
npm v12 and pnpm can't stop 341 malicious AI skills
A supply-chain breach in the ClawHub AI skill marketplace exposed 341 malicious skills, despite npm v12 blocking install scripts and pnpm enforcing a 1-day cooldown. A static-plus-LLM scanner called skill-firewall caught these attacks in a layer that package-manager defenses never reach [DevTo].
npm v12 blocks install scripts by default and pnpm ships with an automatic 1-day release-age cooldown [DevTo]. However, these measures do not protect AI skill marketplaces that bypass the package manager entirely. The ClawHub breach exposed 341 malicious skills, which were caught by skill-firewall, a two-stage scanner that runs static signature checks and then uses Claude 2-coded LLM analysis for uncertain cases [DevTo]. In internal testing, the tool flagged 11.9% of newly submitted skills as malicious. The scanner also catches symlink-trap payloads that would otherwise execute after a skill is installed, a class of attack npm’s cooldown never sees [DevTo].
The ClawHub breach shows that attackers can ship malicious code directly to agents, sidestepping the npm registry entirely [DevTo]. Combining static signatures with LLM reasoning cuts false positives: when the static stage alone flagged 78% of submissions, the LLM filter reduced the final acceptance rate to under 1% [DevTo]. Warning the AI agent to reject malicious skills led to immediate remediation, whereas user-facing pop-ups were ignored in 63% of cases [DevTo].
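To make the two-stage triage concrete, the following is an added example, not skill-firewall's own code (its internals and ClawHub's skill format are not described here): a static first stage over a skill archive that flags symlink-trap payloads outright and escalates install hooks to the LLM review stage instead of rejecting them. The manifest name `skill.json`, the hook keys and the sample archives are assumptions.

```python
import io, json, posixpath, tarfile
# Static-stage verdicts; "review" hands the skill to the LLM stage (not shown here).
MALICIOUS, REVIEW, CLEAN = "malicious", "review", "clean"
MANIFEST = "skill.json"  # assumed manifest name, not ClawHub's real format
HOOK_KEYS = {"preinstall", "install", "postinstall"}
def _escapes_root(path):  # does the normalised path point outside the extraction root?
    norm = posixpath.normpath(path)
    return posixpath.isabs(path) or norm == ".." or norm.startswith("../")
def static_scan(tar_bytes):
    """Inspect archive members without extracting; return (verdict, findings)."""
    findings, traps = [], set()  # traps: symlinks whose target leaves the root
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            name = posixpath.normpath(m.name)
            if m.issym():
                target = m.linkname if posixpath.isabs(m.linkname) else \
                    posixpath.join(posixpath.dirname(name), m.linkname)
                if _escapes_root(target):
                    findings.append(f"symlink escapes root: {name} -> {m.linkname}")
                    traps.add(name)
            # Symlink trap: the link is extracted first, then a later member is written
            # *through* it and lands outside the tree (e.g. in the user's $HOME).
            parent = posixpath.dirname(name)
            while parent not in ("", "."):
                if parent in traps:
                    findings.append(f"write through symlink: {name} via {parent}")
                    break
                parent = posixpath.dirname(parent)
            if m.isfile() and name == MANIFEST:
                hooks = HOOK_KEYS & set(json.load(tar.extractfile(m)).get("scripts", {}))
                if hooks:
                    findings.append(f"install hook: {sorted(hooks)}")
    if any(not f.startswith("install hook") for f in findings):
        return MALICIOUS, findings  # hard signature, no LLM stage needed
    return (REVIEW if findings else CLEAN), findings
def build_skill(members):  # constructed test input from (name, kind, data) tuples
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, data in members:
            info = tarfile.TarInfo(name)
            if kind == "symlink":
                info.type, info.linkname = tarfile.SYMTYPE, data
            else:
                info.size = len(data.encode())
            tar.addfile(info, io.BytesIO(data.encode()) if kind == "file" else None)
    return buf.getvalue()
# Constructed samples, not real ClawHub skills.
TRAP_SKILL = build_skill([("home", "symlink", "../../.."),
                          ("home/.bashrc", "file", "# lands in the victim's $HOME")])
HOOK_SKILL = build_skill([(MANIFEST, "file", json.dumps({"scripts": {"postinstall": "node setup.js"}}))])
CLEAN_SKILL = build_skill([(MANIFEST, "file", "{}"), ("SKILL.md", "file", "# demo")])
```

The scan never extracts anything, so it can run on untrusted archives before any install step; Python 3.12's `tarfile` data filter would also refuse these members at extraction time, but triage before extraction is what lets the marketplace reject or escalate a submission.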
A dedicated scanning layer that understands both code signatures and the semantics of LLM-generated code is necessary to keep the ecosystem safe [DevTo]. The supply chain now spans skill marketplaces, container registries, and model hubs, each with its own attack surface. Relying solely on package-manager defenses is insufficient to protect AI-driven pipelines.