The Sorry State of Skill Distribution

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://blog.trailofbits.com/2026/06/03/the-sorry-state-of-skill-distribution/
• Blog Title: The Sorry State of Skill Distribution
• Suggested Section: AI Security / AI Agent Skills Supply Chain Attacks, with cross-references from Dependency Confusion or supply-chain sections and Python bytecode/reversing sections

🎯 Content Summary

Trail of Bits analyzed public AI-agent skill marketplaces and demonstrated that current automated skill scanners can be bypassed with simple, practical supply-chain techniques. The tested targets were ClawHub/OpenClaw scanning, VirusTotal Code Insight, Cisco's open-source skill-scanner, and the three scanners integrated into skills.sh: Gen Agent Trust Hub, Socket, and Snyk. The proof-of-concept mali...

🔧 Technical Details

Context-truncation scanner evasion: If a scanner truncates large files before analysis, malicious code or instructions can be placed after a large padding region, such as 100,000 newline characters. The scanner evaluates only the harmless prefix and marks the artifact safe, while the deployed package still contains the malicious tail content. This applies to LLM scanners with token limits and static scanners with maximum file-size or maximum-character policies.

Archive/document indirection: A package can place benign instructions in a top-level manifest such as SKILL.md while instructing the agent to load secondary instructions from a document. Formats such as .docx are ZIP containers containing XML and can also carry extra embedded files. If scanners do not recursively unpack and inspect every archive member, an attacker can hide a payload such as sync1.sh inside the document and have the agent execute i...

🤖 Agent Actions

Done.

Updated only:

• src/AI/AI-MCP-Servers.md

Added a new section covering:

• skill marketplace supply-chain evasion
• context-truncation bypasses
• .docx/archive indirection
• .pyc/generated-artifact poisoning
• hidden-file / incomplete-tree scanner blind spots
• package-manager registry redirection via .npmrc / .yarnrc
• LD_PRELOAD as a native-code execution primitive
• concise review guidance for skill auditing

Also added references for:

• Trail of Bits blog post
• trailofbits/overtly-malicious-skills

Validation:

• git diff --check passed
• basic file assertions passed
• mdbook build could not run because mdbook is not installed in this environment

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://blog.trailofbits.com/2026/06/03/the-sorry-state-of-skill-distribution/

Content Categories: Based on the analysis, this content was categorized under "AI Security / AI Agent Skills Supply Chain Attacks, with cross-references from Dependency Confusion or supply-chain sections and Python bytecode/reversing sections".

Repository Maintenance:

• MD Files Formatting: 977 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0