Anthropic's Claude Code and OpenAI's Codex inherit whatever their downloadable "skills" can reach on a developer's machine, and a Snyk scan found hidden instructions that hijack the AI in about 36% of them.
The skill marketplace built into Anthropic's Claude Code and OpenAI's Codex has turned both AI coding agents into something their users rarely intended: an open-ended execution channel for code written by strangers.
Both tools are local coding agents. A developer hands one a task in plain English, and the agent reads files, writes code, and runs commands on the user's machine to get the job done. Anthropic added a skills feature to Claude Code in late 2025 and published the format as an open standard. OpenAI's Codex adopted the same approach, and a sharing economy grew up around it. Skills are prewritten instruction bundles that tell the agent how to do a particular job, and they frequently originate on GitHub or in social posts from developers the user has never met.
The design is that a skill inherits whatever the agent can do. That includes reading files, writing files, running shell commands, and reaching the saved passwords, keys, and access tokens that sit on most developer machines. A skill pulled from a stranger's GitHub page is, in plain terms, code from someone the user does not know, about to run on the user's computer.
The Snyk study "ToxicSkills" scanned the agent skill supply chain and found prompt injection in roughly 36% of scanned skills with 1,467 malicious payloads flagged in the same sample. The arXiv preprint "Malicious Agent Skills in the Wild" supplies a broader empirical base for that prevalence, though it remains a preprint, which means its figures should be read as research-stage rather than peer-reviewed.
The cloud security firm Mitiga documented two concrete paths. In "Breaking Skills Part 1", the researchers built a skill that looked like an ordinary testing helper. Hidden inside were instructions telling the agent to copy the user's entire codebase and push it to an attacker-controlled account. Activity logs stayed empty. The on-screen summary looked like normal output. In "Breaking Skills Part 2", the same mechanism turned a Claude Code skill into a Slack compromise that made organization-wide phishing practical from inside the developer's authenticated session.
Help Net Security reported in June 2026 that one low-skilled attacker used Claude and Codex to breach 14 companies in offensive cyber operations. The reporting leans on a single external researcher's account, which is worth flagging before quoting the figure as ambient fact. Taken with the Snyk scan and the Mitiga demos, it is the first public indication that an attacker without traditional offensive depth has reached the same end result at scale. Rankiteo's July 2026 writeup and Cybersecurity News's coverage of scanner-evasion techniques add a second-order finding: malicious skills increasingly ship with the tricks needed to slip past an agent's safety filters, including credential theft, source code exfiltration, and backdoor installation.
The mechanism here is the trust assumption baked into every skill install. The agent treats a skill as trusted instructions from the operator. From the agent's perspective, there is no structural difference between a skill a security team vetted and a skill pulled from a stranger's repo five minutes earlier. That is the same kind of trust assumption the npm and PyPI ecosystems have spent a decade learning to defend, and neither Anthropic nor OpenAI has shipped a comparable supply-chain security model for skills.
For security teams, the practical question is small and concrete. Pull a list of every skill installed on every Claude Code and Codex instance the engineering organization runs. Ask who wrote each one, when it was last reviewed, and what permissions it currently holds. The Snyk figure is a probability statement about the supply chain. The Mitiga demos are proof that an honest-looking skill can quietly copy a codebase. The 14-company campaign is the first public indication that an attacker without traditional offensive depth has reached the same end at scale. None of those artifacts prove any particular skill on any particular laptop is hostile. They do suggest that the skill list itself needs to be audited the same way teams already audit installed dependencies or browser extensions.