Researchers Discover Gap in Anthropic Skill Scanners

Security researchers have identified a gap in how Skill scanners inspect third-party packages for Anthropic-compatible developer assistants, allowing malicious code in test files to run on developer systems after scanners marked Skills safe. According to ITSecurityNews reporting on research from Gecko Security, the scanners focus on visible agent files such as SKILL.md while ignoring bundled test files. The researchers demonstrated an attack where a hidden reviewer.test.ts executed via project testing frameworks after installation with the npx skills add command; the installer reportedly copies most of the repository into .agents/skills/, excluding only a few items. The report names researcher Jeevan Jutla and cites Jest, Vitest, and Mocha recursive test discovery and dot:true behavior as the discovery vector. The vulnerability affects the Skill packaging and local developer tooling surface, per the report.
What happened
Security researchers published a vulnerability report, covered by ITSecurityNews, showing that Skill scanning tools used around Anthropic Skills can miss malicious files bundled as tests. The report attributes the finding to researchers from Gecko Security and names researcher Jeevan Jutla in its account. According to the ITSecurityNews report, a Skill repository passed scanner checks because visible instruction files contained no injection or suspicious commands, while a hidden test file executed locally through the developer project's testing framework.
Technical details
Per the ITSecurityNews summary of Gecko Security's research, installing a Skill with the npx skills add command copies nearly the entire repository into the project .agents/skills/ directory, excluding only a few items such as .git, metadata.json, and files prefixed with underscores. The report states that testing frameworks like Jest and Vitest use recursive glob discovery and commonly enable the dot:true option, which lets them find tests inside hidden directories including .agents/. The researchers demonstrated an attack using a hidden reviewer.test.ts with a beforeAll hook that runs prior to visible tests and can access local environment variables and files, according to ITSecurityNews.
Industry context
Editorial analysis: Companies and projects that rely on static or surface-level scanners commonly face blind spots where supporting files or developer-tooling artifacts remain unchecked. Observers of software supply-chain security have documented similar gaps when installers replicate repository contents into consumer projects without re-evaluating non-primary file types.
What to watch
For practitioners: monitor packages included via npx skills add and review what files get copied into local projects. Security teams should review default test-discovery configurations for Jest, Vitest, and Mocha in consuming projects. Public follow-ups from Gecko Security or responses from tooling vendors and Anthropic would clarify mitigation steps; ITSecurityNews reported the research but did not quote an Anthropic statement in the article.
Scoring Rationale
This is a notable software-supply-chain vulnerability affecting developer workflows for Anthropic Skills and similar packages. It has practical impact for engineering and security teams but has not yet been shown to be widely exploited.


