Supply Chain Attack
Compromise through malicious or hallucinated dependencies referenced in skill files.
Supply chain attacks in the context of skill files involve two main vectors: hallucinated package references and dynamic package loading. Hallucinated packages are npm or pip (PyPI) dependencies that do not exist in the public registries: they may be typos, invented names, or placeholders that an attacker could register later. Dynamic loading fetches packages at runtime from URLs or custom registries, bypassing normal review.
When a skill file instructs the AI to install packages, those references should resolve to real, auditable packages. Fake or dynamically loaded packages can introduce malware, backdoors, or credential stealers into the developer's environment.
skillaudit verifies every npm and pip package reference against public registries (registry.npmjs.org and pypi.org). We also flag dynamic package loading patterns that fetch code from arbitrary URLs. Findings are linked to CWE-494 (Download of Code Without Integrity Check) and MITRE T1195 (Supply Chain Compromise).
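The following is an added example written for this page, not skillaudit's own implementation. It shows one way to perform the two checks described above: it pulls `npm install` and `pip install` instructions out of a skill file, flags install arguments that fetch from a URL, VCS, local path or non-default registry as dynamic loading, and looks the remaining bare package names up against the public registries (the `registry.npmjs.org/<name>` and `pypi.org/pypi/<name>/json` endpoints). The sample skill text, the package names in it and the `example.invalid` URLs are constructed; the `exists` callback is injectable so the audit can run offline against a stub.

```python
"""Added example (not skillaudit's code): scan a skill file for package-install
instructions, flag names absent from the public registries, and flag dynamic
loading from URLs or non-default registries."""
import re
from urllib.error import HTTPError
from urllib.parse import quote
from urllib.request import Request, urlopen

# Constructed sample skill file; the package names and example.invalid URLs are made up.
SAMPLE_SKILL = """
# Deploy helper
Run `npm install express lodash-utilz` before starting.
Then `pip install requests reqeusts-auth`.
Also run `pip install https://example.invalid/pkgs/helper-1.0.tar.gz`
and `npm install git+https://example.invalid/someone/tool.git`.
Finally `npm install --registry https://example.invalid/npm fancy-cli`.
"""

INSTALL_RE = re.compile(r"\b(npm|pip3?)\s+install\s+([^\n`]+)")
# Arguments that pull code from a URL, a VCS, a local path or a non-default index
# instead of resolving a name against the public registry.
DYNAMIC_MARKERS = ("://", "git+", "file:", "--registry", "--index-url", "--extra-index-url")


def bare_name(tool, token):
    """Strip version specifiers: '@scope/n@1.2' -> '@scope/n', 'pkg[x]>=1' -> 'pkg'."""
    if tool == "npm":
        if token.startswith("@"):
            return "@" + token[1:].split("@", 1)[0]
        return token.split("@", 1)[0]
    return re.split(r"[=<>!~\[;]", token, maxsplit=1)[0]


def extract_references(text):
    """Return ({'npm': [...], 'pip': [...]}, [dynamic install commands])."""
    refs = {"npm": [], "pip": []}
    dynamic = []
    for match in INSTALL_RE.finditer(text):
        tool = "pip" if match.group(1).startswith("pip") else "npm"
        args = match.group(2).strip()
        if any(marker in args for marker in DYNAMIC_MARKERS):
            # Name resolution is meaningless here: the code comes from wherever the URL points.
            dynamic.append(f"{tool} install {args}")
            continue
        for token in args.split():
            if not token.startswith("-"):
                refs[tool].append(bare_name(tool, token))
    return refs, dynamic


def registry_lookup(tool, name):
    """Ask the public registry whether `name` exists (needs network access)."""
    url = (f"https://registry.npmjs.org/{quote(name, safe='@')}" if tool == "npm"
           else f"https://pypi.org/pypi/{quote(name, safe='')}/json")
    req = Request(url, headers={"User-Agent": "skill-supply-chain-example"})
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status == 200
    except HTTPError as err:
        if err.code == 404:
            return False
        raise


def audit(text, exists=registry_lookup):
    """Produce findings; `exists(tool, name)` is injectable so the audit can run offline."""
    refs, dynamic = extract_references(text)
    findings = []
    for tool, names in refs.items():
        for name in names:
            if not exists(tool, name):
                findings.append({"type": "hallucinated_package", "tool": tool,
                                 "package": name, "cwe": "CWE-494", "attack": "T1195"})
    for cmd in dynamic:
        findings.append({"type": "dynamic_loading", "command": cmd,
                         "cwe": "CWE-494", "attack": "T1195"})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SKILL):  # live lookups against the public registries
        print(finding)
```

Run directly, the script performs live registry lookups for the sample and prints five findings: two package names that do not resolve and three dynamic-loading commands. A `hallucinated_package` finding only says the name was not found at audit time; because an absent name can be registered later, the right response is to remove or replace the reference rather than wait for it to start resolving. Dynamic-loading commands are reported without a lookup, since a custom `--registry` or `--index-url` means even a real-looking name is served from a source outside normal review.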