971a297db3
- Add threat-db.yaml v2.0.0 with 63 malicious skills, 22 CVEs, 4 campaigns - Add /security-check, /security-audit, /update-threat-db slash commands - Add Snyk ToxicSkills evaluation (58th resource evaluation) - Fix cheatsheet: add Alt+T to keyboard shortcuts table, add /fast and /debug commands - Update Features Meconnues table with Agent Teams and Auto-Memories - Clean up cheatsheet.md.bak - Bump version to 3.26.0 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
3.5 KiB
3.5 KiB
Resource Evaluation: Snyk ToxicSkills — Malicious AI Agent Skills Audit
| Field | Value |
|---|---|
| Resource | Snyk ToxicSkills Blog |
| Type | Security research + open-source tool |
| Published | 2026-02-05 |
| Relayed by | Victor Langlois (LinkedIn) |
| Score | 4/5 (High Value) |
| Action | Integrated — enriched security-hardening.md (CVE, stats, new section §1.5) |
Summary
Snyk scanned 3,984 AI agent skills across ClawHub and skills.sh marketplaces, finding:
- 36.82% (1,467 skills) contain security flaws
- 534 skills flagged critical (malware, prompt injection, exposed secrets)
- 76 malicious payloads identified (credential theft, backdoors, data exfiltration — 8 still active on ClawHub at publication)
- 10.9% of ClawHub skills contain hardcoded secrets
- 2.9% fetch and execute remote content dynamically
- mcp-scan: open-source tool achieving 90-100% recall on confirmed malicious skills, 0% false positives on top-100 legitimate skills
Gap Analysis
| Topic | Before (guide) | After |
|---|---|---|
| Supply chain stats | 8-14% (SafeDep) | 36.82% (Snyk, 3,984 skills corpus) |
| Audit tools | skills-ref validate | + mcp-scan (Snyk) |
| Attack categories | Generic (injection, exfil, privesc) | 8 detailed policies (hardcoded secrets, remote prompt exec, malicious downloads) |
| .claude/ attack vector | 1-line mention (line 199) | Full section §1.5 with checklist |
| Malicious hooks/commands | Not covered | Documented with audit checklist |
| Recent CVEs | 5 CVEs (2025) | + CVE-2026-24052, CVE-2025-66032 |
Fact-Check
| Claim | Verified | Source |
|---|---|---|
| 3,984 skills scanned | Yes | Snyk blog |
| 36.82% with flaws (1,467/3,984) | Yes | Snyk blog |
| 534 critical | Yes | Snyk blog (13.4% of total) |
| 76 malicious payloads | Yes | Snyk blog (8 still active on ClawHub) |
| mcp-scan 90-100% recall | Yes | Snyk blog (0% FP on top-100 legit) |
| "91% combine injection + code" | Not verified | LinkedIn post stat, not in Snyk blog. Excluded from integration. |
| CVE-2026-24052 (SSRF Claude Code) | Yes | SentinelOne vulnerability database |
| CVE-2025-66032 (8 bypasses) | Yes | Flatt Security research |
Score Justification
4/5 (High Value) — not 5/5 because:
- The guide already covers ~70% of the scope (security-hardening.md §1.1-1.4)
- This is an enrichment (updated stats, new tool, new section), not a gap-from-scratch
- Snyk stats are more recent and larger corpus than existing SafeDep data
- mcp-scan fills a concrete tooling gap
- The .claude/ attack surface section addresses a real blind spot
Integration Plan
- §1.1 CVE Summary: +2 CVEs (CVE-2026-24052, CVE-2025-66032)
- §1.2 Supply Chain: Replace SafeDep stats with Snyk (larger corpus), add mcp-scan
- MCP Safe List: Add mcp-scan entry
- New §1.5: Malicious Extensions (.claude/ Attack Surface) with audit checklist
- reference.yaml: Add entries for new sections
References
- Snyk ToxicSkills: snyk.io/blog/toxicskills
- mcp-scan: github.com/snyk/mcp-scan
- CVE-2026-24052: SentinelOne
- CVE-2025-66032: Flatt Security
- SafeDep (previous source): safedep.io/agent-skills-threat-model