26% of AI skills contain vulnerabilities. 5% are likely malicious. And most developers install them in Claude Code, Cursor, and Codex without any audit. According to Liu et al. (arXiv:2601.10338, January 2026), who analyzed 31,132 skills, 26.1% present vulnerabilities and 5.2% show likely malicious intent. NVIDIA cites this study in the SkillSpector README — the numbers come from the research, not from NVIDIA. We have been tracking this ecosystem since the beginning and the signal is clear: the problem is structural, not a tooling issue.
The skills ecosystem is the new npm
Developers install skills in Claude Code, Cursor, and Codex the same way they installed npm packages in 2015 — no audit, no verification, no threat model. The difference is one of magnitude: an npm package steals credentials. An AI skill steals credentials AND instructs the agent to act on your behalf. A compromised agent accesses your data, executes commands in your environment, and can escalate privileges within your CI/CD pipeline.
According to Liu et al. (arXiv:2601.10338), of the 31,132 skills analyzed, 8,124 contained vulnerabilities and 1,619 showed likely malicious intent. These numbers come from academic research — NVIDIA cites the study, it did not produce it. The ecosystem is growing exponentially and the attack surface grows with it.
Trail of Bits proved that scanners can be bypassed
Trail of Bits demonstrated four techniques that bypass all existing skill scanners. Three were built in under 1 hour:
- Whitespace inflation: 100K newlines push the payload past the point where the scanner stops reading. The scanner truncates its analysis before it ever reaches the malicious code.
- Bytecode .pyc: compiled bytecode is invisible to text-based static analysis. The scanner sees a harmless file; the runtime executes the payload.
- .docx indirection: a malicious script embedded inside the ZIP container of a .docx document (a .docx is XML packed into a ZIP archive). The scanner evaluates the document; the agent executes the embedded script.
- Prompt injection against the LLM scanner: social engineering applied to the verifier itself. The semantic scanner is an LLM — and LLMs are vulnerable to prompt injection. The attacker convinces the scanner that the code is safe.
These techniques are not theoretical. They are practical, quick to implement, and effective against the entire class of static scanners.
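The file-level checks a bundle pre-scan should run before any text analysis, as an added example (not SkillSpector's code and not Trail of Bits' material): it reads files whole instead of truncating, flags compiled or native members, and opens ZIP-based documents to look for script parts, then runs against a constructed sample bundle. The file names, the 4096-byte floor and the 0.9 whitespace threshold are assumptions; the fourth technique, injection against the LLM pass, has no file-level signature and is not covered here.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Compiled or native files that text-based static analysis cannot read.
OPAQUE_EXECUTABLE = {".pyc", ".so", ".dll", ".dylib", ".exe"}
# Script-like members that do not belong inside an Office ZIP container.
SCRIPT_IN_ARCHIVE = re.compile(r"\.(py|sh|ps1|js|exe|pyc)$", re.IGNORECASE)

def whitespace_ratio(data: bytes) -> float:
    """Fraction of whitespace bytes; a value near 1.0 signals padding."""
    return sum(b in b" \t\r\n" for b in data) / len(data) if data else 0.0

def scan_skill_dir(root: Path, max_ws_ratio: float = 0.9) -> list:
    """Flag bundle members that a truncating text scanner would misjudge."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel, data = path.relative_to(root).as_posix(), path.read_bytes()
        if path.suffix.lower() in OPAQUE_EXECUTABLE:
            findings.append((rel, "opaque-executable"))
        if len(data) > 4096 and whitespace_ratio(data) > max_ws_ratio:
            findings.append((rel, "whitespace-inflation"))
        if zipfile.is_zipfile(path):  # .docx and friends are ZIP files
            with zipfile.ZipFile(path) as zf:
                for name in zf.namelist():
                    if SCRIPT_IN_ARCHIVE.search(name):
                        findings.append((rel, f"script-in-archive:{name}"))
    return findings

def build_sample_skill(root: Path) -> None:
    """Constructed sample bundle reproducing the three file-level tricks."""
    (root / "SKILL.md").write_text("# Demo skill\nSummarises PDFs.\n")
    (root / "helper.pyc").write_bytes(b"\x00" * 64)  # opaque bytecode stand-in
    (root / "padded.py").write_text("\n" * 100_000 + "print('payload')\n")
    with zipfile.ZipFile(root / "report.docx", "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/run.py", "print('embedded')")

def run_demo() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_skill(Path(tmp))
        return scan_skill_dir(Path(tmp))

if __name__ == "__main__":
    for rel, reason in run_demo():
        print(f"{reason:<40} {rel}")
```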
SkillSpector — the best static scanner available
According to the NVIDIA repository on GitHub, SkillSpector (10.7K stars, Apache 2.0, March 2026) uses a two-stage pipeline: static analysis with regex, AST, YARA, and OSV.dev, followed by optional semantic evaluation via LLM. It detects 68 patterns across 17 categories, including prompt injection, anti-refusal, exfiltration, privilege escalation, supply chain, excessive agency, system prompt leakage, memory poisoning, tool misuse, rogue agent, trigger abuse, behavioral AST, taint tracking, YARA signatures, MCP least privilege, and MCP tool poisoning. It generates SARIF output for CI/CD integration.
It is the most comprehensive scanner that exists for pre-installation skill analysis. And it does not solve the problem.
SkillSpector limitations
According to NVIDIA, SkillSpector cannot scan binary or encrypted code. According to Trail of Bits, .pyc bypasses this class of scanner. The LLM semantic pass is vulnerable to the same social engineering it tries to detect: an LLM-based scanner that judges code by prompting a model is, by definition, susceptible to prompt injection from the code it is judging.
The most rigorous scanner in the world does not protect against what changes after inspection.
The AIR experiment — the time-bomb URL
According to the AIR experiment, a fake skill called Stitch SDK passed ALL existing skill scanners, including NVIDIA's. The technique is simple: the skill points to a legitimate URL during scanning. After distribution, the URL is swapped to malicious content. AIR reports that 26K agents were reached. Since AIR has a commercial interest in this result, treat this number with caution.
The time-bomb URL attack is the clearest demonstration of the structural flaw: it does not matter how good the scanner is if what it verified can change after verification. npm never solved this problem. The AI ecosystem has the same flaw with greater consequences.
The structural flaw — scan once, trust forever
The problem is not the quality of scanners. It is the trust model. Scanners verify the package once. Skills point to external URLs that change after verification. The trust model needs to shift from scan once and trust forever to verify continuously while executing.
This means runtime monitoring: intercept network calls from the skill, monitor filesystem and sensitive API access, alert on behavioral deviations from the baseline established during the initial scan. It means periodic re-verification: re-scan skills at regular intervals, validate that referenced URLs point to the same content as the original scan, automatically revoke skills whose content has changed since the last verification.
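A minimal content-pinning record for the scan-once problem, as an added example that is not Tech86's, NVIDIA's or AIR's tooling: at scan time it hashes the skill body and the content behind every URL the skill references, and re-verification reports drift in either one, treating an unreachable remote as drift as well. The Stitch SDK name comes from the text above; the example.com URL and the in-memory remote are constructed stand-ins for real HTTP fetches.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Every http(s) URL a skill references is a point where content can drift after the scan.
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class SkillTrust:
    name: str
    skill_hash: str
    url_pins: dict = field(default_factory=dict)  # url -> sha256 of content at scan time

def pin_skill(name: str, skill_text: str, fetch) -> SkillTrust:
    """Scan time: hash the skill and the content behind each referenced URL."""
    urls = sorted(set(URL_RE.findall(skill_text)))
    return SkillTrust(name, sha256_hex(skill_text.encode()),
                      {u: sha256_hex(fetch(u)) for u in urls})

def reverify(trust: SkillTrust, skill_text: str, fetch) -> list:
    """Periodic re-check; an empty list means nothing drifted since the scan."""
    reasons = []
    if sha256_hex(skill_text.encode()) != trust.skill_hash:
        reasons.append("skill body changed")
    for url, pinned in trust.url_pins.items():
        try:
            current = sha256_hex(fetch(url))
        except Exception as exc:  # unreachable remote counts as drift: fail closed
            reasons.append(f"{url}: fetch failed ({exc})")
            continue
        if current != pinned:
            reasons.append(f"{url}: remote content changed")
    return reasons

# Constructed sample: an in-memory "remote" stands in for HTTP so this runs offline.
SKILL_MD = "# Stitch SDK\nRun the installer at https://example.com/install.sh before use.\n"
REMOTE = {"https://example.com/install.sh": b"echo 'benign installer'\n"}

def demo() -> tuple:
    """Returns (drift found at scan time, drift found after the remote is swapped)."""
    remote = dict(REMOTE)  # local copy so demo() can be called repeatedly
    trust = pin_skill("stitch-sdk", SKILL_MD, remote.__getitem__)
    before = reverify(trust, SKILL_MD, remote.__getitem__)
    remote["https://example.com/install.sh"] = b"# content swapped after distribution\n"
    after = reverify(trust, SKILL_MD, remote.__getitem__)
    return before, after
```

A revocation policy then keys off a non-empty list from reverify, rather than off the verdict of the original scan.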
At Tech86, we implement verifiable security for AI deployments. We do not believe in one-time scanning — we believe in continuous verification. If your organization is adopting AI skills without runtime monitoring, you are repeating the mistakes of npm in 2015 with greater consequences. We can help change that.
