Security 7 min read

You're Using Claude Code Skills. Do You Know What's in Them?

Claude Code skills can read files, run commands, and access credentials. What the skill ecosystem gets wrong about security — and how to protect yourself.

#claude-code#supply-chain#skill-security#verification#mcp#connectors#plugins

Claude Code is one of the most capable AI agents available right now. Skills — reusable instruction sets that extend what Claude Code can do — are a big part of why. There are skills for code review, deployment workflows, API integrations, test generation, documentation, and dozens of other tasks.

Most people install them without thinking twice.

That’s the problem.

What a skill actually is

A Claude Code skill is a set of instructions loaded into your agent’s context. On the surface, it looks like a markdown file — readable, portable, easy to share. But skills can do a lot more than display text.

A skill can instruct your agent to:

  • Read files anywhere on your filesystem
  • Execute shell commands
  • Make outbound network requests
  • Access environment variables, including API keys and credentials
  • Modify source code

This isn’t a vulnerability in Claude Code — it’s how powerful AI agents work. The agent has access to your environment because that’s what makes it useful. A skill that helps you deploy to production needs to run commands. A skill that integrates with an API needs credentials.

The surface area is real, and it runs deeper than most developers realize.

The current state of skill distribution

Right now, most Claude Code skills are shared via raw GitHub URLs, gist links, or open registries with no security review. The install flow looks something like:

Create skillsafe skill from https://github.com/someone/their-skill/blob/main/SKILL.md

Your agent fetches that URL and loads whatever is there. There is no scan. There is no integrity check. There is no guarantee that what you downloaded today is what was there yesterday — or that the repository hasn’t been compromised since you last used it.

This is the same threat model that plagued npm in its early years. A malicious skill doesn’t need a sophisticated exploit chain. It just needs to instruct your agent to exfiltrate your .env file or send your API keys to an attacker-controlled endpoint. The attack is as simple as the instruction.

The ClawHavoc campaign showed what happens next

In early 2026, security researchers confirmed 1,184+ malicious AI skills distributed across 12 compromised publisher accounts. The skills used ClickFix social engineering and Atomic Stealer payloads to steal credentials and exfiltrate data. Many of the skills looked legitimate — they were functional, had real descriptions, and had accumulated install counts that made them appear trustworthy.

The attack worked precisely because registries had no pre-publish scanning, no tamper detection, and no way for users to verify what they were installing.

What good skill security looks like

Protecting yourself as a Claude Code user comes down to three things:

1. Verify before you install

Don’t install skills from arbitrary GitHub URLs without reviewing the content first. Read the skill file. Understand what it instructs your agent to do. If the skill references external scripts or makes network calls, understand why.

2. Use a registry with pre-publish scanning

The key distinction is when scanning happens. A registry that scans at install time tells you the skill was clean when you downloaded it — it doesn’t tell you it’s the same file the publisher uploaded, or that it was reviewed before it was ever shared. Pre-publish scanning, combined with cryptographic tamper detection, closes both gaps.

3. Check for tamper detection

Even a skill that was clean at publish time can be modified in transit. A SHA-256 tree hash over the entire archive, stored at publish time and re-verified at download, makes tampering detectable. Without this, you’re trusting that nothing changed between when the author uploaded it and when you installed it.

Skills vs. MCP vs. Connectors vs. Plugins

If you’ve spent any time in the agent tooling space, you’ve encountered all four of these terms — sometimes used interchangeably, which causes real confusion. Here’s how they actually differ:

MCPConnectorPluginSkill
What it providesA set of callable tools for a specific scenarioA pre-built bridge to an external service or data sourceA packaged capability that extends the agent’s interface or feature setA complete solution — workflow, reasoning, and tool orchestration for a specific scenario
Core questionHow to connect?How to integrate?What can it do?What to do, why, and when?
Use whenYou need DB access, external APIs, file system ops, third-party service callsYou want turnkey integration with a known service (Slack, GitHub, Notion, Salesforce) without writing connection codeYou want to add a new UI surface, capability, or behavior to the agent’s base feature setMulti-step workflows, enforcing consistent processes, encoding domain expertise, preserving institutional knowledge
DefinesTool signatures and transport protocolAuth, schema mapping, and data flow between agent and serviceFeature boundary and interface contractStep-by-step execution plan with conditions and failure handling

The short version:

  • MCP gives a worker access to tools: a hammer, a wrench, scissors
  • Connector gives a worker a pre-configured workstation already wired to the factory floor
  • Plugin gives a worker a new skill module bolted onto their suit
  • Skill tells the worker when and how to use everything in the right sequence to complete a specific job

They’re complementary, not competing. A Skill can call tools exposed via MCP, use data piped in through a Connector, and run inside a host environment extended by a Plugin. The Skill is the orchestration layer on top.

This distinction matters for security. MCP servers, connectors, and plugins all expand the agent’s capabilities — but a malicious Skill is what directs those capabilities. A compromised Skill with access to an MCP server that has filesystem permissions is a full read/write/exfil pipeline. The Skill is where intent lives, which is why it’s also where the attack surface lives.

How SkillSafe approaches this

SkillSafe was built specifically to address the skill supply chain problem for Claude Code and other AI agents.

The verification model works in three steps:

  1. Publisher scans before sharing. Before a skill can be shared publicly, the author runs a full local scan. This produces a structured security report and a SHA-256 tree hash of the entire archive.

  2. Registry stores the hash. The tree hash is stored immutably alongside the scan report. Any change to any file in the skill — even a single byte — will break the hash.

  3. Consumer re-scans on install. When you install a skill, your client independently re-scans it. The server compares both reports. A hash mismatch means the archive changed between publish and download — you’ll see a warning and the divergence is logged. Separately, if either scan produces a critical verdict, the install is blocked automatically.

This is dual-side verification. It means you’re not just trusting the registry’s scan — you’re verifying the skill yourself, every time.

Getting started

Installing skills through SkillSafe takes the same amount of effort as installing them directly. Send this to Claude Code:

Create skillsafe skill from https://skillsafe.ai/skill.md

Claude Code reads the skill definition, downloads the SkillSafe client, and sets up verification automatically. From there, skillsafe install @publisher/skill-name downloads, re-scans, and verifies before anything runs.

Every shared skill in the SkillSafe registry has passed a pre-publish scan — scanning is required before a skill can be shared publicly. Tamper detection is on by default. Hash mismatches surface as warnings; critical scan verdicts block the install entirely — they don’t just flag and proceed anyway.

The bottom line

Skills are powerful. That’s the point. But power without verification is a liability, and the AI skill ecosystem is in the same place npm was a decade ago — before anyone took supply chain security seriously.

If you’re using Claude Code skills today, ask yourself: do you know what’s in them? Do you know they haven’t been modified since the author published them?

If the answer is no, that’s worth fixing. It takes about 30 seconds.

Related Articles

Security

How Dual-Side Verification Protects Against Supply Chain Attacks

How SkillSafe dual-side verification works: publisher scans, consumer re-scans, and cryptographic tree hashes that detect tampering before install.

 Security

MCP Tool Poisoning: How Hidden Metadata Hijacks AI Agents

MCP tool descriptions are visible to your AI agent but hidden from you. Attackers embed instructions that hijack agent behavior and steal credentials.

 Security

Why Scanning Architecture Matters: Comparing Skill Registry Security

Comparing install-time scanning, reactive moderation, and dual-side verification — and the supply chain attack vectors each security model misses.