From 80eca740d6800518540d1b9342aba4550ba603ae Mon Sep 17 00:00:00 2001 From: didericis Date: Wed, 24 Jun 2026 09:32:19 -0400 Subject: [PATCH] docs(research): replace unsourced "20% malicious skills" with cited empirical figures The "~20% of ClawHub skills malicious" claim had no traceable source and is contradicted by the empirical literature. Replace with the Jan 2026 large-scale study (98,380-skill snapshot: 157 confirmed malicious, ~71% credential harvesters, exfiltration overwhelmingly naive) and add the arXiv citation. The corrected figures still support the supply-chain threat point and are defensible under scrutiny. Co-Authored-By: Claude Opus 4.8 Claude-Session: https://claude.ai/code/session_01YcU7nerbg8cVj9R4EkpfLJ --- docs/research/local-vs-remote-agent-execution.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/research/local-vs-remote-agent-execution.md b/docs/research/local-vs-remote-agent-execution.md index 72c85d1..be54735 100644 --- a/docs/research/local-vs-remote-agent-execution.md +++ b/docs/research/local-vs-remote-agent-execution.md 
@@ -22,7 +22,7 @@ escapes**, and **whether credentials are short-lived and scoped**. - Outbound: Docker containers have full internet access by default; no egress monitoring on most home networks - Lateral movement: compromised container can reach the LAN — NAS, other machines, internal services - Notable: CVE-2025-59536 (CVSS 8.7, Feb 2026) — a poisoned `.claude/settings.json` in a repo gives RCE when Claude Code opens it. `--dangerously-skip-permissions` removes the last gate. -- Supply chain: MCP servers, skills, and npm packages pulled during agent execution. ~20% of ClawHub skills were found malicious in early 2026. +- Supply chain: MCP servers, skills, and npm packages pulled during agent execution. A Jan 2026 large-scale empirical study of a 98,380-skill snapshot confirmed 157 malicious skills, ~71% of them credential harvesters. Exfiltration was overwhelmingly naive — plaintext HTTP to hardcoded endpoints; under 10% used any code obfuscation, and concealment was mostly at the documentation level, not the code level. ([Malicious Agent Skills in the Wild](https://arxiv.org/html/2602.06547v1), arXiv:2602.06547) **What local topology protects:** - No inbound attack surface — nothing listening on a public port
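Review bot: the new bullet's citation link is pinned to a specific rendered version (`https://arxiv.org/html/2602.06547v1`), so it will silently go stale if the paper is revised; link the abstract page (`https://arxiv.org/abs/2602.06547`) instead and keep `arXiv:2602.06547` as the stable identifier. Also reconcile the dates: the arXiv identifier `2602.xxxxx` denotes a February 2026 submission, so "A Jan 2026 large-scale empirical study" should make clear that January is the snapshot date rather than the publication date, otherwise the bullet reads as contradicting its own citation. Finally, since this line replaces a prevalence claim ("~20%") with a raw count, consider stating the proportion the numbers imply (157 of 98,380, roughly 0.16%) so the reader can see how far the old figure was off and why the supply-chain point still stands on the 71% credential-harvester share rather than on prevalence.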