Dev.to
6/23/2026

We security-graded 117,854 AI agent skills. Here's what we found.
Short summary
A security audit of 117K AI agent skills found that only 17.7% were popular enough to grade, with 3.1% deemed unsafe. Greatest risk lives in low-starred repos, and new attack surfaces (agent config/memory theft) emerge alongside traditional shell exploits. Rule-based scanning catches 3% of vulnerabilities; semantic analysis suggests the real rate may be 26%.
- •Security audit of 117K agent skills: 17.7% graded, 3.1% unsafe—mostly in unpopular repos
- •New attack surface: agent-native threats like config theft and memory exfiltration
- •Provides CLI tool for checking skills; acknowledges rule-based scanning is conservative lower bound
Generated with AI, which can make mistakes.
Is this a good recommendation for you?



