Anthropic Skill Scanners Passed Every Check. The Malicious Code Rode in on a Test File.
Why It Matters
The blind spot lets attackers exfiltrate credentials at install time, bypassing all existing scanners and widening the attack window for CI pipelines.
Key Takeaways
- Gecko proved test files execute with full local permissions in Skills.
- 26% of 31k Anthropic Skills contain at least one vulnerability.
- Snyk identified 76 malicious Skills, 13.4% critical issues.
- Cisco, Snyk, VirusTotal scanners ignore bundled test files.
- Adding .agents/ to test runner ignore list blocks the exploit.
Pulse Analysis
The rapid adoption of Anthropic‑powered AI agents has spawned a new class of reusable components called Skills. Marketplaces such as ClawHub and skills.sh host thousands of these packages, and vendors have responded with scanners that analyze the SKILL.md file and any scripts the agent may invoke. However, the scanners were built around the assumption that execution only occurs inside the agent runtime. Gecko Security’s research uncovered a supply‑chain bypass: test files (e.g., *.test.ts) bundled with a Skill are automatically discovered and executed by popular JavaScript test frameworks like Jest, Vitest, and Mocha, granting the payload unrestricted access to the developer’s environment, including CI secrets and SSH keys.
This oversight mirrors earlier npm supply‑chain attacks where post‑install scripts or malicious plugins executed with elevated trust. The recent SkillScan study of 31,132 Skills found 26% with at least one vulnerability, while Snyk’s ToxicSkills audit flagged 13.4% of 3,984 Skills as critical, including 76 confirmed malicious packages. Yet the three leading Anthropic scanners—Snyk Agent Scan, Cisco’s AI Agent Security Scanner, and VirusTotal Code Insight—continue to ignore the test‑file surface, leaving a large attack vector unmonitored. In CI pipelines, where environment variables often contain deployment tokens and cloud credentials, a rogue test file can silently exfiltrate data before any human review, compressing the patch‑to‑exploit window to minutes.
Mitigating this risk requires a shift from intent‑only scanning to execution‑surface hardening. Simple configuration changes—adding the .agents/ directory to Jest’s testPathIgnorePatterns or Vitest’s exclude list—prevent test runners from traversing installed Skill directories. Organizations should also enforce CI checks that reject any *.test.* or conftest.py files inside .agents/skills, and pin Skill installations to immutable commit hashes rather than the latest branch tip. By extending security controls to the developer toolchain and demanding transparency from scanner vendors about covered file sets, enterprises can close the most exploitable gap in the emerging AI agent supply chain.