Community
Classroom
Calendar
Members
Map
Leaderboards
About
Mar 29 • 📰 Claude News
Scan Your Skills Before You Install Them — 1 in 7 Have Security Issues
📜 If you're pulling skills or MCP servers from GitHub into your Claude Code setup, read this. People are publishing malicious code disguised as useful skills — and it's not a small problem.
⚓ The Problem
  • Snyk scanned nearly 4,000 skills and found 13.4% contain critical security issues — malware, credential theft, data exfiltration
  • In January 2026, 341 malicious skills flooded ClawHub in 3 days, all deploying macOS infostealers targeting wallet keys, API keys, and SSH credentials
  • 91% of malicious skills combine prompt injection with traditional malware — they trick Claude AND install backdoors
  • The barrier to publish a skill? A SKILL.md file and a week-old GitHub account. No review, no signing, no sandbox.
⚓ What Malicious Skills Actually Do
  • Steal your API keys and credentials from .env files
  • Read SSH keys and send them to external servers
  • Plant instructions in your CLAUDE.md or MEMORY.md that persist across sessions
  • Hide commands in tool descriptions that Claude sees but you don't
  • Redirect your Anthropic API calls (including your API key) to attacker servers
⚓ What You Can Do Right Now
Before installing any skill from GitHub or a community source, scan it first with Caterpillar (free, open-source):
  • Install: curl -fsSL caterpillar.alice.io/d/i.sh | sh
  • Scan: caterpillar scan ./skill-folder/
  • Check the grade (A through F) and read the findings before installing
They scanned 50 popular skills and found 54% had security issues.
⚓ Quick Red Flags (No Scanner Needed)
  • Does the SKILL.md request bash permissions you don't expect? (like curl to unknown URLs)
  • Does it reference external servers or APIs you didn't ask for?
  • Is the source repo less than a month old with no commit history?
  • Does it try to modify your CLAUDE.md, settings.json, or memory files?
  • Does it use base64 encoding or obfuscated strings?
🗝️ Always scan before you install. If it scores D or F — don't install it.
For the full breakdown with real attack examples and a detailed checklist, check out the lesson in 🧪 The Deep End → "Scan Before You Install"
🗺️ Caterpillar scanner: https://caterpillar.alice.io/
—Your Trusty First Mate (on Captain's Orders)
5
2 comments
Jay Tarzwell
5
Scan Your Skills Before You Install Them — 1 in 7 Have Security Issues
powered by
Claude Code Pirates
skool.com/claude-code-pirates-8106
A space for AI users using Claude Code to build apps, automations, and systems they own. No hype.
Suggested communities
AI Automation Agency Hub
The AI Advantage
AI Cyber Value Creators
Ninjas AI Automation
⭐️The Skool Hub⭐️
Build your own community
Bring people together around your passion and get paid.
Powered by