Development Approach

Scanned Agent Skills vs Unvetted Skills (2026): Should You Vet Before You Install?

Scanning AI agent skills before install vs installing unvetted skills in 2026. Compare supply-chain risk, detection coverage, friction and compliance — with real Snyk, Mondoo and NVIDIA SkillSpector data.

4
Scanned Agent Skills
vs
3
Unvetted Agent Skills
Quick Verdict

Scanning agent skills before you install them is the clear baseline — the data is not subtle. With Snyk finding prompt injection in 36% of audited skills and 1,467 malicious payloads across the supply chain, and Mondoo reporting that more than one in four public skills carry vulnerabilities, treating every third-party skill as untrusted code is simply table stakes in 2026. A scanner like NVIDIA's open-source SkillSpector — which checks 64 vulnerability patterns across 16 categories before installation — catches the obvious supply-chain traps that an unvetted install walks straight into. But don't mistake a clean scan for safety: Trail of Bits has already bypassed a public registry's malicious-skill detector, so scanning is necessary, not sufficient. The approach Context Studios takes, and the one we'd recommend, is layered: scan every skill before install, run it under least-privilege sandboxing, review its provenance and requested permissions, and never let an agent install skills autonomously. Skipping the scan only makes sense for skills you wrote yourself or that come from a source you fully control. For anything pulled from a public registry, scan first, sandbox always, and trust nothing by default.

Detailed Comparison

A side-by-side analysis of key factors to help you make the right choice.

Factor
Scanned Agent SkillsRecommended
Unvetted Agent SkillsWinner
Supply-chain risk reduction
Catches malicious payloads, trojans and hidden prompt injection before the skill ever runs in your environment
Inherits whatever the registry missed — known campaigns have planted hundreds of malicious skills that passed casual curation
Setup speed & friction
Adds a scan step (seconds to minutes per skill) plus a review of flagged findings before install
Install instantly with one command — zero friction, which is exactly why most people skip the checks
Malicious-pattern detection coverage
Tooling like SkillSpector checks 64 vulnerability patterns across 16 categories: prompt injection, credential theft, suspicious downloads, overbroad permissions
No systematic detection — relies entirely on a human noticing something off in the SKILL.md or code
Protection against novel / zero-day skills
Strong on known patterns, but researchers have shown scanners can be bypassed by sufficiently obfuscated payloads
Catches nothing proactively — but a careful manual reviewer can occasionally spot a brand-new trick a scanner has no signature for
Credential & secret-theft prevention
Flags skills that read environment variables, exfiltrate tokens or reach for credentials they don't need
Credential-stealing skills run with your agent's full access on first invocation, before you notice anything
Access to newest skills & ecosystem velocity
Scanning lags a registry adding 500+ skills a day; the very newest skills may not be scanned or signed yet
Immediate access to anything published the moment it lands, no waiting on vetting pipelines
Operational overhead & cost
Requires running a scanner in your install flow or CI, maintaining its rules and triaging findings
No extra tooling, infrastructure or process to maintain — until an incident forces one
Compliance & audit trail
Produces a record of what was scanned, what was flagged and what was approved — useful for SOC 2 and client audits
No artifact proving due diligence; in a regulated or client environment that gap is a liability
Total Score4/ 83/ 81 ties
Supply-chain risk reduction
Scanned Agent Skills
Catches malicious payloads, trojans and hidden prompt injection before the skill ever runs in your environment
Unvetted Agent Skills
Inherits whatever the registry missed — known campaigns have planted hundreds of malicious skills that passed casual curation
Setup speed & friction
Scanned Agent Skills
Adds a scan step (seconds to minutes per skill) plus a review of flagged findings before install
Unvetted Agent Skills
Install instantly with one command — zero friction, which is exactly why most people skip the checks
Malicious-pattern detection coverage
Scanned Agent Skills
Tooling like SkillSpector checks 64 vulnerability patterns across 16 categories: prompt injection, credential theft, suspicious downloads, overbroad permissions
Unvetted Agent Skills
No systematic detection — relies entirely on a human noticing something off in the SKILL.md or code
Protection against novel / zero-day skills
Scanned Agent Skills
Strong on known patterns, but researchers have shown scanners can be bypassed by sufficiently obfuscated payloads
Unvetted Agent Skills
Catches nothing proactively — but a careful manual reviewer can occasionally spot a brand-new trick a scanner has no signature for
Credential & secret-theft prevention
Scanned Agent Skills
Flags skills that read environment variables, exfiltrate tokens or reach for credentials they don't need
Unvetted Agent Skills
Credential-stealing skills run with your agent's full access on first invocation, before you notice anything
Access to newest skills & ecosystem velocity
Scanned Agent Skills
Scanning lags a registry adding 500+ skills a day; the very newest skills may not be scanned or signed yet
Unvetted Agent Skills
Immediate access to anything published the moment it lands, no waiting on vetting pipelines
Operational overhead & cost
Scanned Agent Skills
Requires running a scanner in your install flow or CI, maintaining its rules and triaging findings
Unvetted Agent Skills
No extra tooling, infrastructure or process to maintain — until an incident forces one
Compliance & audit trail
Scanned Agent Skills
Produces a record of what was scanned, what was flagged and what was approved — useful for SOC 2 and client audits
Unvetted Agent Skills
No artifact proving due diligence; in a regulated or client environment that gap is a liability

Key Statistics

Real data from verified industry sources to support your decision.

Snyk's ToxicSkills study — billed as the first comprehensive security audit of the agent-skills supply chain — found prompt injection in 36% of audited skills and 1,467 malicious payloads across the ecosystem

Snyk ToxicSkills study

Mondoo's research found that more than one in four (over 25%) publicly available AI agent skills contain security vulnerabilities

Mondoo

NVIDIA SkillSpector is an open-source (Apache-2.0) security scanner that checks AI agent skills before installation for prompt injection, credential theft, supply-chain risk and malicious code, detecting 64 vulnerability patterns across 16 categories

NVIDIA SkillSpector / AI Native Landscape

The ClawHavoc campaign planted 341 malicious skills on a public agent-skill registry, distributing the Atomic macOS Stealer and bypassing curation using week-old GitHub accounts

Termdock (ClawHub incident postmortem)

CVE-2025-53773 showed that hidden prompt injection in pull-request descriptions enabled remote code execution via GitHub Copilot, carrying a critical CVSS score of 9.6

Cycode

Trail of Bits researchers bypassed a public registry's malicious-skill detector, warning teams not to outsource trust to a scanner alone — evidence that scanning is necessary but not sufficient

Trail of Bits

All statistics come from verified third-party sources. Source, year, and direct link are shown on each metric.

When to Choose Each Option

Clear guidance based on your specific situation and needs.

Choose Scanned Agent Skills when...

  • You install skills from public registries where you don't control the authors
  • Your agents handle credentials, customer data or anything connected to real money
  • You operate in a regulated or client environment that requires an audit trail
  • You run multi-agent or autonomous workflows where one bad skill can spread fast

Choose Unvetted Agent Skills when...

  • The skill is one you wrote yourself or comes from a source you fully control
  • You're prototyping in a throwaway sandbox with no secrets and no network access to anything sensitive
  • You need a brand-new skill the moment it ships and accept the risk consciously
  • You have other strong controls (strict sandboxing, no credential access) that contain a bad skill anyway

Our Recommendation

Scanning agent skills before you install them is the clear baseline — the data is not subtle. With Snyk finding prompt injection in 36% of audited skills and 1,467 malicious payloads across the supply chain, and Mondoo reporting that more than one in four public skills carry vulnerabilities, treating every third-party skill as untrusted code is simply table stakes in 2026. A scanner like NVIDIA's open-source SkillSpector — which checks 64 vulnerability patterns across 16 categories before installation — catches the obvious supply-chain traps that an unvetted install walks straight into. But don't mistake a clean scan for safety: Trail of Bits has already bypassed a public registry's malicious-skill detector, so scanning is necessary, not sufficient. The approach Context Studios takes, and the one we'd recommend, is layered: scan every skill before install, run it under least-privilege sandboxing, review its provenance and requested permissions, and never let an agent install skills autonomously. Skipping the scan only makes sense for skills you wrote yourself or that come from a source you fully control. For anything pulled from a public registry, scan first, sandbox always, and trust nothing by default.

Frequently Asked Questions

Common questions about this comparison answered.

Yes. In 2026, Snyk's ToxicSkills audit found prompt injection in 36% of audited agent skills and 1,467 malicious payloads across the supply chain, while Mondoo reported that more than one in four public skills contain security vulnerabilities. Real campaigns like ClawHavoc planted hundreds of malicious skills on public registries distributing credential-stealing malware. Because a skill can carry hidden instructions, overbroad permissions or executable code that does more than its description admits, treating skills as untrusted third-party code is now standard practice.
SkillSpector is an open-source (Apache-2.0) scanner that inspects an agent skill before you install it. It looks for prompt injection, credential theft, suspicious downloads, overbroad permissions and malicious code, covering 64 vulnerability patterns across 16 categories. The point is to answer a simple question — does this skill do more than its description says? — before the skill ever runs with your agent's access.
Scanning makes you much safer, but it is not a guarantee. Trail of Bits researchers have already bypassed a public registry's malicious-skill detector with obfuscated payloads, which is why a clean scan should be treated as necessary, not sufficient. The robust approach is layered: scan before install, then run skills under least-privilege sandboxing, review provenance and requested permissions, and avoid letting agents install skills autonomously.
Skipping the scan is reasonable for skills you wrote yourself or that come from a source you fully control, or when you're prototyping in a disposable sandbox with no secrets and no sensitive network access. For anything pulled from a public registry — especially when your agent touches credentials, customer data or money — scan first, sandbox always and trust nothing by default.

Need help deciding?

Book a free 30-minute consultation and we'll help you determine the best approach for your specific project.

Free consultation
No obligation
Response within 24h