skills/find-skills vercel-labs | | The skill insecurely executes unpinned npx packages and forces automatic installations via the -y flag, creating significant risks of supply chain attacks and unauthorized package deployment. | 24.5k | 2.3M | 4 | 70High |
skills/frontend-design anthropics | | The skill lacks transparency due to the absence of code blocks or usage examples, preventing users from verifying its functionality and security posture. | 156.8k | 607.4k | 1 | 15Low |
agent-skills/vercel-react-best-practices vercel-labs | | No security issues detected in vercel-labs/agent-skills/vercel-react-best-practices. | 28.6k | 520.8k | – | 0None |
agent-browser/agent-browser vercel-labs | | This skill facilitates remote code execution via dynamic instruction fetching, exposes sensitive session data through an insecure proxy, and employs keyword stuffing to hijack agent control for unauthorized tasks. | 36.5k | 467.0k | 8 | 70High |
agent-skills/web-design-guidelines vercel-labs | | The skill insecurely fetches and executes remote instructions, enabling unauthorized third parties to dynamically override the agent's behavior and bypass safety controls. | 28.5k | 424.9k | 2 | 70High |
azure-skills/microsoft-foundry microsoft | | The skill uses keyword stuffing for over-triggering, lacks defined tool constraints for sensitive operations, and references missing documentation, suggesting potential runtime execution from unverified external sources. | 1.2k | 422.6k | 7 | 40Medium |
azure-skills/azure-deploy microsoft | | The skill contains multiple broken documentation links to missing external files, creating an opaque execution environment that prevents proper security evaluation of its deployment workflows. | 1.2k | 419.4k | 6 | 15Low |
skills/grill-me mattpocock | | The skill lacks transparency due to missing code examples and licensing information, but it contains no malicious code or security vulnerabilities. | 150.5k | 416.3k | 2 | 15Low |
azure-skills/azure-messaging microsoft | | The skill lacks sufficient documentation and code examples, preventing users from verifying its functionality and assessing potential security risks. | 1.2k | 408.0k | 1 | 15Low |
skills/remotion-best-practices remotion-dev | | The skill uses unpinned dependencies, hides content via CSS, performs unauthorized network and system operations, and relies on missing external documentation, creating significant security and supply chain risks. | 3.9k | 404.8k | 10 | 70High |
azure-skills/azure-ai microsoft | | The skill exhibits potential impersonation risks and relies on missing documentation files, causing silent workflow degradation and preventing transparent evaluation of its functionality. | 1.2k | 402.6k | 7 | 40Medium |
azure-skills/azure-diagnostics microsoft | | The skill contains multiple broken documentation references, indicating incomplete packaging that may cause runtime failures or unexpected behavior when accessing external resources. | 1.2k | 402.2k | 5 | 15Low |
azure-skills/azure-prepare microsoft | | The skill lacks defined tool constraints and relies on missing external documentation, creating an opaque execution environment that prevents proper security auditing and verification of its runtime behavior. | 1.2k | 402.1k | 7 | 15Low |
azure-skills/azure-storage microsoft | | The skill contains multiple broken documentation links, indicating poor maintenance and potential runtime instability due to missing dependency references. | 1.2k | 401.8k | 5 | 15Low |
azure-skills/azure-validate microsoft | | The skill lacks transparency and relies on missing external documentation, creating an opaque execution environment that prevents proper security verification of its runtime behavior. | 1.2k | 401.5k | 4 | 15Low |
azure-skills/entra-app-registration microsoft | | The skill lacks transparency and contains multiple broken documentation references, leading to potential runtime failures or reliance on unverified external content. | 1.2k | 401.4k | 6 | 15Low |
azure-skills/appinsights-instrumentation microsoft | | The skill lacks transparency and contains multiple broken documentation references, leading to silent runtime degradation and an inability for users to verify its intended functionality. | 1.2k | 401.3k | 6 | 15Low |
azure-skills/azure-compliance microsoft | | The skill lacks transparency and references multiple missing documentation files, creating an opaque execution environment where workflows may silently degrade or fetch external content from untrusted sources. | 1.2k | 401.3k | 6 | 15Low |
azure-skills/azure-rbac microsoft | | The skill lacks transparency and verifiable code documentation, preventing users from assessing its security posture or confirming it performs only intended Azure role-based access control operations. | 1.2k | 401.3k | 1 | 15Low |
azure-skills/azure-resource-lookup microsoft | | The skill exhibits a potential supply chain risk by referencing external documentation that is missing from the package, which could lead to unauthorized content injection or runtime execution errors. | 1.2k | 401.3k | 1 | 15Low |
azure-skills/azure-aigateway microsoft | | The skill impersonates a brand, lacks declared tool constraints, performs unauthorized network access, and relies on missing external documentation, creating significant security and transparency risks. | 1.2k | 401.2k | 8 | 40Medium |
azure-skills/azure-kusto microsoft | | No security issues detected in microsoft/azure-skills/azure-kusto. | 1.2k | 401.1k | – | 0None |
azure-skills/azure-resource-visualizer microsoft | | The skill contains broken documentation links and missing assets, leading to silent runtime degradation and a lack of transparency regarding its operational dependencies. | 1.2k | 401.1k | 4 | 15Low |
azure-skills/azure-hosted-copilot-sdk microsoft | | The skill contains broken documentation links to missing reference files, causing silent workflow degradation and preventing users from verifying security and configuration practices. | 1.2k | 391.3k | 6 | 15Low |
azure-skills/azure-compute microsoft | | The skill forces the agent to bypass verified security best practices and relies on missing, externally sourced workflow files, creating significant risks of instruction override and unauthorized code execution. | 1.2k | 362.0k | 6 | 70High |
azure-skills/azure-cloud-migrate microsoft | | The skill lacks transparency and relies on multiple missing documentation files, creating an opaque execution environment where critical workflow logic is sourced from external, unverified locations at runtime. | 1.2k | 352.0k | 6 | 15Low |
skills/remotion-render halt-catch-fire | | The skill enables arbitrary remote code execution by sending user-provided TSX to an external service and uses unpinned npx commands, creating significant risks for code injection and supply-chain attacks. | 584 | 351.6k | 3 | 40Medium |
skills/ai-video-generation halt-catch-fire | | The skill executes unpinned npx packages at runtime, creating a critical supply chain vulnerability that allows for the potential execution of malicious or compromised code. | 584 | 351.4k | 2 | 40Medium |
runcomfy-agent-skills/nano-banana-edit agentspace-so | | The skill executes unpinned and unverified npx packages at runtime, creating a significant supply chain risk by allowing arbitrary, potentially malicious code to run without integrity checks. | 29 | 351.3k | 2 | 40Medium |
skills/ai-image-generation halt-catch-fire | | The skill impersonates a known brand and executes unpinned npx packages at runtime, creating a significant supply chain risk by allowing arbitrary code execution from the latest npm versions. | 584 | 351.3k | 3 | 40Medium |
skills/twitter-automation halt-catch-fire | | The skill executes unpinned packages at runtime and routes sensitive authentication credentials through an untrusted third-party platform, creating significant risks of supply chain compromise and credential exfiltration. | 584 | 351.3k | 3 | 40Medium |
runcomfy-agent-skills/flux-2-klein agentspace-so | | The skill executes unpinned, unverified dependencies and lacks tool constraints, while its image processing functionality introduces risks of indirect prompt injection via adversarial visual payloads. | 29 | 350.2k | 4 | 40Medium |
skills/improve-codebase-architecture mattpocock | | The skill lacks defined tool constraints and mandates opaque, unverified external dependencies, creating an insecure execution chain that prevents proper security auditing and risk assessment. | 150.5k | 342.4k | 5 | 70High |
skills/grill-with-docs mattpocock | | The skill insecurely invokes an external dependency without verifying its origin or permissions, creating a significant risk of supply chain attacks and unauthorized privilege escalation. | 150.5k | 342.1k | 3 | 70High |
runcomfy-agent-skills/image-edit agentspace-so | | The skill lacks defined tool constraints, executes unpinned dependencies, and processes external image URLs, creating significant risks of remote code execution and indirect prompt injection. | 27 | 336.9k | 5 | 40Medium |
runcomfy-agent-skills/nano-banana-2 agentspace-so | | The skill executes unpinned and unverified packages via npx, creating a critical supply chain vulnerability that allows for the arbitrary execution of malicious or compromised code at runtime. | 27 | 336.9k | 2 | 40Medium |
skills/tdd mattpocock | | The skill lacks essential documentation files and a specified license, leading to potential runtime errors and ambiguity regarding usage terms. | 150.5k | 323.3k | 4 | 15Low |
runcomfy-agent-skills/video-edit agentspace-so | | The skill lacks defined tool constraints, executes unpinned and unverified dependencies, and processes external media, creating significant risks for arbitrary code execution and indirect prompt injection attacks. | 27 | 321.2k | 4 | 40Medium |
runcomfy-agent-skills/image-to-video agentspace-so | | The skill executes unpinned, unverified remote packages and performs unrestricted system operations while exposing users to potential adversarial prompt injection through external image processing. | 27 | 320.3k | 4 | 40Medium |
runcomfy-agent-skills/gpt-image-edit agentspace-so | | The skill risks supply chain compromise through unpinned npx execution and exposes the agent to indirect prompt injection by processing unverified image content from external URLs. | 27 | 319.1k | 4 | 40Medium |
runcomfy-agent-skills/seedance-v2 agentspace-so | | The skill executes unverified, unpinned packages via npx, creating a critical supply chain vulnerability that allows for the arbitrary execution of malicious code from the npm registry. | 27 | 317.0k | 2 | 40Medium |
skills/agentspace agentspace-so | | The skill poses a significant security risk by exfiltrating arbitrary local files to a third-party service and executing unverified dependencies, potentially compromising user credentials and system integrity. | 10 | 305.8k | 5 | 70High |
skills/to-prd mattpocock | | The skill forces the execution of an unverified external command that could inject malicious configurations or hooks into the agent's environment, posing a significant security risk. | 150.5k | 303.6k | 3 | 70High |
cli/lark-drive larksuite | | The skill contains multiple broken documentation references that cause silent workflow degradation and fails to specify a required license, indicating poor maintenance and lack of transparency. | 15.0k | 302.6k | 6 | 15Low |
cli/lark-whiteboard larksuite | | The skill executes unverified global dependencies and relies on external, non-packaged configuration files, creating a centralized security risk through insecure, unpinned, and opaque authentication and workflow logic. | 15.0k | 301.5k | 8 | 40Medium |
cli/lark-skill-maker larksuite | | The skill lacks defined tool constraints, allowing unrestricted execution of commands, file operations, and network access, which poses a significant security risk for unauthorized system interaction. | 15.0k | 299.5k | 2 | 15Low |
agent-skills/sleek-design-mobile-apps sleekdotdesign | | The skill introduces supply chain risks by fetching unpinned external assets and insecurely piping API responses directly into local files, enabling potential arbitrary code injection. | 432 | 298.6k | 3 | 15Low |
cli/lark-calendar larksuite | | The skill documentation references multiple missing local files, causing potential runtime instability, and fails to specify a required license for usage. | 15.0k | 296.7k | 6 | 15Low |