/ aiJuly 18, 20266 min read

Agent skills run with your permissions. Nobody's checking them.

We ran 32 of the most-starred agent skills through a security scanner. Popularity told us almost nothing about safety — and there's no trust layer for any of it. Here's what we found, and why it's a category waiting to happen.

The fastest-growing corner of open source right now isn't apps. It's skills — the little packs of instructions you drop into Claude Code, Cursor, or Codex to make a generic agent behave like a specialist. They're topping the GitHub trending charts every week, and teams are installing them by the handful.

Here's the part nobody's talking about: a skill is instructions that run with your agent's permissions. Your files, your shell, your credentials, your deploy keys. Installing a skill is closer to curl | sh than to reading a blog post — and the entire ecosystem is discovered by exactly one signal. Star count.

So we asked a simple question: does that signal mean anything?

We built a scanner and pointed it at the trending shelf

We pulled the 32 most-starred agent-skill repositories and ran each through a validation pass — scanning the actual skill files for remote-execution, credential and secret access, and destructive commands, then folding in freshness and provenance to produce a single trust score. Then we compared that score against raw star rank.

The two barely agreed.

  • Only one of the five most-starred skills stayed in the top five once we scored for trust. The rest of the "most popular" shelf reshuffled completely.
  • Three of the 32 carried critical patterns — pipe-to-shell execution or data being sent to an external endpoint. Two of those had well over 15,000 stars each. Popularity was actively hiding them.
  • Roughly a third touched secrets, environment variables, or destructive shell commands.

Read that back. The thing every developer uses to decide which skill to trust — how many stars it has — is uncorrelated with whether the skill is safe to run. Some of the most-starred packs scored the worst.

The honest caveat (and why it's the whole opportunity)

We're not here to name and shame anyone, and we won't — because a first-pass scanner over-flags on purpose. A security-research skill should read credentials; that's its job. A perfectly legitimate skill that reads an environment variable to do real work trips the same wire. Our scan measures surface area, not confirmed malice.

That's not a weakness in the finding. It's the finding.

Catching risky patterns is easy — a weekend of regex. The hard, valuable problem is turning a flag into a verdict: running the skill in a sandbox, tracing whether a secret it reads actually leaves the machine, weighing provenance and maintenance. That's the layer nobody has built. It's the difference between a smoke alarm that shrieks at toast and one you actually trust.

Why this is a category, not a feature

Every real platform shift grows a trust layer once the surface gets big enough to be worth attacking. Package registries got npm audit and Socket. App stores got review. Browser extensions got permission prompts and store vetting. Agent skills are on the same curve — exploding adoption, real permissions, zero gatekeeping — and right now the check is "it has a lot of stars, probably fine."

That gap is exactly the kind of thing we like to build into: high-value data or actions, guarded by a surface nobody has made trustworthy yet.

What we'd tell you if you're shipping agents today

  1. Treat a skill like a dependency, not a document. It executes with your permissions. Read it — or the shell scripts it ships — before you install it.
  2. Stop using stars as a safety signal. They measure attention, not trust. The two are barely related.
  3. Assume the trust layer is coming. The teams that win the next phase of agent tooling are the ones treating skills as governed infrastructure now, not novelty later.

We built the scanner as a proof of concept. The report behind these numbers — with the specifics — is something we share directly. If you're wrestling with agent governance, come talk to us.