 | Snyk's ToxicSkills scan flagged 76 credential-stealing payloads across ~4,000 public agent skills. No marketplace currently code-signs or vets these before install. Made a free scanner — no signup, no key: curl -s --data-binary u/SKILL.md https://skillsguard.apiskillsguard.workers.dev/scan | jq . 151 rules (prompt injection, exfil, persistence, obfuscation incl. base64/Unicode-tag tricks). CLI + MCP server if you want Claude to auto-audit skills before trusting them: github.com/Teycir/SkillsGuard [link] [comments] |
![[link]](https://i.redd.it/p6ctxrdk0b8h1.gif){kind=link}
from hacking: security in practice https://ift.tt/J5gV1P0
Comments
Post a Comment