reddit.com via Reddit

Claude Skills Study Flags 26% Vulnerability Rate

anthropic agents cybersecurity security agents mcp

Key insights

  • 26.1% of 31,132 analyzed agent skills contained at least one security vulnerability spanning prompt injection, exfiltration, and privilege escalation.
  • Skills bundling executable scripts are 2.12 times more likely to carry vulnerabilities than instruction-only packages.
  • Data exfiltration (13.3%) and privilege escalation (11.8%) were the two most prevalent vulnerability types in the full corpus.

Why this matters

A 26% vulnerability rate across 31,000 production skills means most enterprise Claude Code deployments have almost certainly installed at least one compromised package without any detection. Privilege escalation and data exfiltration patterns embedded in skills create a direct pivot path from a compromised AI tool into broader organizational infrastructure, a threat vector most corporate security teams have not yet modeled or included in their attack surface assessments. The structural finding that script-bundling doubles vulnerability likelihood gives Anthropic a concrete, actionable policy lever, but the window to enforce it narrows as the skills ecosystem grows and entrenches.

Summary

A peer-reviewed analysis of 31,132 real-world agent skills found 26.1% contained at least one security vulnerability. Data exfiltration (13.3%) and privilege escalation (11.8%) were the most common patterns, with prompt injection and supply-chain compromise rounding out the threat surface. The study, drawn from arXiv paper 2601.10338 and surfaced via r/ClaudeAI, found skills bundling executable scripts were 2.12 times more likely to be vulnerable than instruction-only packages, flagging the script-bundling model itself as a structural risk rather than an edge case. Essentially: (Claude Code users, arXiv security researchers) are now reckoning with an unvetted skills marketplace at scale. - Script-bundling is the single highest-risk structural pattern the study identified. - The Reddit post included a practical pre-install checklist, triggering a first-time audit wave among practitioners. The skills distribution model is operating without the security scanning infrastructure that npm and PyPI spent years building after their own supply-chain crises.

Potential risks and opportunities

Risks

  • Claude Code enterprise users who installed skills before this audit surfaced face undetected data exfiltration that may have already exposed internal API keys, proprietary system prompts, or sensitive context
  • Anthropic faces regulatory and reputational exposure if a documented privilege escalation via a published skill leads to a confirmed breach at an enterprise customer within the next 90 days
  • If Anthropic launches a formal skills marketplace without mandatory pre-publication scanning, it inherits this vulnerability baseline at launch and becomes liable for vetting failures at scale

Opportunities

  • AI supply-chain security vendors (Snyk, Socket.dev, Endor Labs) can target Claude Code's practitioner base with skills-scanning tooling adapted directly from their existing package-registry audit pipelines
  • Anthropic can differentiate its enterprise tier by launching a verified-skills certification program with mandatory static analysis before publication, creating a trust signal competitors lack
  • AI security consultancies (Trail of Bits, NCC Group) gain a well-scoped audit offering to pitch enterprises already running Claude Code in production, with the arXiv study as a ready-made risk justification

What we don't know yet

  • Whether Anthropic has reviewed the arXiv 2601.10338 findings and has any mandatory security scanning planned for the Claude Code skills distribution channel
  • Whether the flagged vulnerabilities represent deliberate insertion by malicious publishers or developer negligence; the study surfaces patterns but does not distinguish intent
  • Which specific skill publishers or categories account for the highest concentration of the 26.1% vulnerable packages in the 31,132-skill corpus

Originally reported by reddit.com

Read the original article →

Original headline: r/ClaudeAI: 1-in-4 Agent Skills Contained Security Vulnerabilities in Analysis of 31,132 Real Skills — Prompt Injection, Exfiltration, Privilege Escalation