Back to feed
Dev.to
Dev.to
6/24/2026
Three packages claim 'SkillsGuard'. One shipped malware.

Three packages claim 'SkillsGuard'. One shipped malware.

Short summary

Four npm packages share the 'SkillsGuard' name; one shipped malware. The article recommends AgentGuard by GoPlus Security (MIT, v1.1.28) with three protection layers: runtime hooks, 24-rule static scanning, and single-action evaluation. It acknowledges four security gaps, including bundled-library blindness and prompt-injection vulnerabilities.

  • AgentGuard by GoPlus Security is the recommended verifiable npm package for securing agent skills (MIT-licensed, v1.1.28, publicly available on GitHub)
  • Three protection layers: runtime hook-based blocking, 24-rule static manifest scanning, and per-action security evaluation with --level strict option
  • Scanner has four known gaps: manifest generation noise, bundled-library blindness, prompt-injection supply-chain attacks, and unaudited imported dependencies

Generated with AI, which can make mistakes.

Is this a good recommendation for you?

Explore more