SKILL.md Is the New package.json — Treat Your Skill Library Like the Supply Chain It Is

Your agent just installed a skill from a marketplace. Did anyone read it first?
A skill is a folder — a SKILL.md and, usually, some scripts it's allowed to run. It can read your files, call your tools, and reach the network, with your agent's permissions, not a sandbox's. It is, in every way that matters, unsigned executable third-party code. And most teams install it the way they'd star a repo: on vibes.
We spent fifteen years learning not to
curl | basha stranger's script — then handed our agents a marketplace and forgot the lesson.
We've seen this movie. It was called npm.
The supply chain you didn't know you had
package.json was never really a list of libraries. It was a list of people you decided to trust — most of whom you never met, whose code you never read, running with your build's privileges. We eventually grew up about it: signing, provenance, lockfiles, scanners, a whole decade of supply-chain hygiene.
SKILL.md is that same trust decision, made faster and with less ceremony. Each skill you add is a new dependency that ships behavior, not just data.
A skill isn't content. It's code with your agent's hands.
This isn't hypothetical anymore. OWASP just published the Agentic Skills Top 10 — the first real security framework for the skill layer. And the empirical work behind it isn't comforting: a study of tens of thousands of public skills found roughly a third carry security flaws, with malicious payloads confirmed live in the wild. The attack categories rhyme with everything we already know — prompt injection, data exfiltration, privilege escalation, supply-chain pull-through — just wearing a new file extension.
Why this is worse than the npm problem
npm at least had a head start: registries that sign, tools that scan, lockfiles that pin. The skill ecosystem has almost none of that yet. You're back in 2014, installing trust by reputation.
But the blast radius is the part that should keep you up. A malicious npm package runs at build time, in CI, against a checkout. A malicious skill runs at decision time — in production, holding your agent's live credentials, choosing what to do next with your data.
The dependency that scared you ran at build time. This one runs at decision time.
Same supply chain. Higher stakes, fewer guardrails.
What we do — and what you can take
We build and stamp our own skills into one canonical toolkit, and we treat that toolkit like the supply chain it is. Four practices, none of them exotic:
- Provenance. Skills come from one source we control and can audit — not ad-hoc installs from wherever. If you can't say where a skill came from, you don't own it; it owns you.
- Least-privilege scopes. A skill gets the narrowest capability it needs, never the agent's full hand. Most skills don't need the network. Most don't need write access. Make them prove it.
- Payload scanning.
SKILL.mdand its scripts are dependencies — scan them before they run, the same way you'd scan any package. - Immutable manifests. Pin what's installed and diff it. A skill library you can't diff is a skill library you can't trust.
Map it onto the ROBOT framework and it's the same questions you'd ask of any agent: what is this skill allowed to be (Role), what are its Boundaries, and can you see what it actually did (Observability).
You don't have to out-engineer the attacker. You have to know what's in your own toolbox.
The three questions
A supply-chain program, stripped down, answers three things: what's installed, where did it come from, and what can it do. Ask them about your agent's skills right now. If you can't answer all three, you don't have a skill library — you have an attack surface with good intentions.
The agents are already running the skills. The only real choice is whether you're governing that, or hoping.
Related Posts
Finding Bugs Got Cheap — Trusting the Fix Is the New Hard Part
Anthropic just open-sourced its AI "defender's loop." The real lesson isn't about C code — it's that the bottleneck moved from finding vulnerabilities to trusting what your agents tell you, and that's a governance problem you own.
Why We Failed Our Agent-Readiness Audit on Purpose
An automated audit gave us nine recommendations for being 'agent-ready.' We shipped three and deliberately failed the other six — because a security firm's agent-readiness is measured by signal honesty, not checkbox coverage.
The AppSec Acceleration: Why Your Security Tools Can't See Agent Vulnerabilities
Traditional SAST, DAST, and SCA tools were built for request-response architectures. Agent-first systems have vulnerability classes these tools were never designed to detect — and independent research just confirmed it.