Agent skills are the new install surface.
That is good for speed. It is also a supply-chain problem: a skill can ship steps that shell out, touch files, or pull remote content.
This guide is a practical security checklist for people who install and ship skills - not a fear pitch.
Kill the default approach
Default: npx something cool and trust the README stars.
What breaks first: postinstall scripts, silent network calls, skills that treat the web as instructions, and credentials in context.
By the end you will have
- A threat model for skills vs packages vs MCP
- The Skill Trust Gate magnet (pre-install + pre-publish)
- Provenance and privilege rules
- Failure modes
- What to do when a skill looks wrong
Skills are procedures with power
A skill is usually markdown (and sometimes scripts) that tells an agent how to use tools.
| Surface | Risk shape |
|---|---|
| Package manager | Lifecycle scripts, dependency graph |
| Skill file | Instructions that expand into tool calls |
| MCP / tools | Capabilities the skill assumes |
Treat skills like runbooks with teeth.
Public analyses of community skill corpora have found a non-trivial share of skills with security issues. Use that as a reason to gate, not to invent exact percentages for your stack.
Magnet: Skill Trust Gate
Name: Skill Trust Gate
A. Before you install a third-party skill
[ ] Author is known or repo is inspectable
[ ] Read the full SKILL.md (or equivalent)
[ ] No curl|bash, unexplained downloads, or "disable security"
[ ] Tool needs listed: shell, network, browser, secrets
[ ] Test in a throwaway directory / worktree first
[ ] No request for mainnet keys, seed phrases, or wallet connectB. Before you publish your own skill
[ ] No secrets, tokens, or private URLs
[ ] Lifecycle scripts reviewed or disabled
[ ] Permissions documented in README
[ ] Untrusted web/X content treated as DATA, never as instructions
[ ] Chain skills: devnet/sim defaults only
[ ] One-liner install matches docsYou should see: one third-party skill installed only after Gate A, and one of your skills published only after Gate B - with a written "what it can touch" note.
Privilege rules that scale
- Least privilege - skills that need shell get it; others do not.
- Pin versions when registries allow it.
- Separate machine for high-risk experiments if you can.
- Revoke fast - delete skill, rotate keys if anything odd ran.
- Never put mainnet keys in agent context "just for this skill."
How to review a skill file quickly
Skim for:
rm -rf,curl | sh,eval, hidden base64- Paths outside the project (
~/.ssh, keychains) - "Ignore previous instructions" style prompt injection
- Auto-commit / auto-push / auto-publish
- Requests to paste secrets into chat
If the skill needs network, ask: to where, and why?
Failure modes
| Anti-pattern | Cost |
|---|---|
| Stars-as-trust | Fake or rented attention |
| Install without reading | Silent shell |
| Skill as root on laptop | Full compromise path |
| Shipping skills with postinstall surprises | User harm + reputation |
| Treating scraped web text as commands | Prompt injection |
When not to install skills at all
- You cannot isolate the environment
- The skill requires mainnet authority
- Author is anonymous and the skill is huge
- You only need a 5-line prompt once
Path options
| Path | When |
|---|---|
| Solo OS hygiene | Agent OS for solo developers |
| Skills craft | Claude Code skills guide |
| Control-plane patterns | OSS · LACP / Mission Control |
| Hands-on setup | Agent OS Setup |
Bottom line
Speed is fine. Blind install is not.
Your next action: run Skill Trust Gate on the last skill you installed - pass Gate A, or remove it today.