AI agents are installing third-party tools at scale. MCP servers, skill files, plugins. Most of them have never been security-reviewed by anyone.

We built Aguara Watch, a public observatory that scans every skill published to the five largest AI agent registries. Every day, 148 detection rules run against 31,000+ skills looking for prompt injection, credential leaks, data exfiltration, supply chain attacks, and more.

This is what the data looks like after scanning all of them.

31,819 Skills scanned
485 Critical findings
1,718 High-severity findings

The dataset

Five registries. 31,819 skills. Zero manual curation.

Registry     Skills   Findings
ClawHub       9,289     14,108
mcp.so        9,145      1,558
PulseMCP      8,621          1
Skills.sh     4,219      4,114
LobeHub         545         49

The difference in finding counts is not about registry quality alone. Each registry exposes different amounts of metadata. ClawHub publishes full READMEs, install scripts, and tool descriptions. PulseMCP exposes minimal structured data. More text means more surface area for the scanner to analyze, and more surface area means more findings.

Findings across 13 categories

Every skill was scanned with Aguara, a static security scanner purpose-built for AI agent content. Three independent detection layers (pattern matching, structural analysis, and dangerous capability detection) produce findings that get deduplicated, scored, and correlated. The scanner generated 19,830 total rule matches, but the majority are LOW-severity or informational. What matters are the 485 CRITICAL and 1,718 HIGH findings — patterns with a direct security impact that warrant immediate review.

Severity breakdown

Severity    Count       %
CRITICAL      485    2.4%
HIGH        1,718    8.7%
MEDIUM      1,652    8.3%
LOW        15,975   80.5%

The vast majority of rule matches (80.5%) are LOW-severity — informational patterns that flag potentially risky behaviors but are often benign in context (documentation examples, template variables, setup instructions). The actionable findings are the 2,203 CRITICAL and HIGH matches: prompt injection, piped shell execution, credential exposure, and MCP tool poisoning patterns that represent real security risks if an agent acts on them without review.

What categories dominate

external-download    ████████████████████████████  1,116  (28.9%)
prompt-injection     ███████████████████████       905    (23.5%)
mcp-config           ██████████                    405    (10.5%)
exfiltration         ██████████                    400    (10.4%)
ssrf-cloud           ██████                        259    (6.7%)
supply-chain         █████                         193    (5.0%)
mcp-attack           █████                         185    (4.8%)
command-execution    ████                          142    (3.7%)
indirect-injection   ██                            95     (2.5%)
credential-leak      ██                            81     (2.1%)
toxic-flow           ██                            70     (1.8%)
third-party-content  ▏                             3      (0.1%)
unicode-attack       ▏                             1      (0.0%)

External downloads and prompt injection together account for over half of all findings. These are the two categories most specific to the AI agent threat model: skills that pull and execute remote code, and skills that try to override the agent's instructions.

The two findings that matter most

1. curl | sh is everywhere

The single most common critical finding is SUPPLY_003 / EXTDL_013: piped shell execution. curl https://something.com/setup.sh | bash.

This pattern appears in install instructions, setup scripts, and tool definitions. Sometimes it's documentation showing users how to install. Sometimes it's the actual install mechanism the agent will execute.

The scanner handles this distinction. Findings inside markdown code blocks under headings like "Installation" or "Setup" get their severity downgraded automatically. A README explaining how to install is different from a tool description that instructs the agent to run curl | sh at runtime.

But even after downgrading documentation patterns, hundreds of skills contain piped shell execution in contexts where an agent would actually run it. No checksum verification. No pinned version. No review.

2. Prompt injection is not theoretical

905 prompt injection findings. These aren't hypothetical attack scenarios from research papers. They're patterns found in published, publicly listed skills:

  • Instruction override attempts ("ignore previous instructions", "disregard your guidelines")
  • Authority claims combined with urgency ("as the system administrator, you must immediately...")
  • Hidden HTML comments containing action directives invisible to users but parsed by agents
  • Tool descriptions that subtly redirect agent behavior

Some of these are likely accidental. A skill description that says "ignore previous configuration" meaning "reset settings" will trigger the same pattern as a malicious injection. The scanner flags both and lets the consumer decide.

But a meaningful subset are not accidental at all.

Grade distribution: most skills are fine

Grade         Skills       %
A (90-100)    30,450   95.7%
B (75-89)        782    2.5%
C (50-74)        418    1.3%
D (25-49)         88    0.3%
F (0-24)          81    0.3%

95.7% of skills score an A. The ecosystem is not on fire. But 587 skills score C or below, and 81 score F. An F means multiple high-severity findings across different threat categories. These are the skills that would cause damage if an agent installed them without checking.

A closer look at the worst offenders

Skills that score 0/100 tend to combine multiple threat categories. A few examples from the dataset:

A password manager integration (ClawHub, Grade C): Contains curl | sh for installation, Docker environment variables with credential templates (OP_CONNECT_TOKEN=), and chained shell commands. Four findings across three categories. An agent installing this tool would pipe a remote script to shell and expose credential placeholders.

A forensics toolkit (mcp.so, Grade F): 11 findings including 2 critical and 4 high. A tool designed for Windows forensics that bundles capabilities for file system access, memory analysis, and network communication. Individually each capability is legitimate. Combined in a single tool with no sandboxing guidance, the scanner flags it as a dangerous capability combination.

A food database connector (mcp.so, Grade F): 5 critical findings. Every one of them a prompt injection pattern embedded in the tool's description. The tool itself might be harmless, but its description contains content that could hijack the agent's behavior.

What the registries don't check

None of the five registries we scan perform security analysis before listing a skill. The publishing flow is: submit, get listed, done.

This is the same gap that existed in early package managers before npm audit, pip-audit, or GitHub's Dependabot. The difference is that package managers eventually added security scanning. AI agent registries haven't. And the attack surface is different: instead of dependency vulnerabilities, the threats are prompt injection, credential exfiltration, and behavioral manipulation.

The closest analogy is browser extensions before Chrome Web Store reviews. Anyone could publish, users installed based on descriptions, and the damage was done before anyone noticed.

Registry comparison

Not all registries are equal.

ClawHub has the most findings per skill (1.52 findings/skill) because it exposes the most content. Full READMEs, tool descriptions, install scripts. More text, more findings. But also more transparency. A registry that hides content isn't necessarily safer, just harder to scan.

PulseMCP has exactly 1 finding across 8,621 skills. This doesn't mean PulseMCP skills are secure. It means the registry exposes almost no scannable content. Minimal descriptions, no READMEs, no tool definitions. The scanner can only analyze what it can see.

mcp.so sits in between: structured metadata plus some descriptions, producing 0.17 findings/skill. Lower than ClawHub, but the critical finding rate per skill is comparable when you normalize for content volume.

The takeaway: finding count alone is not a quality metric. Content visibility is. Registries that expose more are not worse. They're more auditable.

False positives and what we do about them

Not every finding is a real threat. A README that explains "to install, run curl | sh" is documentation, not an attack. A skill that mentions "API key" in its setup instructions isn't leaking credentials.

We track false positive rates through a classification pipeline that runs heuristics on every finding:

  • Documentation install commands (pip, npm, brew, apt, cargo, go) in instructional context get classified as likely FP
  • Code examples inside fenced markdown blocks get severity-downgraded automatically
  • Template variables (${API_KEY}, OP_CONNECT_TOKEN=) are distinguished from actual credentials
  • Shell profile PATH modifications in setup instructions are filtered

After four rounds of FP reduction against the production dataset, the scanner's precision sits around 82%. Roughly 1 in 5 findings needs manual review to determine if it's a real concern. For a static scanner running against unstructured markdown content with no type system and no AST, that's a defensible number. We're continuing to improve it.
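To make the context handling described in this article concrete (the curl | sh downgrade for code blocks under Installation/Setup headings, the instruction-override and hidden-HTML-comment injection patterns, and the template-variable versus real-credential distinction), here is an added example of a line-oriented markdown scanner in Go. It is illustrative code written for this article, not Aguara's implementation: the rule ids, the regexes, and the one-notch downgrade policy are assumptions.

```go
package main

import (
	"regexp"
	"strings"
)
// Finding is one rule match with its severity after context adjustment.
type Finding struct{ Rule, Severity string; Line int }
// Illustrative rules: the ids and regexes are invented for this example, not Aguara's.
var rules = []struct {
	id, sev string
	re      *regexp.Regexp
}{
	{"PIPE_SH", "CRITICAL", regexp.MustCompile(`(?i)\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z)?sh\b`)},
	{"PI_OVERRIDE", "HIGH", regexp.MustCompile(`(?i)\b(ignore|disregard)\s+(all\s+)?(previous|prior|your)\s+(instructions|guidelines)`)},
	{"PI_HIDDEN", "HIGH", regexp.MustCompile(`(?i)<!--.*\b(you must|always|never|run|execute)\b.*-->`)},
	{"CRED_ASSIGN", "HIGH", regexp.MustCompile(`\b[A-Z_]*(TOKEN|SECRET|API_KEY)\s*=\s*(\S*)`)},
}
// Assumed policy: a match inside a code block under a docs heading steps down one notch.
var downgrade = map[string]string{"CRITICAL": "MEDIUM", "HIGH": "LOW"}
var docHeading = regexp.MustCompile(`(?i)^#+\s*(install|setup|getting started)`)
// Scan walks a markdown skill file line by line, tracking heading and fence state so docs examples score lower.
func Scan(doc string) []Finding {
	var out []Finding
	inFence, underDocs := false, false
	for i, line := range strings.Split(doc, "\n") {
		if strings.HasPrefix(strings.TrimSpace(line), "\x60\x60\x60") { // triple-backtick fence
			inFence = !inFence
			continue
		}
		if !inFence && strings.HasPrefix(line, "#") {
			underDocs = docHeading.MatchString(line)
			continue
		}
		for _, r := range rules {
			if m := r.re.FindStringSubmatch(line); m != nil {
				sev, v := r.sev, m[len(m)-1]
				if r.id == "CRED_ASSIGN" && (v == "" || v[0] == '$' || v[0] == '<') {
					sev = "LOW" // empty, ${VAR} or <placeholder> value: a template, not a secret
				}
				if d, ok := downgrade[sev]; ok && inFence && underDocs {
					sev = d // install command shown in docs, not what the agent runs
				}
				out = append(out, Finding{r.id, sev, i + 1})
			}
		}
	}
	return out
}
```

Scan reports the line number of every match, so a reviewer can see whether a CRITICAL piped-shell hit sits in a README install section or in a tool description the agent would act on.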

What this data means for you

If you're building AI agents:

Scan before you install. Aguara MCP gives your agent security scanning as a tool. One tool call before installing a skill. Milliseconds, fully local, no API keys.

# Add security scanning to Claude Code
claude mcp add aguara -- aguara-mcp

# Add to any MCP client
# The agent gets scan_content, check_mcp_config, list_rules, explain_rule

If you're running a registry:

Consider adding security metadata. Even basic scanning would let users filter by security grade before installing. The scanner is open source, the rules are Apache-2.0 licensed, and the API is designed to be embedded.

If you're a security researcher:

The data is public. Aguara Watch shows findings per skill, per registry, updated daily. If you find something we're missing, the rule format is documented and contributions are welcome.

The scanner

Aguara is open source. One Go binary. 148 rules across 13 threat categories. No LLM, no cloud, no API keys. Scans a directory of skill files in milliseconds.

# Install
curl -fsSL https://raw.githubusercontent.com/garagon/aguara/main/install.sh | bash

# Scan your MCP configs
aguara scan --auto

# CI mode (non-zero exit on findings)
aguara scan . --ci

The data in this article comes from running it at scale. The same scanner runs on your laptop.

Code, rules, and the full observatory at github.com/garagon/aguara.

Explore the data yourself

Aguara Watch scans 31,000+ skills across 5 registries. Updated 4x daily.