Introducing Chainguard Agent Skills: Because your AI agent shouldn't trust strangers

Today, we're introducing Chainguard Agent Skills: a continuously maintained catalog of hardened AI agent skills, automatically reviewed, scoped, and published, with a full audit trail, so teams can extend their agents without expanding their attack surface.

AI agent skills have quickly become the newest class of third-party software dependency. Platforms like Claude Code, OpenClaw, and others now support skills for browser automation, database management, code generation, and more. Community registries are growing fast, but they lack guardrails or governance. They have no built-in review process, no permission scoping, no integrity verification, and no audit trail. Skills ship with whatever permissions the author chose, whatever description they wrote, and whatever shell access they wanted.

Developers are installing skills the same way they pulled images from Docker Hub in 2015: trust the name, hope for the best.

That approach has already been exploited. In February 2026, Trend Micro documented a full supply chain attack executed through AI agent skills. Attackers uploaded hundreds of malicious skills to OpenClaw registries, embedding hidden instructions that directed AI agents to download and install a credential-harvesting malware known as the Atomic macOS Stealer. The agent acted as a trusted intermediary, either installing the payload silently or coaching the user through a fake driver installation. Cisco researchers found nine Common Vulnerabilities and Exposures (CVEs), two of them critical, in the number-one-ranked skill on ClawHub, which had thousands of downloads.

Unvetted skill artifacts simultaneously provide considerable value to users while presenting significant risk. As this category of artifact continues to grow, it’s critical that developers have a resource they can trust.

Chainguard's continuous agentic reconciliation loops already harden and maintain container images, virtual machine images, and language libraries. Agent Skills is a natural evolution, applying Chainguard's solution to supply chain security to a new class of software artifact.

Continuous hardening, not one-time scanning

Chainguard acts as a trust layer for users today across open source artifacts like container images, language libraries, and virtual machine images. Much like these trusted artifacts, Agent Skills leverages the Chainguard Factory's AI-native tooling to maintain each skill’s secure-by-default posture, delivering hardened defaults, continuous updates, and verifiable provenance. Agent Skills goes further, applying opinionated rulesets to prevent risky scoping, excessive permissions, and ambiguous prompts and descriptions in each skill. We’re starting with one of the fastest-growing agent skill communities, skills.sh, and plan to expand as user needs continue to grow.

Some of the critical capabilities of Agent Skills include:

• Continuous reconciliation: Agent Skills leverage Chainguard Factory’s self-healing reconciliation agents to run a persistent loop that compares the desired state against the actual state and closes the gap. When upstream sources change, or a new rule is added, every published skill is automatically re-evaluated and re-hardened.

• Agentic hardening with an auditable trail: Each skill is hardened by an automated agent that applies fixes one at a time, committing each change individually. Every published skill links to a pull request with a full diff so security and compliance teams can trace exactly what was changed and why.

• Purpose-built for real attack vectors: The ruleset targets the specific patterns demonstrated in real-world campaigns: unrestricted shell access, overly broad tool permissions, and vague descriptions that enable mis-invocation. These aren’t generic code quality checks; they directly address how attackers exploit the agent-skill trust relationship.

• Zero-friction developer experience: Developers install a hardened skill by copying a single SKILL.md file. No new toolchain, no CI integration, no configuration. The security work happens upstream, before the developer ever touches the skill.

The future of Agent Skills

If we wait until the ecosystem is mature to introduce a hardening layer, we'll be playing catch-up the same way the container ecosystem did with image scanning. The time to establish secure defaults is now, while the patterns are still forming. Agent Skills will evolve in several ways as those patterns form:

• Expanded rulesets: Adding additional rules for external dependency detection, encoded payload detection, secret and credential patterns, network access scoping, and output validation. 

• Additional repo coverage: Expanding coverage beyond skills.sh to ClawHub, SkillsMP, and other registries.

• Hardening-as-a-service for internal skills: Giving customers the ability to point Chainguard Factory’s hardening pipeline at their own proprietary skills and get the same automated review, hardening, and audit trail.

• Policy-as-code enforcement: Enabling custom best-practices configurations that let organizations define and enforce their own skill security policies across all their agents.

How you can get started

Agent Skills is currently in beta and accessible to all users with a Chainguard Console account. Visit the Agent Skills webpage to sign up for the beta today.