RESEARCH 21 March 2026 5 min read

The 25% Problem: Why Most AI Agent Skills Have Hidden Vulnerabilities

SkillShield Research Team

Security Research

Published: March 21, 2026 Target: skillshield.dev/blog Slug: the-25-percent-problem-ai-agent-skills-vulnerabilities Keywords: AI agent skills vulnerability, prompt injection AI 2026, AI agent security scanner, MCP server vulnerabilities, AI skill vulnerability checker Category: SECURITY One in four AI agent skills has at least one security vulnerability.

That's the finding from analysis of over 30,000 skills across major registries. 25% of the skills developers are installing — running with access to their file systems, API keys, and development environments — contain vulnerabilities that could be exploited.

The number gets worse when you look at the broader landscape. 73% of production AI systems remain vulnerable to prompt injection, the attack class that OWASP ranked as the top LLM security risk. Prompt injection is also the primary delivery mechanism for the most dangerous skill-level attacks: tool poisoning, goal hijacking, and credential exfiltration.

These aren't theoretical risks. They're measured rates in production systems that developers are running right now.

What the 25% Actually Looks Like

Not every vulnerability is the same. The 25% breaks down into categories that map to real attack patterns:

Prompt Injection in Tool Descriptions

The most common finding. Tool descriptions — the text that tells an AI agent what a tool does — can contain hidden instructions that redirect the agent's behavior. A skill that says it "summarizes web pages" might include a description that instructs the agent to also exfiltrate the content to an external URL.

This is subtle because the skill's code might be completely clean. The attack lives in the metadata, not the implementation. Traditional code scanners miss it entirely.

Over-Permissioned Access

Skills that request broader permissions than their function requires. A calendar integration that asks for filesystem write access. A text formatting tool that requests network permissions. A code linter that wants access to environment variables.

Each unnecessary permission is an attack surface. If a skill is compromised through any vector — prompt injection, dependency poisoning, update hijacking — the blast radius is determined by its permissions. A skill with minimal permissions can be compromised but can't do much. A skill with filesystem + network + shell access can exfiltrate anything on the machine.

Hard-Coded Secrets

API keys, tokens, and credentials embedded directly in skill definition files. This is the simplest vulnerability class but surprisingly persistent. Developers hard-code credentials during development and forget to remove them before publishing. The credentials then sit in a public registry, accessible to anyone who downloads the skill.

Supply Chain Poisoning

Skills that impersonate trusted packages through typosquatting, or legitimate skills whose dependencies have been compromised. The ClawHavoc campaign demonstrated this at scale — 341 malicious skills distributed through ClawHub using names designed to look like popular packages.

Why 73% of Systems Are Still Vulnerable

Prompt injection has been the documented #1 AI vulnerability since OWASP first published the LLM Top 10. Two years later, 73% of production systems remain vulnerable.

The persistence isn't because developers don't care. It's structural:

Detection is hard. Prompt injection doesn't look like traditional malware. It's natural language text that instructs the AI to do something unintended. There's no binary signature, no known-bad hash, no CVE to patch. Detecting it requires understanding what the text means, not just what it contains.

The attack surface keeps expanding. Every new tool, plugin, MCP server, and skill your agent connects to is a new injection surface. The agent reads the tool description. The description is user-controllable content from a third-party registry. The agent trusts it.

Runtime defenses are incomplete. Prompt guards and input filtering help, but they operate on the input side. Supply chain attacks bypass input filtering entirely — the malicious instructions come from the tool itself, not from user input.

What This Means for Your Stack

If you're running AI agents with any of the following, the 25% statistic applies to you:

  • MCP servers from public registries
  • ClawHub skills that haven't been audited
  • Third-party plugins for agent frameworks (LangChain, CrewAI, AutoGPT)
  • Custom tools built by your team without security review

The question isn't whether you have vulnerable skills. At a 25% rate, if you're using more than four skills, statistically at least one of them has a finding.

The Fix: Scan Before You Install

The vulnerability rate drops dramatically when skills are scanned before installation. SkillShield has scanned 33,746 AI extensions across six registries and blocked 533 malicious entries — a 99.8% detection rate.

The scanning process checks for:

  • Prompt injection in tool descriptions and skill metadata
  • Over-permissioned access patterns relative to stated function
  • Hard-coded secrets in definitions and configurations
  • Supply chain indicators — typosquatting, suspicious dependencies, known malicious signatures
  • Dangerous code patterns — eval, exec, shell invocation, path traversal

Three ways to check:

1. Browse the scored directory

33,746 extensions pre-scanned. Check any skill's security status before you download it.

Browse the directory

2. Scan locally

npm install -g skillshield
skillshield scan ./SKILL.md

Run the CLI against any skill definition on your machine. Results include specific findings with severity and remediation guidance.

3. Scan MCP servers

skillshield.dev/mcp — free, instant scans for MCP servers specifically.

Don't Be a Statistic

25% of skills have vulnerabilities. 73% of AI systems are exposed to prompt injection. These numbers only matter if your stack is in them.

One scan takes less time than reading this article. Check your skills before they become someone else's access point.

Scan now — free, no signup

Sources: Analysis of 30,000+ AI agent skills across major registries; USCS Institute, "What Is AI Agent Security" (2026); Dev.to practitioner coverage on prompt injection rates; National CIO Review, "Security in 2026: New Ways Attackers Are Exploiting AI Systems."

Catch risky skills before they run.

SkillShield scans skills, MCP servers, and prompt-bearing tool surfaces before they reach production.

Get early access

Share this article

Share on X Share on LinkedIn
Back to all articles