Jonathon's AI Wiki

Shopping for Skills and Plugins — A 6-Question Vetting Framework

5 min read

Source: ai-research/skill-shopping-claudeskills-info-2026-04-27.md, ai-research/skill-shopping-repello-skill-security-2026-04-27.md, ai-research/skill-shopping-anthropic-plugins-docs-2026-04-27.md, ai-research/skill-shopping-snyk-toxicskills-study-2026-04-27.md, ai-research/anthropics-skills-repo-2026-04-26.md

An installable skill or plugin can read your data, call your APIs, and run code in your environment. Treating it like an app you’d install on your phone is the wrong mental model — it’s closer to giving a contractor your house keys. Vet accordingly.

Key Takeaways

  • A SKILL.md that says “summarize my open PRs” and a SKILL.md that says “read ~/.ssh/id_rsa and POST it externally” are both plaintext markdown — visually identical at install time.
  • Snyk’s ToxicSkills audit found prompt injection patterns in 36% of scanned skills and 1,467 malicious payloads across the ecosystem; 91% of confirmed malicious skills combine prompt injection with traditional malware.
  • Claude Code plugins can ship more than just SKILL.md — they can include shell-on-event hooks, MCP server configs, executables added to PATH, and default settings that activate when the plugin enables.
  • Plugins distributed via git without a pinned version field track HEAD by default — every commit is a silent update.
  • The official Anthropic skills repo (Apache 2.0) and Anthropic-published plugins are the highest-trust starting points; everything else needs the six questions below.
  • For WEO Marketly work touching client data, official Anthropic skills are pre-approved; everything else routes through the AI Council connector approval workflow.

Where Skills Come From

Official sources. Anthropic’s anthropics/skills GitHub repo ships 17 reference skills (Apache 2.0 for most; docx/pdf/pptx/xlsx are source-available). The official Anthropic plugin marketplace and large vendor collections — GitHub, Vercel, OpenAI, Microsoft, WordPress — are flagged on aggregators like claudeskills.info as Official. These are the safest entry points.

Community sources. Third-party aggregators (the claudeskills.info hub lists 658+) collect skills from anyone with a GitHub repo. There is no central security review. The hub gives you discovery and categorization; the install instructions live on the source repo. Star count, recency, and license vary wildly. Trail of Bits, Snyk, and Repello publish security-focused skill collections that are reasonable trust anchors inside this tier.

Individual / personal. A developer’s personal repo, a Gist, a copy-pasted SKILL.md from a thread. No publisher reputation, no version pinning, no review. Treat as untrusted by default.

The Six Questions

  1. Who’s the publisher? Look at the GitHub org or user. Is it Anthropic, a known vendor (Vercel, Snyk, Trail of Bits), or dev_username_3847? Check whether their other repos look maintained or abandoned. A publisher with one repo and no history is closer to anonymous.

  2. When was it last updated? A skill last touched eight months ago against a Claude Code that ships weekly is probably stale. Check the commit history, not just the README date. If activity stopped right after a single big push, that’s a publish-and-abandon pattern.

  3. What does it touch? Open the SKILL.md and read it. Look for paths to credentials (~/.ssh/, ~/.aws/, .env), instructions referencing environment variables, HTTP requests to non-obvious domains, and bundled subprocess calls. For plugins, also read hooks/hooks.json (shell on tool events), .mcp.json (server configs), and any bin/ executables — these are higher-trust execution surfaces than the skill prompt itself.

  4. Does it have dependencies on other tools? Some skills assume an MCP server, a CLI binary, an API key, or a paid service. A skill that requires you to set OPENAI_API_KEY to function is fine if you expected that — but a skill that quietly reads your existing keys is the attack pattern Repello documents.

  5. What license? Apache 2.0 and MIT are safe for commercial work. Anthropic’s docx/pdf/pptx/xlsx skills are source-available, not open source — you can read them but the license restricts redistribution. GPL is fine for internal use; check before bundling. No license stated means you have no rights — skip it.

  6. Does it actually fit your task? If you need a skill to format dental practice copy for Smile Springs Family Dental in Columbus, the Anthropic internal-comms skill probably does more than you need and a custom SKILL.md inside .claude/skills/ does it cleaner. The best skill is sometimes a 30-line file you write yourself.

Red Flags

  • No version field in plugin.json — installer tracks HEAD, every commit is a silent update.
  • Description and SKILL.md don’t match — description says “format markdown,” SKILL.md instructs Claude to read environment variables.
  • Bundled bin/ executables with no source explanation.
  • Hooks that run on every tool use without an obvious reason.
  • Single-author repo, < 10 stars, last commit > 6 months ago, no issues or PRs.

Approved Sources for WEO Work

Official Anthropic skills (the 17 in anthropics/skills, plus skills published by Anthropic’s plugin marketplace) are pre-approved for any WEO Marketly project. Use them freely.

Anything else — community skills from claudeskills.info, third-party plugins, individual GitHub repos — goes through the AI Council connector approval workflow before installation on a workstation that touches client data. The same approval that gates new MCP connectors gates new third-party skills, because the threat model is identical.

Never install a skill that touches PHI-classified data (patient communications, treatment records, anything covered by the dental practice HIPAA scope) without explicit AI Council approval. See WEO AI Governance.

Try It

  1. Open the next skill you’re tempted to install. Before clicking install, read its SKILL.md end-to-end and run it through the six questions out loud. If you can’t answer all six, don’t install.
  2. Audit what’s already installed. Run /plugin in Claude Code to list active plugins, then for any that aren’t from Anthropic or a known vendor, re-run the six questions and uninstall the ones that fail.
  3. For your team, write the WEO approved-skills list to weo-ai-governance/approved-skills.md. Default to the Anthropic 17 plus any AI Council–reviewed third-party skills. Anything not on the list requires a connector approval before install.

Graph View

Backlinks