Skip to content

Latest commit

 

History

History
73 lines (57 loc) · 3.53 KB

snyk-toxicskills-evaluation.md

File metadata and controls

73 lines (57 loc) · 3.53 KB

Resource Evaluation: Snyk ToxicSkills — Malicious AI Agent Skills Audit

Field Value
Resource Snyk ToxicSkills Blog
Type Security research + open-source tool
Published 2026-02-05
Relayed by Victor Langlois (LinkedIn)
Score 4/5 (High Value)
Action Integrated — enriched security-hardening.md (CVE, stats, new section §1.5)

Summary

Snyk scanned 3,984 AI agent skills across ClawHub and skills.sh marketplaces, finding:

  1. 36.82% (1,467 skills) contain security flaws
  2. 534 skills flagged critical (malware, prompt injection, exposed secrets)
  3. 76 malicious payloads identified (credential theft, backdoors, data exfiltration — 8 still active on ClawHub at publication)
  4. 10.9% of ClawHub skills contain hardcoded secrets
  5. 2.9% fetch and execute remote content dynamically
  6. mcp-scan: open-source tool achieving 90-100% recall on confirmed malicious skills, 0% false positives on top-100 legitimate skills

Gap Analysis

Topic Before (guide) After
Supply chain stats 8-14% (SafeDep) 36.82% (Snyk, 3,984 skills corpus)
Audit tools skills-ref validate + mcp-scan (Snyk)
Attack categories Generic (injection, exfil, privesc) 8 detailed policies (hardcoded secrets, remote prompt exec, malicious downloads)
.claude/ attack vector 1-line mention (line 199) Full section §1.5 with checklist
Malicious hooks/commands Not covered Documented with audit checklist
Recent CVEs 5 CVEs (2025) + CVE-2026-24052, CVE-2025-66032

Fact-Check

Claim Verified Source
3,984 skills scanned Yes Snyk blog
36.82% with flaws (1,467/3,984) Yes Snyk blog
534 critical Yes Snyk blog (13.4% of total)
76 malicious payloads Yes Snyk blog (8 still active on ClawHub)
mcp-scan 90-100% recall Yes Snyk blog (0% FP on top-100 legit)
"91% combine injection + code" Not verified LinkedIn post stat, not in Snyk blog. Excluded from integration.
CVE-2026-24052 (SSRF Claude Code) Yes SentinelOne vulnerability database
CVE-2025-66032 (8 bypasses) Yes Flatt Security research

Score Justification

4/5 (High Value) — not 5/5 because:

  • The guide already covers ~70% of the scope (security-hardening.md §1.1-1.4)
  • This is an enrichment (updated stats, new tool, new section), not a gap-from-scratch
  • Snyk stats are more recent and larger corpus than existing SafeDep data
  • mcp-scan fills a concrete tooling gap
  • The .claude/ attack surface section addresses a real blind spot

Integration Plan

  1. §1.1 CVE Summary: +2 CVEs (CVE-2026-24052, CVE-2025-66032)
  2. §1.2 Supply Chain: Replace SafeDep stats with Snyk (larger corpus), add mcp-scan
  3. MCP Safe List: Add mcp-scan entry
  4. New §1.5: Malicious Extensions (.claude/ Attack Surface) with audit checklist
  5. reference.yaml: Add entries for new sections

References