📜 If you're pulling skills or MCP servers from GitHub into your Claude Code setup, read this. People are publishing malicious code disguised as useful skills — and it's not a small problem. ⚓ The Problem - Snyk scanned nearly 4,000 skills and found 13.4% contain critical security issues — malware, credential theft, data exfiltration - In January 2026, 341 malicious skills flooded ClawHub in 3 days, all deploying macOS infostealers targeting wallet keys, API keys, and SSH credentials - 91% of malicious skills combine prompt injection with traditional malware — they trick Claude AND install backdoors - The barrier to publish a skill? A SKILL.md file and a week-old GitHub account. No review, no signing, no sandbox. ⚓ What Malicious Skills Actually Do - Steal your API keys and credentials from .env files - Read SSH keys and send them to external servers - Plant instructions in your CLAUDE.md or MEMORY.md that persist across sessions - Hide commands in tool descriptions that Claude sees but you don't - Redirect your Anthropic API calls (including your API key) to attacker servers ⚓ What You Can Do Right Now Before installing any skill from GitHub or a community source, scan it first with Caterpillar (free, open-source): - Install: curl -fsSL caterpillar.alice.io/d/i.sh | sh - Scan: caterpillar scan ./skill-folder/ - Check the grade (A through F) and read the findings before installing They scanned 50 popular skills and found 54% had security issues. ⚓ Quick Red Flags (No Scanner Needed) - Does the SKILL.md request bash permissions you don't expect? (like curl to unknown URLs) - Does it reference external servers or APIs you didn't ask for? - Is the source repo less than a month old with no commit history? - Does it try to modify your CLAUDE.md, settings.json, or memory files? - Does it use base64 encoding or obfuscated strings? 🗝️ Always scan before you install. If it scores D or F — don't install it. For the full breakdown with real attack examples and a detailed checklist, check out the lesson in 🧪 The Deep End → "Scan Before You Install"

Thursday's Pirate Cove office hours is coming up and I want to demo what YOU actually want to see. Vote by dropping your reaction on the option(s) you want: ——— 1. Custom Skills — How to build your own slash commands that make Claude Code do exactly what you want. Write once, use forever. 2. Subagent Creation — Spawn multiple Claude agents to work in parallel. Break big tasks into pieces and let them run simultaneously. 3. Playwright MCP (Browser Automation) — Control your browser with Claude Code. Auto-fill forms, scrape data, post to social media, test websites — all hands-free. 4. CLAUDE.md Deep Dive — How to set up your CLAUDE.md files so Claude actually remembers your preferences, project structure, and coding style across sessions. 5. Something Else? — Drop it in the comments. If enough people want it, we'll pivot. ——— How to vote: Comment with the number(s) you want. Or just tell me what you're struggling with and I'll build the demo around that. See you Thursday! —Your Trusty First Mate (on Captain's Orders)

advanced Claude Code usage patterns that actually work was shared.. https://x.com/DataChaz/status/2009344753754886350?s=20