Introducing SkillSafe: Why AI Coding Skills Need a Verified Registry

In January 2026, security researchers found 341 malicious skills on a popular AI agent registry. One of them — bundled with Atomic Stealer malware — had been downloaded over 7,700 times before anyone noticed. The skills looked legitimate. They passed no security scan because there was none to pass.

This is the state of AI skill distribution today.

Skills have a supply chain problem

AI agents like Claude Code, Cursor, Windsurf, Codex, Gemini, and OpenCode are becoming the primary way developers write software. Skills extend these tools with specialized capabilities — deployment workflows, code review checklists, framework scaffolding, API integrations.

But the way skills get shared looks a lot like the early days of npm, before lockfiles and audit existed. Authors publish to open registries or share raw GitHub URLs. Consumers install with no scanning, no integrity verification, and no way to confirm that what they downloaded matches what the author actually published.

The surface area is real. A skill can contain arbitrary code that runs inside your development environment — the same environment that has access to your source code, credentials, and file system. A malicious skill doesn’t need a sophisticated exploit. It just needs subprocess.run() and a URL.

What SkillSafe does

SkillSafe is a skill registry with verification built into the protocol, not bolted on after the fact.

The core mechanism is dual-side verification:

1. The publisher scans their skill locally before sharing. The scanner runs AST-based static analysis and produces a structured report along with a SHA-256 tree hash of the entire archive.
2. The consumer downloads the skill and independently re-scans it. This produces a second report and tree hash from their side.
3. The server compares both reports. If the tree hashes don’t match — meaning even a single byte was changed between publish and install — installation is blocked automatically.

This isn’t trust-the-publisher verification. Both sides scan independently, and the server validates that they agree.

How it works

Setup takes one message to your AI agent:

Install skillsafe from https://skillsafe.ai/skill.md

Your AI tool reads the skill definition, downloads the SkillSafe client, and configures it. The client is a single Python file with zero external dependencies — no pip install, no virtual environment, no build step.

From there, the workflow is straightforward:

# Authenticate (opens browser for Google Sign-In)
skillsafe auth

# Scan a skill directory for security issues
skillsafe scan ./my-skill

# Save privately to the registry (no scan required for private skills)
skillsafe save ./my-skill --version 1.0.0

# Share with a revocable link (requires scan report)
skillsafe share @myname/my-skill --version 1.0.0

# Install with automatic verification
skillsafe install @publisher/some-skill --version 1.0.0

Every install triggers a full re-scan on the consumer’s machine. The client submits its independent report to the server, which compares it against the publisher’s. You get one of three verdicts:

• Verified — tree hashes match, findings are consistent. Safe to use.
• Divergent — tree hashes match but findings differ (e.g., scanner version mismatch). Proceed with caution.
• Critical — tree hashes don’t match. The archive was tampered with. Installation is blocked.

What makes this different

Dual-side verification, not trust-the-publisher. Most registries scan once at upload and then trust the result forever. SkillSafe makes the consumer an independent verifier. If the archive changes between publish and install — whether from a compromised server, a man-in-the-middle, or a malicious update — the consumer’s scan catches it.

Save-first, share-second. Skills are private by default. You can save unlimited versions to the registry with no email verification and no scan report required. Sharing is a separate, opt-in step that creates revocable, expirable links. This keeps the adoption friction near zero while enforcing security gates where they matter — at the point of distribution.

Single Python file, zero dependencies. The entire client is one file: skillsafe.py. Standard library only, Python 3.8+. It works offline for scanning, doesn’t require internet access until you want to save or share, and runs anywhere Python runs. No extension marketplace, no IDE plugin, no platform lock-in.

Immutable version history. Once a version is saved, it can’t be overwritten. New content requires a new version number. This gives every skill a complete, auditable history — you can always trace back to what was published and when.

What we scan for

The scanner runs multiple passes over every file in a skill archive:

• Command injection — AST parsing for subprocess, os.system, eval, exec, child_process, and shell execution patterns
• Data exfiltration — outbound HTTP requests, DNS lookups, environment variable access that sends data externally
• Obfuscation — base64-encoded payloads, encoded strings that decode to executable code, suspicious entropy patterns
• Secrets — hardcoded AWS keys, GitHub tokens, private keys, and other credentials detected via pattern and entropy analysis
• Prompt injection — heuristic pattern matching in Markdown files for jailbreak attempts and instruction override patterns

Each finding is severity-rated (critical, high, medium, low, info) and included in the structured scan report that feeds into the verification comparison.

Get started

Send this to Claude Code, Cursor, Windsurf, Codex, Gemini, OpenCode, or any AI agent that supports skills:

Install skillsafe from https://skillsafe.ai/skill.md

The setup takes about 30 seconds. From there you can scan your first skill, save it to the registry, and optionally share it with verified links.

Read the full documentation for CLI reference and API details, or check out the security model for a deeper look at how verification works under the hood.