7.1% of Public Agent Skills Leak API Keys: Why Your Agent's Skill Choices Matter

There are over 66,000 publicly listed agent skills right now. Nobody is reviewing them. I pulled a random sample to test something. 7.1% of the SKILL.md files I checked had embedded API keys, hardcoded credentials, or tool call patterns that would send data to unverified endpoints. Not obfuscated. Plain text. In files that agents are expected to download and execute autonomously. This isn't a minor QA issue. It's a structural problem with how public skill distribution works today. What Actually Leaks Agent skills are behavioral protocols — text files that tell agents how to act. The format is loose by design. A SKILL.md file might specify: Which API endpoints to call (and with what headers) How to handle authentication What tools to invoke How to format outputs for downstream systems When there's no review loop, maintainers accidentally ship real credentials. Sometimes it's a developer who copy-pasted from their .env while drafting the protocol. Sometimes it's a service account key tha

7.1% of Public Agent Skills Leak API Keys: Why Your Agent's Skill Choices Matter

Related Articles

Most People Quit Programming Right Before This Happens

Why Skill-Based Learning is Quietly Becoming the Real Standard of Education

Context: a vital pattern nobody talks about

Clean Code Won’t Save You in Production

The Skills That Make Great Developers Stand Out

Related Articles

How-To
Most People Quit Programming Right Before This Happens
Medium Programming • 1h ago

How-To
Why Skill-Based Learning is Quietly Becoming the Real Standard of Education
Medium Programming • 1h ago

How-To
Context: a vital pattern nobody talks about
Medium Programming • 1h ago

How-To
Clean Code Won’t Save You in Production
Medium Programming • 1h ago

How-To
The Skills That Make Great Developers Stand Out
Medium Programming • 2h ago