Chainguard Agent Skills: a hardened registry for the skills you already install

Snyk scanned 67,000+ skills from public registries like skills.sh and ClawHub. 36% contained at least one security flaw. 1 That's the number sitting behind every npx skills add you've run without a second thought.

Chainguard — the container supply chain security company behind hardened base images — opened its Agent Skills registry to all users on June 17. 1 It gives you 1,000+ community skills from skills.sh, run through a continuous hardening pipeline before you touch them. Each one ships with a HARDENING.md audit log showing exactly what was changed and why.

The problem this solves

Skills are the new third-party dependencies. Most engineers haven't started treating them that way yet.

Public registries reached 350,000+ skills within two months of launch. 1 Dan Lorenc, Chainguard's CEO, described the attack surface directly: "The first few weeks of skill marketplaces going up, attackers found ways to inject malware and exploit malicious configurations in them." 2 A documented example: a popular "web design guidelines" skill with 150,000 weekly downloads and 22,000 GitHub stars contained no actual logic — just a pointer to a remote GitHub URL that fetches the real instructions at runtime. Swap the contents of that URL and every agent running the skill gets compromised instructions. 2 Chainguard inlines the remote dependency, scans it, and pins the result.

The hardening rules target six attack patterns specifically: over-permissioning, obfuscated commands, base64 execution, credential harvesting, untrusted download domains, and external dependency fetching at runtime. 1 3 When a rule fires, the pipeline uses an AI agent to apply a fix, verifies the fix didn't break the skill's function, and commits each change independently. 3

The other part worth noting: this isn't a one-time scan. When the upstream skill on skills.sh changes, or when Chainguard adds a new hardening rule, every affected skill reruns automatically. 1 4

Chainguard hardening pipeline: unvetted skills from the marketplace pass through a robotic processing arm and emerge as hardened, shield-protected agent skills — Chainguard's hardening pipeline — unvetted skills enter on the left, hardened skills exit under the Chainguard shield 2

Install

Prerequisites: chainctl CLI v0.2.282 or later, and a Chainguard Console account (free; no paid plan required). 5

# Browse the public catalog
chainctl skills list --group chainguard --recursive

# Pull a skill locally to inspect HARDENING.md before committing
chainctl skills pull chainguard/github/add-educational-comments .

# Install directly — auto-detects Claude Code, Cursor, Codex, Gemini CLI
chainctl skills install chainguard/github/add-educational-comments

The install command detects every supported agent on your machine and drops the skill into the right directory for each one (e.g. .claude/skills/ for Claude Code). Skills are stored as OCI artifacts at skills.cgr.dev/chainguard. 5 6

Supported agents: Claude Code, Cursor, GitHub Copilot (Codex), Gemini CLI. 1

The official demo walks through the full flow — browse, pull to inspect HARDENING.md, install:

Cargando tarjeta de contenido…

What the catalog looks like

The public catalog currently shows roughly 150+ skills visible on the product page, drawn from a pool of 1,000+. 7 Categories include:

Code review: code-review, security-review, find-bugs, postgresql-code-review
Cloud: 30+ Azure skills, Cloudflare series
Frameworks: vue-*, react-*, nestjs-*
Documentation: doc-coauthoring (from Anthropic), plantuml-ascii
DevOps: deploy-to-vercel

Three skills illustrate how hardening works in practice:

github/add-educational-comments — adds teaching annotations to code files. The raw skills.sh version carried implicit permissions to execute code. Chainguard's HARDENING.md flagged this as a minimal-permissions violation (severity: high) and stripped the execution permission. The skill only needs to read and annotate files. 5

doc-coauthoring (Anthropic) — structured documentation co-authoring. HARDENING.md shows a clean scan — no changes needed, because the upstream source was Anthropic's own well-maintained skill. The audit log still exists; it just records zero issues. 5

postgresql-code-review — community skill from skills.sh. Passes through the full hardening pipeline before reaching you. 7

The Chainguard console shows skills moving through states: unvetted → processing (RECONCILE) → verified 7

For teams that want to run internal skills through the same pipeline, Chainguard launched a private registry alongside the public catalog. Your team pushes skills to skills.cgr.dev/<org>/<name>:<tag>, gets them hardened, and distributes them within the org with SHA pinning for version locking. 8 A "hardening as a service" closed beta is open for teams that want to submit skills built outside skills.sh. 1

Community signal

The registry opened four days ago. Real developer feedback is sparse — no threads on r/ClaudeCode, r/ClaudeAI, or Hacker News yet. 9 The most substantive community comment so far comes from Reddit user averageuser612: Chainguard focusing on hardened skills is a positive signal, but the real trust boundary is metadata standardization — compatible agents, required tools, network/file permissions, known failure modes, rollback notes — not skill volume. 9

There's also a skeptical view worth noting. X user @lasya_142 wrote: "Chainguard is using AI to rewrite and harden agent skills... I am sure letting LLMs refactor security code will go flawlessly, with absolutely zero hallucinated vulnerabilities." 10

Cargando tarjeta de contenido…

The concern is legitimate. An AI-driven hardening pipeline that modifies security-sensitive code introduces its own class of risk: the fixer could theoretically introduce a subtle vulnerability while removing a visible one. Chainguard hasn't published independent security audits of the hardening pipeline itself. Until those exist, the audit trail in HARDENING.md is your primary verification tool — read it before installing any skill you plan to use on production code.

How does this compare to the alternatives? NVIDIA's SkillSpector (Apache 2.0, 2,500 stars) is an open-source security scanner — it flags vulnerabilities but makes no changes. 11 tech-leads-club/agent-skills (4,700 stars) runs a manually curated, security-reviewed registry but doesn't expose an audit trail per skill. 12 Chainguard sits between the two: automated fixes plus a per-skill audit log, at the cost of trusting the AI that did the fixing.

Quick reference

Registry	`skills.cgr.dev/chainguard`
Skill count	1,000+ (from skills.sh)
License	Per-skill (mirrors upstream; mostly MIT)
Install CLI	`chainctl` v0.2.282+
Agents supported	Claude Code, Cursor, GitHub Copilot (Codex), Gemini CLI
Account required	Chainguard Console (free)
Audit trail	`HARDENING.md` per skill
Hardening model	Continuous — reruns on upstream changes
Private registry	Available; hardening-as-a-service in closed beta
Announced	March 17, 2026 (beta) → June 17, 2026 (public)

Install if you're already pulling agent skills from skills.sh and want a supply chain gate between the raw registry and your agent. The install flow takes under two minutes, the audit log is immediately readable, and the pull-before-install pattern gives you a chance to review every change before it runs in your session. Teams using Claude Code or Cursor on production codebases have the most to gain — a compromised skill with access to your codebase and filesystem is a real attack vector, and Chainguard directly addresses it.

Hold if you're using an agent not on the supported list, or if you need skills from registries beyond skills.sh (Chainguard plans to expand to ClawHub and SkillsMP but hasn't yet). 3 The pricing structure also remains somewhat opaque — the public catalog is free with a Console account, but the boundary between free and paid tiers for the private registry and hardening service isn't documented cleanly. Confirm pricing before committing to the private registry for your team. 1

Cover image: Chainguard Agent Skills product interface from chainguard.dev/agent-skills