The Blind Spot Every Scanner Missed

Anthropic Skills have a new attack vector, and every major scanner is blind to it. The malicious code doesn't hide in SKILL.md and doesn't attempt prompt injection. It rides in on a test file, executes during npm test, and walks away with your SSH keys, cloud credentials, and deployment tokens. Your scanner passes the skill with a green light. The damage is already done.
What scanners actually check
Current Anthropic Skill scanners—Snyk Agent Scan, Cisco’s AI Agent Security Scanner, and VirusTotal Code Insight—analyze a narrow execution surface. They inspect the SKILL.md markdown instructions, scan for prompt injection patterns, and detect shell commands the agent is instructed to run. These tools work exactly as designed. They catch the threats that live in the agent interaction layer.
What they do not do is look beyond that layer to the developer toolchain sitting in the same directory. The scanners assume the threat lives in instructions meant for the agent. That threat model is incomplete: it leaves out everything in the skill directory that your own tools execute without asking the agent.
Why test files execute with full permissions
Here is the critical misunderstanding: test files don’t run through the Anthropic agent at all. They execute through Jest, Vitest, or Mocha—the same test runner you use every day. When you run npx skills add owner/repo-name, the installer copies the entire skill directory into .agents/skills/<skill-name>/. That directory is designed to be committed and shared across your team.
Your test framework doesn't know this directory is special. Jest and Vitest both pass dot: true to their glob engines by default, so they discover test files inside dot-prefixed directories like .agents/. The test runner treats them as first-class tests. They execute as whoever invoked the test command, with that user's filesystem access and environment variables and, during CI, every secret the job can reach.
No scanner inspects these files because no scanner was built to treat the developer execution surface as a threat vector. That is the blind spot.
Stop Adding Skills Without Auditing Test Files

If you added a Skill this week, stop. Audit the test files before your next npm test. The attack does not require the agent to run. It does not require any user interaction. The payload fires the moment your test runner discovers the file.
How the attack executes
Gecko Security researcher Jeevan Jutla demonstrated the attack flow in detail. An attacker publishes a Skill with a clean SKILL.md—one that passes every scanner check. Bundled inside is a file like tests/reviewer.test.ts containing a beforeAll hook. When you run npm test, Jest discovers this file through recursive glob patterns. The beforeAll block executes during test setup—before any assertions run.
The hook reads process.env, scans for .env files, exfiltrates ~/.ssh/ private keys and ~/.aws/ credentials, and posts everything to an external endpoint. The test cases look legitimate. The exfiltration happens silently. Nothing in the test output flags anything unusual.
What credentials are exposed in CI
In continuous integration, process.env contains everything your pipeline knows. Deployment tokens, cloud API keys, OAuth credentials, database connection strings, registry authentication—every secret your CI configuration touches becomes accessible to any test file discovered during the run. The attack doesn’t need agent privileges. It already has developer privileges through the test runner.
The Skill vector is particularly dangerous because the malicious directory propagates to every teammate who clones the repository. It sits in .agents/skills/, which GitHub’s default .gitignore templates do not exclude. Every developer who runs tests executes the payload. So does every CI pipeline on every branch and every fork that inherits the test suite.
Add These Exclusions Before Your Next npm test

You need to exclude skill directories from test discovery. Do this now, before your next test run. The configuration changes are specific and immediate.
Jest and Vitest configuration
For Jest, add this to your jest.config.js (testPathIgnorePatterns is a list of regular expressions matched against the absolute test path, which is why the dot is escaped; note that modulePaths only affects module resolution and removes nothing from test discovery):
testPathIgnorePatterns: ['/node_modules/', '<rootDir>/\\.agents/', '<rootDir>/\\.claude/', '<rootDir>/\\.cursor/']
For Vitest, add this to vitest.config.ts under the test section (the array replaces Vitest's default exclude list, so spread in configDefaults.exclude from vitest/config rather than retyping the defaults):
exclude: ['**/node_modules/**', '**/dist/**', '**/.agents/**', '**/.claude/**', '**/.cursor/**']
Both configurations prevent test runners from discovering files inside skill directories. This blocks the attack vector at the toolchain layer. Your skills will still function, since the agent reads SKILL.md normally. Only the test discovery path is closed. Verify the change before trusting it: run npx jest --listTests and confirm that no path under .agents/, .claude/, or .cursor/ appears in the output.
Python repos: conftest.py risk
If you work with Python Skills, the exposure follows the same pattern through conftest.py. Pytest imports every conftest.py it encounters during test collection, before any test runs, so an attacker bundling a malicious conftest.py achieves identical code execution. One caveat: pytest's default norecursedirs already includes the pattern .*, so a bare pytest invocation from the repository root does not descend into .agents/. The risk materialises when someone passes that directory (or a path beneath it) on the command line, when norecursedirs has been overridden, or when a skill is vendored under a directory that is not dot-prefixed.
Restrict collection in pyproject.toml and ignore the skill directory explicitly:
[tool.pytest.ini_options]
testpaths = ["tests"]
python_files = "test_*.py"
pythonpath = "."
addopts = "--ignore=.agents"
The critical addition is the ignore: --ignore=.agents, either in addopts as above or on the test command in your CI configuration, prevents pytest from collecting anything under .agents/ even when a path inside it is supplied, so no bundled conftest.py is ever imported. Note that testpaths alone only narrows the default search; it does not stop an explicitly passed path from being collected.
Demand Scanner Updates or Build Your Own Check
The structural blind spot will not fix itself. All three scanners named above operate on the same assumption, that the threat lives in the skill instructions meant for the agent. That assumption is now demonstrably incomplete.
What the next generation of scanners needs
Scanner vendors need to expand their threat model beyond the agent execution surface. The next generation of tools must scan test files—*.test.ts, *.spec.ts, conftest.py—as part of the default execution surface. They need to detect beforeAll and beforeEach hooks that access process.env, filesystem APIs, or network calls. They need to flag skills that bundle test files at all.
Demand this capability from your vendors. If your security tooling does not inspect test execution surfaces, file a bug report. Treat it as a vulnerability.
Your interim defense checklist
Until scanners update, protect yourself with these immediate steps:
- Audit every skill before adding it. Review any *.test.ts, *.spec.ts, or conftest.py file in the skill directory. If you didn't expect a test file, don't add the skill.
- Exclude skill directories from test discovery. Apply the Jest/Vitest exclusions above before your next test run.
- Block .agents/ in your CI pipeline. Add --ignore=.agents to your pytest commands in CI configuration; for Jest and Vitest the config exclusion above applies in CI as well, because CI reads the same config file.
- Review your .gitignore. Ensure .agents/, .claude/, and .cursor/ are excluded if you do not intentionally commit skills.
- Rotate CI credentials now. If you have added untrusted skills in the past 30 days, treat your CI environment variables as compromised. Rotate every token, key, and credential accessible to your pipeline.
The attack vector is real, documented, and actively exploitable. Eight malicious skills remain available on ClawHub as of the Snyk audit. Your scanners passed every check. Your next test run might not.

Hi, I’m Cary Huang — a tech enthusiast based in Canada. I’ve spent years working with complex production systems and open-source software. Through TechBuddies.io, my team and I share practical engineering insights, curate relevant tech news, and recommend useful tools and products to help developers learn and work more effectively.