Are Claude skills safe in 2026? What the Snyk ToxicSkills audit actually found
A recent audit of Claude Code skills revealed significant security vulnerabilities, with over 13% containing critical issues and 36% exhibiting prompt-injection payloads. These malicious skills can exfiltrate sensitive data like SSH keys or execute harmful commands, often disguised within skill descriptions using invisible characters or base64 encoding. The findings highlight the urgent need for users to carefully vet skills before installation, especially as Anthropic's recent subscription changes may increase scrutiny on skill usage and associated costs. AI
IMPACT Vulnerabilities in AI agent skills necessitate user caution and may influence future development and marketplace curation.