Agent SkillsTrust

Security

How skills are scanned — and why auditing third-party skills like untrusted software is the default.

Anthropic officially documents that third-party skills should be treated like untrusted software: they can carry prompt-injection, data-exfiltration, and arbitrary code paths. A scan of 3,984 public skills found 36.8% had a security flaw and 13.4% a critical one. So we scan ours and publish the result.

No security findings· skill-lint + static scan + prompt-injection lint

Skills are plain-Markdown instructions plus, at most, a stdlib-only Python script with no network calls — the class of artifact that audits clean.

Scanned 2026-07.

What the scan covers

  • Bundled scripts — static scan for network exfiltration and credential reads outside the declared scope.
  • Instruction text — prompt-injection lint on the SKILL.md body.
  • Spec validation — the same structural checker that keeps the skill loadable.

What you don't have to buy

Baseline skill security scanning is commoditized and free — Snyk ships a self-serve scanner and registries auto-scan public skills. We don't sell auditing. The attestation above is a product attribute of our skills, not a service: proof our own line is clean, published alongside the evals and changelog.