Keywords: Security, Privacy, Agent Skills, Skill Classification
TL;DR: We provide the first large-scale, repository-aware security analysis of AI agent skills, showing how skills are distributed, how scanners classify them, and how repository context changes the ecosystem-wide risk assessment.
Abstract: Agent skills extend local AI agents, such as Claude Code and OpenClaw, with additional functionality. Their growing popularity has led to dedicated marketplaces resembling mobile app stores, as well as automated scanners that assess whether skills are benign or malicious. However, scanner reports from individual marketplaces classify up to 46.8% of skills as malicious, raising concerns about false positives.
We present the largest empirical security analysis of the AI agent skill ecosystem to date. We collect 238,180 unique skills from three major distribution platforms and GitHub, and analyze their contents, behavior, and repository context. Unlike existing scanner-based assessments, which evaluate skills largely in isolation, our repository-aware analysis checks whether a flagged skill is consistent with its surrounding GitHub project.
This context substantially reduces the number of suspicious skills: only 0.52% remain suspicious after repository-aware analysis. Our results show that existing scanners can substantially overestimate maliciousness when repository context is ignored. At the same time, we identify previously undocumented real-world attack vectors, including the hijacking of skills hosted in abandoned GitHub repositories. Overall, our findings provide a more robust view of the agent-skill ecosystem's current risk surface and highlight the need for context-aware security evaluation.
Presentation Mode: Yes, at least one author will attend and present in person.
Email Sharing: We authorize the sharing of all author emails with Program Chairs.
Data Release: We authorize the release of our submission and author names to the public in the event of acceptance.
Submission Number: 96