A recent audit by Mobb.ai highlights significant security risks in the growing ecosystem of AI coding agents. Analyzing over 22,000 public skills from registries like GitHub and skills.sh, the study uncovered 140,963 security vulnerabilities, notably that skills execute with the developer’s full permissions, lacking runtime verification. Although 66% of skills showed no issues, 34% contained risky patterns, with alarming findings such as one in six skills enabling remote code execution.
Despite efforts by registries to enhance security through scanning and classification, a persistent gap remains once skills are installed. Mobb recommends improved measures, including client-side enforcement of security and continuous re-scanning. Developers are urged to manually review skill files before installation. The report underscores a critical need for standardized security protocols in the AI skill ecosystem to mitigate potential exploitation that could compromise developers’ sensitive data and systems.
Source link
