Dev.to
6/24/2026

Three packages claim 'SkillsGuard'. One shipped malware.
Short summary
Four npm packages share the 'SkillsGuard' name; one shipped malware. The article recommends AgentGuard by GoPlus Security (MIT, v1.1.28) with three protection layers: runtime hooks, 24-rule static scanning, and single-action evaluation. It acknowledges four security gaps, including bundled-library blindness and prompt-injection vulnerabilities.
- •AgentGuard by GoPlus Security is the recommended verifiable npm package for securing agent skills (MIT-licensed, v1.1.28, publicly available on GitHub)
- •Three protection layers: runtime hook-based blocking, 24-rule static manifest scanning, and per-action security evaluation with --level strict option
- •Scanner has four known gaps: manifest generation noise, bundled-library blindness, prompt-injection supply-chain attacks, and unaudited imported dependencies
Generated with AI, which can make mistakes.
Is this a good recommendation for you?



