Hash scanning catches reused malicious binaries. It cannot detect adversarial natural language in the skill description. That surface remains uncovered.
What to Do Before Installing Any Skill
- Read the full
SKILL.md. Check what OAuth scopes it requests. Verify each scope is necessary for the stated task. Not just plausible: actually required.
- Run a static check on the SKILL.md body for injection patterns and scope justification. The free auditor at vesselofone.com/tools/skill-check covers this. Paste a slug or repo URL.
- Test with non-sensitive data before connecting production credentials or real client files.
- Set a review reminder for six months. Skill authors can update SKILL.md without notifying installers.
Four Predictions (2026-2028)
Per-skill runtime correctness monitoring becomes a commercial product. Static analysis catches code risk but cannot evaluate whether a skill produces correct output at runtime. That monitoring layer does not exist yet as a product.
Another named supply-chain incident affects more than 100 skills. ClawHavoc established the playbook. Hash scanning did not close the attack vector. The adversarial NL surface in SKILL.md bodies is still fully open.
Enterprise procurement begins requiring security attestations for skills used in business workflows. Legal and financial teams running agents on client data will not accept installability as a quality standard.
Registries add evaluation requirements for marketplace inclusion. Pure installability metrics will not survive the first major enterprise procurement cycle.
Full methodology and dataset: vesselofone.com/research/ai-agent-skills-ecosystem. Dataset at doi.org/10.5281/zenodo.19691714. Scan scripts at github.com/vesselofone/openclaw-skills under MIT + CC BY 4.0.
Vessel is managed OpenClaw hosting on private Linux VMs. Every agent we provision runs the skill auditor at setup. The research and dataset are open source.