The week AI skill security became unavoidable
Three things happened in the same five-day window in March 2026 that made "trust your skills" no longer a defensible position.
March 17: Chainguard Agent Skills goes live. Chainguard — the company that brought container image verification to the DevOps mainstream — shipped a verified skill marketplace for AI agents. Their announcement cited the same statistic Snyk published in February: over 335 credential-leaking skills were found in OpenClaw's public ClawHub marketplace before takedown. Chainguard's solution is curation: a signed, audited catalog that only lists skills that passed their review process.
Same week: Lakera publishes the malicious skill ecosystem report. Their dataset documented 39 distinct malicious skills with 2,200+ payload variants — different obfuscation methods, different delivery vectors, same end goal: run arbitrary code inside a trusted agent session. The variants matter because they reveal an evasion strategy: if one payload signature gets blocked, 56 others exist. Point-in-time signature matching doesn't win this fight.
Same week: CrowdStrike names the post-install pattern. CrowdStrike's agentic threat research team coined "rugpull attack" for a specific failure mode: a skill passes initial inspection, gets installed and trusted, then a silent update swaps in malicious behavior. Their framing confirms what SkillShield's design was already built around — the problem is not just what you install, but what it becomes after installation.
Together, these three signals describe the same gap from three different directions: the market is aware of the risk, a funded player just validated it as a product category, and the threat model now has a name practitioners will search for.
What a rugpull attack actually looks like
A rugpull in the AI skill context follows a predictable pattern:
- Install phase: A skill is published with legitimate-looking functionality. It passes a basic metadata review. It gets listed in a marketplace. A developer installs it.
- Trust accumulation: The skill runs normally for days or weeks. It builds up permission grants, gets added to automation pipelines, is trusted by the agent runtime to handle sensitive tool calls.
- Swap phase: The skill's author (or a compromised account) pushes an update. The update changes a single function — often something deep in a dependency chain or in a rarely-executed code path.
- Execution: On the next invocation, the skill runs the new payload. By the time the behavior is noticed, the session may have already leaked credentials, exfiltrated memory, or issued API calls under the agent's identity.
CrowdStrike documented three distinct rugpull variants in their March 2026 research: dependency-level swaps (the malicious code enters through a nested package update), update-triggered activation (the payload sits inert until a specific version tag is present), and conditional execution (the payload only runs when certain environment variables or host fingerprints match, avoiding activation in sandboxed review environments).
The third variant is the hardest to catch with static analysis or pre-install review. It's designed to look clean until it's in your environment.
Why curated marketplaces don't fully solve this
Chainguard's launch is a meaningful step. A curated, signed catalog reduces the chance of installing a known-bad skill. But curation alone has three structural limits:
1. Curation is a snapshot. A skill that passes review at publication can change after it's in your environment. Chainguard's model, like npm's audit tooling, reviews what exists at a point in time — not what the skill will be six months from now.
2. Your existing installs aren't covered. If you installed skills before March 17, 2026, they didn't go through Chainguard's process. A curated marketplace protects new installs on that marketplace; it says nothing about the 40 skills you already have running.
3. Most enterprise teams won't use a single marketplace. Teams will pull skills from ClawHub, npm, GitHub, internal registries, and vendor-published packages. No single marketplace can audit all of them.
Curation and runtime scanning are complementary layers, not substitutes. Chainguard reduces the attack surface at install for their catalog. Continuous post-install scanning covers everything else.
What an actual audit looks like
Here's what a complete skill audit involves — independent of which tool you use:
Step 1: Enumerate installed skills.
Before you can audit, you need a complete inventory. This includes skills declared in your config files, skills installed as npm/pip packages, skills embedded in Docker images, and skills loaded dynamically at runtime. Many teams discover skills they didn't know were running during this step.
Step 2: Check skill identity against known registries.
A skill that claims to be skillshield-dev/[email protected] should match the signed hash in the registry it was published to. If the on-disk hash doesn't match the registry record, something changed outside of the official update process. This is the core check for detecting compromised or modified skills.
Step 3: Inspect capability declarations against actual runtime behavior.
A skill that declares it only needs read access to two specific tools shouldn't be making outbound HTTP calls or accessing filesystem paths. Behavioral drift between declared capabilities and observed calls is an early indicator of post-install modification.
Step 4: Check for known payload patterns across the dependency tree.
Lakera's 2,200+ variant dataset means signature matching alone won't catch everything, but it will catch the lazy implementations. A scan against known-bad payload patterns across the full dependency tree — not just the top-level skill — catches the majority of cases in the wild.
Step 5: Establish a drift baseline and monitor continuously.
The rugpull attack only works if the swap goes unnoticed. Setting a cryptographic baseline for each installed skill and running diffs against that baseline on each update catches swaps before they execute.
The query cluster that's forming now
Based on community threads and search data from the last 7 days, the following query clusters are currently unowned:
how to audit AI agent skills— no dedicated result exists; answers are buried in generic AI security postsAI skill security scanner— mostly landing on generic tool pages, not practitioner guidesMCP rugpull attack— CrowdStrike's own post plus two news articles, no how-to contentAI agent tool drift detection— zero owned pages matching the exact phrasemalicious skill detector— thin results, no authoritative practitioner resource
This content addresses all five with specifics. The window is open because the vocabulary was only formally introduced this week.
The bottom line
A curated marketplace is a filter at the front door. It matters. But it doesn't audit what you installed last month, it doesn't watch for post-install drift, and it doesn't cover every source your team pulls from.
The threat model CrowdStrike named this week — the rugpull — is a post-install problem by definition. The defenses that match that threat model are also post-install: continuous scanning, behavioral drift detection, and cryptographic verification that runs every time a skill is invoked, not just at installation.
That's the audit layer Chainguard's launch confirms the market is ready to pay for.
Sources: Chainguard Agent Skills launch announcement | Lakera malicious skill ecosystem report | CrowdStrike rugpull attack research | Snyk OpenClaw credential leaks research