GitHub shipped gh skill in public preview on April 16, 2026, giving developers a single command to install, pin, search, and publish agent skills across every major AI coding host. The same week, security researchers proved that the broader skills ecosystem is already systematically compromised. Those two facts belong in the same sentence.
What gh skill Actually Does
GitHub CLI v2.90.0 introduces five subcommands: install, preview, search, update, and publish (Release GitHub CLI 2.90.0 · cli/cli). The command resolves the host-directory problem automatically: depending on which agent is active, it places skills in .github/skills, .claude/skills, .agents/skills, or the user home-directory equivalents (Manage agent skills with GitHub CLI, GitHub Changelog).
At launch, supported hosts include GitHub Copilot, Claude Code, Cursor, Codex, Gemini CLI, and Antigravity, with broader adoption underway (Manage agent skills with GitHub CLI, GitHub Changelog). [Updated June 2026] Google announced at I/O 2026 (May 19) that Gemini CLI is transitioning to Antigravity CLI — consumer and free-tier users lose Gemini CLI access on June 18, 2026. The gh skill host targeting flag already lists antigravity as a discrete target alongside the legacy gemini alias, so installed skills should remain portable across the rename, though per-host validation is still advisable during the transition period. Skills are filesystem-based, not API-based: any agent that can read a directory structure and parse Markdown can consume one (About agent skills, GitHub Docs). That design choice is both the feature and the vulnerability.
The Open Agent Skills Spec: Portability and Its Limits
The Agent Skills specification’s promise is that a skill written once runs on any compliant host. That claim is architecturally correct: the filesystem-plus-Markdown model is genuinely host-neutral (About agent skills, GitHub Docs). In practice, host-specific context-loading differences and behavioral variations mean skills still need per-host validation before you rely on them in production. “Runs everywhere” understates the work.
The upside is real nonetheless. Skills live at the project level or user home level, which means they travel with the repo, get committed to version control, and remain auditable in the same way as any other dotfile (About agent skills, GitHub Docs).
Version Pinning: What SHA Tracking Does and Doesn’t Protect
The --pin flag locks a skill to a specific tag or commit SHA. Pinned skills are skipped during gh skill update --all (Manage agent skills with GitHub CLI, GitHub Changelog). Git tree SHAs are embedded in SKILL.md frontmatter as provenance metadata, so the tooling can detect real content changes rather than version label bumps (Manage agent skills with GitHub CLI, GitHub Changelog).
This is a meaningful improvement over unversioned installs. However, SHA-based tracking does not prevent a threat actor from publishing a clean skill, accumulating downloads, and later replacing content via a force-push to the same tag. Tag immutability is opt-in on most Git hosts, not guaranteed. The provenance system catches drift after the fact; it does not prevent a malicious initial payload.
Supply Chain Reality: The ToxicSkills Numbers
Snyk’s ToxicSkills study, published in April 2026, scanned 3,984 skills from ClawHub and skills.sh (ToxicSkills: Snyk Finds Prompt Injection in 36%, 1,467 Malicious Payloads in Agent Skills Supply Chain Study). The findings:
- 36.82% (1,467 skills) carry security issues of any severity (ToxicSkills: Snyk Finds Prompt Injection in 36%, 1,467 Malicious Payloads in Agent Skills Supply Chain Study)
- 13.4% (534 skills) contain at least one critical-level flaw (ToxicSkills: Snyk Finds Prompt Injection in 36%, 1,467 Malicious Payloads in Agent Skills Supply Chain Study)
- 91% of confirmed malicious skills combine prompt injection with traditional malware techniques (ToxicSkills: Snyk Finds Prompt Injection in 36%, 1,467 Malicious Payloads in Agent Skills Supply Chain Study)
- 76 confirmed malicious payloads identified through manual review (ToxicSkills: Snyk Finds Prompt Injection in 36%, 1,467 Malicious Payloads in Agent Skills Supply Chain Study)
- 10.9% of ClawHub skills contain hardcoded secrets (ToxicSkills: Snyk Finds Prompt Injection in 36%, 1,467 Malicious Payloads in Agent Skills Supply Chain Study)
One important scope note: the ToxicSkills study covers ClawHub and skills.sh, not GitHub’s own skill registry. Conflating the two inflates the risk number specifically for the gh skill surface. The broader threat class is real; the specific denominator matters.
Attack categories identified in the wild include password-protected ZIP archives with obfuscated install scripts, base64-encoded commands that exfiltrate AWS credentials, and instructions that disable agent safety mechanisms (ToxicSkills: Snyk Finds Prompt Injection in 36%, 1,467 Malicious Payloads in Agent Skills Supply Chain Study).
The Silent Exfiltration Vector
Mitiga demonstrated a concrete attack path using a trojanized skill (AI Agent Supply Chain Risk: Silent Codebase Exfiltration via Skills (Mitiga)). The sequence: the agent silently copies the entire local codebase, adds a remote pointing to an attacker-controlled server, and pushes all contents. The attack requires only four user interactions and leaves audit logs empty (AI Agent Supply Chain Risk: Silent Codebase Exfiltration via Skills (Mitiga)).
This attack class is notable because it operates entirely within behaviors that look like normal agent activity. There is no obvious error, no permission dialog, no anomalous process. The skill instructs the agent; the agent executes file system and git operations it is expected to perform.
Filesystem-based skills have no sandbox boundary between the skill’s instructions and the agent’s full operating environment. That is the same property that makes them portable across hosts.
Practical Hygiene
Given the above, the minimum viable approach to using gh skill:
- Run
gh skill previewbefore every install. Read the output in full. This is the only inspection step before the skill has filesystem access (Manage agent skills with GitHub CLI, GitHub Changelog). - Pin everything with
--pinto a commit SHA, not a mutable tag. A SHA is harder to silently replace (Manage agent skills with GitHub CLI, GitHub Changelog). - Prefer skills from sources you can audit: organization-owned repos where you can inspect the commit history are lower risk than anonymous registry entries.
- Audit installed skills regularly. Tools like mcp-scan can surface prompt injection patterns in installed skill files.
- Treat skills like dependencies, not configuration. They execute with the same authority as your agent session.
Ecosystem Scale and Detection Tools
Since gh skill shipped, the underlying registries have grown faster than the tooling intended to audit them. ClawHub — the primary third-party skill registry underpinning many gh skill search results — crossed 13,000 published skills by early 2026, up from a standing start in late 2025. Daily submission rates briefly exceeded 500 per day in February 2026, roughly 10× the mid-January baseline. That growth rate is structurally incompatible with manual review.
Two automated detection approaches have emerged. Snyk’s ToxicSkills tooling applies static pattern matching against known payload signatures. A newer academic framework, SkillSieve, applies hierarchical triage and achieves an F1 of 0.800 on a 400-skill labeled benchmark at roughly $0.006 per skill — compared to 0.421 F1 for comparable baseline methods — evaluated against a 49,592-skill ClawHub snapshot from April 2026. Neither approach is yet integrated into gh skill natively; both require a separate scan step before or after installation.
The practical implication: the --preview step GitHub recommends assumes the reviewer can reliably identify obfuscated base64 commands, synthetic reputation inflation, and multi-stage payload delivery in raw Markdown. SkillSieve’s benchmark shows automated tools substantially outperform human triage on that task. Running skills through a dedicated scanner before installation is more reliable than eyeballing preview output.
GitHub CLI v2.92.0 (April 28, 2026) also extended gh skill subcommands to GitHub Enterprise Cloud hosts with data residency support, making the tooling available to organizations that previously could not use it under data-sovereignty requirements.
The trust-boundary question has received formal academic treatment as well. A formal trust schema for agent skill registries proposes a four-level verification model and a biconditional correctness criterion — and concludes that current SKILL.md-based registries including ClawHub cannot satisfy enterprise audit requirements without cryptographic signing at publish time. The same structural weakness that makes skills portable (plain Markdown, no enforcement layer) makes them unverifiable at scale.
FAQ
Does gh skill have any built-in malware scanning?
No. GitHub does not verify skills before they appear in registries accessible via gh skill search. The preview subcommand shows you the skill content before installation, but interpretation is left to the developer (Manage agent skills with GitHub CLI, GitHub Changelog). [Updated June 2026] GitHub CLI v2.92.0 (released April 28, 2026) added a --allow-hidden-dirs flag to gh skill preview, enabling inspection of skills installed in dot-prefixed directories like .claude/skills/ and .github/skills/ that were previously excluded from preview output.
If I pin to a SHA, am I protected from supply chain attacks?
Partially. A SHA pin prevents silent updates after installation. It does not protect you if the skill was already malicious at the SHA you pinned, and it does not prevent a threat actor from convincing you to install a new SHA that contains a payload. The Mitiga attack path requires only that the skill be installed once (AI Agent Supply Chain Risk: Silent Codebase Exfiltration via Skills (Mitiga)).
Does the open Agent Skills spec include a sandboxing or capability model?
No. The specification is filesystem-based and relies on the host agent’s existing permission model (About agent skills, GitHub Docs). Skills can instruct an agent to perform any action that agent can perform. There is no skill-level capability boundary defined in the spec as currently published.