26% of Agent Skills Have Vulnerabilities: The Supply Chain Problem
Cisco's security research team analyzed 31,000 agent skills in January 2026.
Their finding: 26% contained at least one security vulnerability.
One in four. The skills your agent loads and trusts implicitly.
What's a "Skill"?
OpenClaw's skill system lets you extend agent capabilities. Community plugins. Folders of code that get loaded as trusted.
No vetting. No code signing. No review process.
You install a skill. It runs with your agent's full permissions. It can read your files, make API calls, execute commands.
The skill repo is a popularity contest. Downloads and stars determine visibility. A researcher proved how dangerous this is.
The Backdoor Experiment
A security researcher uploaded a backdoored skill to a community repo. Gamed the download count. Within hours, dozens of developers had installed it.
His payload was harmless—a proof of concept.
His point wasn't:
"Had I been malicious, those users would have had their SSH keys, AWS credentials, and entire codebases exfiltrated before they knew anything was wrong."
Why 26% Is Actually Conservative
Cisco's research looked for known vulnerability patterns. The actual number is likely higher because:
- Novel attack vectors aren't in the detection rules
- Obfuscated payloads bypass static analysis
- "Vulnerabilities" doesn't include intentional backdoors
The supply chain attack surface is real. npm had this problem. PyPI had this problem. Now agent skills have this problem.
What This Means for Production
Every skill you load is code you didn't write running with your agent's permissions.
Your agent can:
- Read your filesystem
- Access your credentials
- Make network calls
- Execute shell commands
A malicious skill inherits all of that. No sandbox. No isolation. Full access.
The Uncomfortable Question
How many skills are running in your agent right now?
Did you read the source code for each one? Did you audit them for vulnerabilities? Do you re-audit when they update?
Most teams don't. Most teams can't—there's not enough time.
Mitigation Options
Manual: Audit every skill before deployment. Fork repos so updates don't auto-propagate. Review changes before upgrading.
Cost: 10-20 hours per skill, ongoing maintenance.
Automated: Skill scanning before deployment. Sandboxed execution. Integrity checksums. Alerts on modification.
Clawctl's approach: curated skills only, sandboxed execution, modification alerts. Automated scanning is on the near-term roadmap.
The Tradeoff
You can audit manually. Some teams do.
Or you can accept that the skill ecosystem is an attack vector and deploy with guardrails that limit blast radius.
Either way—don't pretend the 26% doesn't apply to you.