#supply-chain — SkillSafe Blog

Security Apr 2, 2026 8 min read

ToxicSkills: What the First Large-Scale Agent Skill Audit Found

Snyk scanned 3,984 AI agent skills: 36% had security flaws, 534 critical issues, 76 active malware. What this means for developers installing skills.

Security Mar 31, 2026 12 min read

MCP Tool Poisoning: How Hidden Metadata Hijacks AI Agents

MCP tool descriptions are visible to your AI agent but hidden from you. Attackers embed instructions that hijack agent behavior and steal credentials.

Security Mar 29, 2026 9 min read

Langflow Exploited in 20 Hours: The AI Framework Attack Surface

Langflow's critical RCE was weaponized in 20 hours. Combined with new LangChain and LangGraph CVEs, AI framework infrastructure is under active attack.

Security Mar 28, 2026 7 min read

When Trusted Packages Turn Hostile: Cascading Supply Chain Attacks

TeamPCP compromises legitimate packages and cascades through the supply chain via stolen credentials. Why this attack pattern evades detection.

Security Mar 27, 2026 7 min read

You're Using Claude Code Skills. Do You Know What's in Them?

Claude Code skills can read files, run commands, and access credentials. What the skill ecosystem gets wrong about security — and how to protect yourself.

Security Mar 25, 2026 12 min read

LiteLLM's PyPI Backdoor: What It Means for the AI Skill Supply Chain

Attackers injected a credential stealer into litellm (95M downloads) via compromised CI/CD. What happened and why AI skills face the same threat.

Security Mar 9, 2026 14 min read

ClawHavoc: 1,184 Malicious Skills and Why Pre-Install Verification Matters

Post-mortem of ClawHavoc — the largest AI skill supply chain attack on record — and what it reveals about the limits of reactive security models.

Security Mar 9, 2026 12 min read

Why Scanning Architecture Matters: Comparing Skill Registry Security

Comparing install-time scanning, reactive moderation, and dual-side verification — and the supply chain attack vectors each security model misses.

Product Updates Feb 15, 2026 5 min read

Introducing SkillSafe: Why AI Coding Skills Need a Verified Registry

341 malicious AI skills were found on a major registry. SkillSafe scans before sharing, re-verifies on install, and blocks tampered code automatically.

Security Feb 10, 2026 4 min read

How Dual-Side Verification Protects Against Supply Chain Attacks

How SkillSafe dual-side verification works: publisher scans, consumer re-scans, and cryptographic tree hashes that detect tampering before install.