Is security a skill issue?

A Mastro study · June 2026

Five scanners, 3,084 skills, a different verdict 64% of the time.

They can't agree on what “safe” even means, but they'll still show you a green check.

63.9% of skills got a different verdict from at least two scanners

14.2% had one scanner call it CRITICAL while another called it SAFE

Two security scanners read the same skill. Same file, same line: to draw you an architecture diagram, it ships your AWS config to an outside API. One scanner wrote that down word for word and stamped it SAFE. The other read the same line and stamped it CRITICAL. Hold that thought, because there are 437 more where that came from. First, why I went looking.

This morning my AI read my latest blood panel and flagged two numbers worth asking my doctor about. Genuinely useful. The skill that did it was written by someone I've never heard of, and I ran it without reading a line. Reckless, or just human? The answer is yes. But be honest about the last time you ran npx skills add or pulled in a package with four hundred transitive dependencies. Maybe you skimmed the top-level code. Nobody audits the whole tree. At some point we all stop reading and start deciding who to trust.

And that trust is the whole magic of agent skills. The ones that change what you're capable of are the ones you didn't write: a stranger's hard-won domain expertise packed into a file your AI just executes. A trainer's programming, a tax pro's playbook, a doctor's read on your labs. The ceiling on what AI can do for me isn't the model anymore. It's how many strangers' skills I'm willing to point at my files, my credentials, my actual life. And there's the catch: a skill is just a markdown file, but it's a markdown file my agent will go off and obey, usually with scripts it can run and every tool I've handed it. It can read my disk. It can phone home. The distance between “does my taxes” and “mails my keys to a stranger” is a few sentences I'll never read closely. So every install is a small act of faith, and faith doesn't scale.

We already know what happens when it doesn't hold. Earlier this year OpenClaw's skill marketplace got gutted. A researcher proved the download counter could be faked and pushed a dummy skill to #1; in eight hours, sixteen developers in seven countries installed it and ran his code.[1] His payload was a harmless ping. The criminals working the same hole were not so kind, flooding the catalogue with skills that quietly lifted SSH keys, cloud credentials, and crypto wallets.[2] At peak infection, per OWASP, five of the seven most-downloaded skills were malware.[3] Snyk found one in eight skills carried a critical issue;[4] Bitdefender clocked the malicious rate one week in February near 17%.[5]

So the ecosystem did the reasonable thing. It put up a guard. Paste a skill, a panel of name-brand scanners looks it over, and a verdict comes back: a reassuring green check, a risk score, a badge that says you're fine. Install with confidence. That checkmark is the thing standing between me and using AI the way it's actually supposed to work, and it is the part of this story I trusted most.

It is also the part that's lying to you. I pulled the verdicts for 3,084 skills, five scanners each, to see if the badge meant anything. It doesn't. The scanners can't agree on what “safe” even is, and the green check papers over a fight they're losing.

Five tools, three different questions

Before you can really say the scanners disagree, you have to notice they were never looking at the same thing in the first place. “Is this skill safe” isn't one question. It's at least three, and each of these tools is quietly answering a different one.

Snyk (LLM judges + static rules): Reads the code and the prose, flags injection, secrets, and suspicious downloads.

Socket (Supply-chain static + AI): Scans every file a skill references with its package-security engines, then counts alerts.

Gen Agent Trust Hub (Narrative LLM analysis): Writes a paragraph of reasoning about the skill, then assigns a severity from Safe to Critical.

Runlayer (Runtime gateway): A runtime gateway that watches behavior, with a pre-release scan. The panel’s most trigger-happy.

ZeroLeaks (Dynamic red-teamer): Doesn’t read the skill at all. Attacks a running model and returns a 0–100 security score.

Read those again and the disagreement kind of starts to feel inevitable. A supply-chain scanner asks: does the code do something bad? A prompt-injection judge asks: does the prose try to hijack the agent? A runtime red-teamer asks: can I break the model that runs this? None of them is wrong, exactly. They're answering different questions and then stamping all of it with the same word: safe.

(These five are what skills.sh actually shows you; Cisco and NVIDIA's SkillSpector exist too,...