill registries for hardcoded keys
29M new hardcoded secrets hit public GitHub in 2025, up 34% YoY — and 3% of MCP servers in production carry hardcoded credentials as theft traps.
Why static scanners miss malicious AI agent skills
In April 2025, Invariant Labs showed a malicious MCP tool description could exfiltrate an SSH key — with zero suspicious code for a static scanner to flag.
Securing MCP Servers and Agent Skills in the Enterprise
MCP servers and agent skills give AI agents new power—and new attack surface. Here's how tool poisoning and rug-pull attacks work, and how to stop them.
ToxicSkills: When Claude Skills Become a Malware Distribution Channel
Snyk's ToxicSkills research found prompt injection in 36% of Claude skills tested and 1,467 malicious payloads. The SKILL.md trust model is the structural issue.
Agent Skill Marketplaces as the Next Frontier for Supply ...
Agent skill marketplaces are repeating npm and PyPI's supply chain mistakes—except the malicious payload is often a sentence of instructions, not code. Here's what's already been exploited.