PoisonedSkills: Exploiting Implicit Trust in LLM Coding Agent Skill Ecosystems

LLM-based coding agents (Claude Code, OpenHands, Codex, Gemini CLI) extend their capabilities through third-party "agent skills" distributed via open marketplaces with no mandatory security review. Unlike traditional packages, skill files are operational directives that agents parse and act upon with system-level privileges — a contaminated skill is sufficient to compromise the host.