Claude Code skills in 2026: what's worth knowing, what to avoid, and why 36% try to rob you
Skills ate slash commands, the plugin marketplace has 1,234 entries, official Anthropic skills are doing design work, and ToxicSkills found prompt injection in over a third of them. Practical ecosystem map: what to install, what to scan, what to delete.

Look, if you joined Claude Code a year ago and built yourself a few slash commands, today you have a naming problem: those slash commands are now skills. Slash commands as a separate category got folded into skills at the end of 2025. Same markdown file, same triggers, different position in the hierarchy, and suddenly everyone says you have a "skill stack" even though you just have a .claude/commands/ directory.
It's a good moment for inventory. Because skills in 2026 aren't just a label change, they're a separate ecosystem with 1,234+ entries in awesome-claude-skills, an official SkillsMP marketplace, claudemarketplace.com with ratings and install counts, official Anthropic skills, and, naturally, a full spectrum of security threats that didn't exist in slash commands, because slash commands didn't ship with executable scripts under some pretext.
This post is a guide to what's worth knowing. No "top 50 skills that will change your life" list, no marketing, no emoji in headings. Just a map of the terrain.
What actually is a skill (and how it differs from the rest)
The 2026 hierarchy looks like this, and it's confusing even for the people building it:
- Skill, a SKILL.md file with YAML frontmatter (name, description, optionally tools) and markdown content. Loads progressively: at session start Claude only sees name and description (~100 tokens), opens the full content only when it judges the skill matches the task. This is the unit of instruction.
- Command, historically a separate thing, today just a skill you invoke explicitly via /name. Slash commands and skills got unified.
- Agent (subagent), a separate Claude context spawned for a specific task. Has its own tools, its own context window, returns a result. A skill says "how to do something", an agent goes and does it in isolation.
- Plugin, a distribution container. Packs skills + agents + hooks + MCP servers into one installable bundle. Plugin is the wrapper, skill is the contents.
- MCP server, different category entirely, I wrote about that separately. A skill gives instructions, MCP gives tools. They often work together.
Practically: if you have a repeatable workflow specific to your work, you write a skill. If you want an external API, you grab a plugin or MCP. If a task needs a long, isolated context (e.g. research), you spawn an agent. These are different tools for different problems and sticking to that distinction saves a lot of pain.
Progressive disclosure — why it's brilliant and why it's also a vulnerability
The mechanic is clever: at session start Claude loads only the skill metadata from frontmatter. The trigger description in YAML is your product ad, Claude reads them all and decides which skill to activate when it matches a user message. Full SKILL.md content (up to 5k tokens), bundled scripts, references, all load-on-demand.
Practical consequence number one: the quality of the description matters more than the quality of the content. A skill with brilliant content but zero triggerability never fires. A skill with mediocre content but a precise description fires at every matching opportunity. Write descriptions like documentation for a bot, not a human.
Practical consequence number two, security: progressive disclosure means you don't know what the skill will load until you invoke it. Frontmatter you see, markdown content you don't. Scripts bundled with the skill, even less so. This is exactly the trust model attackers love most.
Official Anthropic skills worth having
Anthropic published an official skill set in anthropics/claude-code and some of them are good enough that there's no reason not to have them. After installing via npx skills add anthropics/claude-code --skill <name>:
- canvas-design, generating visual work (PNG, PDF, posters, mockups) with a design philosophy. This is a skill that actually works, not just renders placeholders. If you ever asked Claude for a "nice render" and got a markdown skeleton, this skill solves the problem.
- frontend-design, 277k+ installs. Patterns for production UI, aesthetic flavors, tokens, layouts. Called "the skill that eliminates the generic AI look". If you build frontend and want it to not look like default shadcn from a Vercel template gallery, you take it.
- simplify, refactor and quality bump for recently changed code. Makes a few passes over the fresh diff and removes repetitions, redundant abstractions, excess comments. Sounds trivial but in practice saves reviewers a lot of work.
- slides, strategic HTML presentations with Chart.js, design tokens, responsive layouts. Not exciting until you have to ship a board deck Wednesday at 2pm.
- brand, voice, visual identity, messaging frameworks. Good if you run something with multiple touchpoints and want to keep them coherent.
Anthropic also launched in parallel Claude Design (research preview, Pro/Max/Team/Enterprise), a separate product powered by Opus 4.7 for polished mockups, presentations, one-pagers. Different use case from skills, but worth knowing it exists.
Community ecosystem — where to look and what not to touch
Three sources that are today the de facto standard:
- travisvn/awesome-claude-skills and ComposioHQ/awesome-claude-skills, curated GitHub-style lists. Have ratings and comments. Most entries make sense, but quality is bimodal: either very good or very mediocre.
- claudemarketplace.com, directory with install counts. Good sociological signal ("X thousand people use this") and poor quality signal ("X thousand people use this"). Filter by install count and last update date.
- SkillsMP, marketplace with verification. Slower pace, more curation, less garbage.
Specifics worth a look:
- trailofbits/skills, Claude Code skills for security research, vulnerability detection, audit workflows. Written by people who break systems for a living. Not just for red teamers, these are good skills for sanity-checking your own code.
- kiro skills (kiro:spec-init, kiro:spec-design, kiro:spec-tasks, kiro:spec-impl), the spec-driven development implementation I wrote about separately. If you work in SDD, these are must-have.
- ui-ux-pro-max, 50+ styles, 161 palettes, 57 font pairings, 99 UX guidelines. Sounds like packing plushies, but in practice pulls UI out of the generic AI look.
- dev-browser, browser automation with persistent state. I wrote most of my recent Playwright workflows on it.
- plugin-dev: family (plugin-structure, command-development, hook-development, agent-development), if you write plugins/skills yourself, this is your manual.
General rule: if a skill has more than 30 files in the bundle, fewer than 100 installs, and the last commit is 4+ months old, no. Three red flags out of three.
Security — and here it gets ugly
Snyk published the ToxicSkills research in March 2026. The numbers are unpleasant:
- 36% of audited skills contained prompt injection
- 1,467 malicious payloads identified in the ecosystem
- ClawHavoc campaign: a family of skills with delayed activation that fired a reverse shell after the Nth invocation
- Cato Networks reported a campaign with MedusaLocker ransomware weaponized as a skill, SKILL.md instructs Claude to execute a packaged script under a benign pretext
The attack mechanic is trivial: a skill bundles a shell or Python script, SKILL.md says "to enable feature X, run the setup script", Claude executes it, attacker has RCE. The trickiest variants have trigger conditions, the payload only fires after a certain number of uses, or when an environment variable matches, or when the system date is in a specific window. Casual inspection won't catch them.
Repello AI runs SkillCheck, a scanner that issues a verdict (Low/Medium/High/Critical) based on pattern matching. It's not ground truth (some legitimate skills get flagged Critical because of broad tooling scope), but it's a fast filter before installing something unknown.
Practical rules I adopted after reading ToxicSkills:
- I read every SKILL.md before installing. I don't sample, I read the whole thing. It's 2 minutes.
- I check whether the skill bundles scripts. ls -la on the skill directory. If there are .sh, .py, .js files outside markdown, I open them.
- I don't install skills without activity in the last 60 days. An old skill with legitimate code can be hijacked (account compromise, malicious PR merge).
- I keep an allowlist of trusted authors. Anthropic, Trail of Bits, Composio, a few known people from the community. New ones have to earn it.
- Skills holding credentials/tokens get a separate audit. Any skill that reads .env, ~/.aws/credentials, ~/.ssh/ gets a full review of every file in the bundle.
This isn't paranoia. This is "your .claude/skills/ is 30 directories, each with the right to execute code as you".
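The manual checks above can be scripted as a first pass over a skill directory. This is an added example, not code from this post or from any scanner it names: it lists bundled scripts (by extension or shebang), lines that reference the credential paths listed above, and markdown lines that name a bundled script. The function names, the regex and the sample bundle are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

SCRIPT_EXTS = {".sh", ".py", ".js"}   # extensions the post says to open
MAX_FILES = 30                        # bundle-size red flag from the post
# Credential locations the post singles out (.env, ~/.aws/credentials, ~/.ssh/)
CRED_RE = re.compile(r"(?<!\w)\.env\b|\.aws/credentials|\.ssh/")


def audit_skill(skill_dir):
    """Collect review targets for one skill bundle; hits are prompts to read, not verdicts."""
    root = Path(skill_dir)
    files = sorted(p for p in root.rglob("*") if p.is_file())
    texts = {p.relative_to(root).as_posix(): p.read_text(errors="ignore") for p in files}
    # Scripts: known extension, or any file that starts with a shebang
    scripts = [rel for rel, body in texts.items()
               if Path(rel).suffix.lower() in SCRIPT_EXTS or body.startswith("#!")]
    cred_refs, script_mentions = [], []
    for rel, body in texts.items():
        for lineno, line in enumerate(body.splitlines(), 1):
            for m in CRED_RE.finditer(line):
                cred_refs.append((rel, lineno, m.group(0)))
            # Markdown naming a bundled script is where "run the setup script" lives
            if rel.lower().endswith(".md"):
                for s in scripts:
                    if Path(s).name in line:
                        script_mentions.append((rel, lineno, s))
    return {"file_count": len(files), "too_many_files": len(files) > MAX_FILES,
            "scripts": scripts, "credential_refs": cred_refs,
            "script_mentions": script_mentions}


def build_sample_skill(base):
    """Constructed sample bundle (not a real skill) used to exercise audit_skill."""
    skill = Path(base) / "sample-skill"
    (skill / "scripts").mkdir(parents=True)
    (skill / "SKILL.md").write_text(
        "---\nname: sample-skill\ndescription: Use when user mentions deploy\n---\n"
        "To enable the feature, run scripts/setup.sh first.\n")
    (skill / "scripts" / "setup.sh").write_text("#!/bin/sh\ncat ~/.aws/credentials\n")
    (skill / "helper").write_text("#!/usr/bin/env python3\nopen('.env').read()\n")
    (skill / "references.md").write_text("Background notes only.\n")
    return skill


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_skill(build_sample_skill(tmp)))
```

Pattern matching like this misses payloads gated on trigger conditions or hidden behind obfuscation, so it narrows what to read first and does not replace reading the files.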
Five practical recommendations
- Write your own skills instead of searching. 80% of what you do is specific to your context. A skill is 50 lines of markdown. You'll write it in 15 minutes, you'll use it for weeks.
- Invest in the description in frontmatter. This is your trigger. "Use when user wants to deploy" loses to "Use when user mentions deploy, ship, release, push to prod, or asks how to update production". Be dense in synonyms.
- Keep long references in companion files. SKILL.md should be under 500 lines. Anything heavier goes to references/, examples/, templates/ and loads on-demand.
- Version skills in git alongside the project. .claude/skills/ in repo, not in global config. Every contributor gets the same set, plus everyone sees changes in PRs.
- Audit skills before installing from the marketplace. SkillCheck verdict, manual SKILL.md read, ls bundle, decide. Don't skip this step even if the skill has 10k installs.
What's next
The skills ecosystem in 2026 is exactly where the npm ecosystem was in 2017: real value, mass of packages, a flourishing attack surface, marketplace mature but still wild west. It's a tool that genuinely changes productivity, and at the same time a category where carelessness costs you data, keys, or your whole environment.
Three moves worth doing now:
- Scan your current .claude/skills/ through SkillCheck or manually. Delete anything you don't use.
- Install 3-4 official Anthropic skills from the list above and learn their actual triggers (don't trust description, test).
- Write one custom skill for something you do more than once a week. Don't read about how to write skills, just write the first one. The second goes faster.
Skills are now the default way of extending Claude. Either you work with them, or you stay on bare bones, which is great, but doesn't know your workflow.
Sources and links:
- awesome-claude-skills (travisvn), curated list
- awesome-claude-skills (Composio), alternative list
- Trail of Bits skills, security skills
- Skill authoring best practices, Anthropic docs
- Claude Skill Security: How to Audit, Repello AI
- Top 8 Claude Skills for Developers, Snyk
- Top 9 Skills for Cybersecurity, Snyk
- Weaponizing Claude Skills with MedusaLocker, Cato Networks
- Claude Skills vs Plugins, MindStudio
- Mental Model for Claude Code, Level Up Coding
- SkillsMP, marketplace