A skill is the unit of capability extension for an AI agent. In Claude's ecosystem, a SKILL.md file declares what the skill does, what tools it needs, and what permissions it requests. In MCP (Model Context Protocol), a server package exposes typed tools the agent can call. In OpenClaw, ClawHub, and Skills.sh, skills follow registry-specific manifests. The common shape: a manifest describes intent, the agent reads the manifest, the agent decides to install or invoke.
The security risk lives in two places. At install time, the agent (or user) reads the skill manifest and decides to install it. If the manifest is dishonest — claims to do X but actually does Y — the user is deceived. At runtime, every invocation re-reads the tool descriptions, so a poisoned description acts every time. Unlike browser extensions (one-time install consent) or mobile apps (App Store review), agent skills have no central review process today.
PanGuard's Wild Scan (2026-04) crawled 96,096 skill entries across ClawHub (36,378), OpenClaw (56,503), Skills.sh (3,115), and a Hermes-protocol sample (100). Of the 67,799 that had parseable content, 1,096 (1.6%) were confirmed malicious and 11,324 had at least one threat signal. 249 packages combined shell access, network calls, and filesystem operations — the "triple threat" combination that lets a compromised skill exfiltrate data, install backdoors, and persist. 122 packages had postinstall scripts that ran code before any review.
The fix is twofold. PanGuard Skill Auditor runs 8 pre-install checks against the manifest and code. PanGuard Guard enforces ATR rules at runtime so even an installed skill cannot exfiltrate, escalate, or persist beyond declared permissions. Adam Lin: "The npm ecosystem took 12 years to grow npm audit. The agent ecosystem cannot afford the same wait. Skill Auditor is what npm audit should have been from day one."