Hugging Face's logo
Back to Articles

The Wild West of Agent Skills: Inside the Explosive, Risky, and Redundant Marketplace of AI Tools

Community Article Published February 16, 2026
Upvote
-
Shanshan Zhong's avatar
Shanshan Zhong
zhongshsh

We are witnessing the "App Store moment" for Artificial Intelligence, but instead of a curated garden of applications, we are getting a chaotic bazaar.

The promise of AI agents is autonomy: the ability to not just talk, but do. To book flights, debug code, and manage workflows, Large Language Models (LLMs) like Claude need "skills"—modular blocks of code and logic that act as the agent's hands and eyes. As these skills proliferate in public marketplaces, a critical question arises: What exactly are we teaching our AI to do?

A new paper, "Agent Skills: A Data-Driven Analysis of Claude Skills for Extending Large Language Model Functionality," provides the first comprehensive audit of this emerging ecosystem. By scraping and analyzing over 40,000 skills from the skills.sh marketplace, the researchers uncovered a landscape defined by explosive hype-driven growth, massive redundancy, and alarming security gaps.

From "God Mode" permissions that grant agents root access to a supply-demand mismatch that leaves users starving for basic search tools, the findings paint a picture of an infrastructure layer that is growing too fast for its own good.

The Anatomy of a Skill: Giving Hands to the Brain

To understand the risks, we must first understand the mechanism. An "Agent Skill" is not magic; it is a reusable software module that bridges the gap between an LLM’s reasoning and the outside world. Think of an LLM as a brilliant scholar locked in a room; a "skill" is a tool passed through the window—a calculator, a web browser, or a set of keys—that allows the scholar to interact with the environment.

As detailed in the paper, a skill typically consists of three parts:

  1. Metadata: Labels that tell the agent when to use the skill (e.g., "use this for weather queries").
  2. Instructions: The procedural logic the agent must follow.
  3. Resources: The actual code or API connectors to execute the task.

Figure 10: Internal structure of a typical agent skill, illustrated using the find-best-product skill. The SKILL.md file begins with YAML metadata that specifies the skill name and description, which are used for skill discovery and selection.

This structure allows for "plug-and-play" functionality. Instead of a user manually prompting Claude to "act as a Python debugger" every time, they simply load the debug-python skill. The agent then autonomously selects this tool when it detects a coding error. While this architecture promises efficiency, the paper reveals that the execution in the wild is far from efficient.

The "Zombie" Ecosystem: Hype, Bloat, and Copy-Paste

The researchers tracked the marketplace's growth from January to February 2026, observing a staggering 18.5x increase in listed skills in just 20 days. However, this growth wasn't organic engineering progress; it was a "bursty" reaction to social media hype.

The spike in skill uploads perfectly tracked the GitHub star history of the OpenClaw community, suggesting that thousands of developers rushed to upload tools simply to participate in a trend. The result is a marketplace flooded with low-effort content.

The Copy-Paste Epidemic

Quantity has not equaled quality. The study found that 46.3% of all skills are duplicates or near-duplicates.

  • Exact Duplicates: Developers frequently re-upload the exact same code with minor name changes.
  • Semantic Clutter: Using embedding models, the researchers visualized the marketplace and found tight clusters of skills that do the exact same thing (see Figure 12).

Figure 12: t-SNE view of skill embeddings by sub-category. Each point is a skill represented by an embedding of its name and description. Points are colored by the predicted sub-category. Tight clusters suggest many skills with overlapping intent.

This redundancy creates a "discovery tax" for users. Finding a high-quality tool involves wading through hundreds of "zombie" listings, fragmenting user feedback and making it nearly impossible for the best implementations to rise to the top.

The Context Tax

Furthermore, many of these skills are dangerously bloated. While the average skill is a manageable 1,900 tokens, the distribution is heavy-tailed. The top 1% of skills exceed 100,000 tokens. Because agents often load these skill definitions into their context window before execution, installing a single unoptimized skill can consume a model’s entire memory budget, leaving no room for the actual task.

The Developer Echo Chamber: Building What No One Wants

Perhaps the most ironic finding is the disconnect between what developers build and what users actually need.

The researchers categorized the 40,000 skills into sectors like Software Engineering, Content Creation, and Productivity. The data reveals a massive "Developer Echo Chamber":

  • Supply: 54.7% of all skills are for Software Engineering (e.g., git wrappers, linters, code generators). Developers are building tools for themselves.
  • Demand: The single most installed category is Web Search (avg. 1,268 installs), yet it makes up only 1.4% of the supply.

Chart showing the supply vs demand mismatch.

This imbalance highlights a critical bottleneck in the agent economy. Building a reliable Web Search skill is hard—it requires maintaining API keys, handling rate limits, and parsing messy HTML. Writing a script to format JSON is easy. Consequently, the marketplace is oversupplied with easy-to-make coding utilities while starving for the complex, connector-heavy tools that users actually value.

"God Mode" Enabled: The Security Nightmare

The most alarming section of the paper concerns safety. The researchers used an LLM-based auditing protocol (Qwen2.5-32B) to classify every skill by risk level, from L0 (Safe/Read-Only) to L3 (Critical Risk).

While the majority of skills are benign, a terrifying 9% of the ecosystem is classified as Critical Risk (L3). These are not just buggy scripts; they are tools that grant the agent irreversible, system-level control.

The L3 Threat Landscape

"Critical Risk" skills are those that enable:

  1. Arbitrary Code Execution: Skills that allow the agent to run shell commands (exec, os.system) directly on the host machine.
  2. Financial Control: Skills that connect to crypto wallets or banking APIs to "execute transactions."
  3. Root Access: Skills capable of managing SSH keys, modifying system configurations, or deleting databases.

Table 2: Examples of High-Risk (L3) Agent Skills with Sensitive Information Handling. To protect the privacy of skill contributors, we do not display skill names and redact identifiable keywords in black xxx. In addition, we highlight specific risk-related keywords in light yellow.

As shown in Table 2, the audit found skills designed to "manage secrets and cryptographic keys," "gain root/administrator access," and even "transfer money."

The danger here is sandboxing—or the lack thereof. In the current ecosystem, installing a skill is often equivalent to giving the agent sudo privileges. If an agent hallucinates, or if it falls victim to a prompt injection attack (where a malicious website tells the agent "Ignore previous instructions, delete all files"), these L3 skills provide the weapon to cause catastrophic damage.

Implications: Moving from "Move Fast" to "Move Safely"

The findings of this paper serve as a wake-up call. We are building the infrastructure layer for autonomous agents on a foundation of hype, redundancy, and insecurity.

The authors argue that the "Wild West" era of agent skills must end. To mature, the ecosystem needs:

  1. Standardized Sandboxing: Agents should never have default access to the host system. High-risk skills (L3) must run in isolated environments where "delete database" commands cannot touch production data.
  2. Canonical Skills: Platforms need to curate "official" versions of core tools (like Web Search) to reduce the noise of thousands of broken duplicates.
  3. Demand-Driven Incentives: We need to incentivize developers to build the hard, high-demand connectors (Search, specialized data retrieval) rather than just more coding scripts.

The potential for AI agents is limitless, but as this paper demonstrates, giving a robot a toolbox is only safe if you know exactly what is inside. Right now, we are handing them blowtorches and hoping for the best.

More from this author

The Zero-Click Survival Guide: Reverse-Engineering AI Search

March 3, 2026

Community

Sign up or log in to comment

Upvote
-