YOUR CLAUDE.MD IS ATTACK SURFACE. AGENT SKILLS AND MCP CLIENTS ARE WHERE THE NEXT BREACH LIVES.

Snyk scanned 3,984 agent skills: 13.4% had critical security issues, 76 were malicious payloads. A March 2026 arXiv paper tested MCP clients for prompt injection — wildly uneven guardrails across Claude Code, Cursor, Cline, Gemini CLI. Your CLAUDE.md is attack surface.

The two studies

Snyk ToxicSkills — February 2026

Snyk scanned 3,984 agent skills from ClawHub and skills.sh. The results:

• 534 skills (13.4%) had critical security issues.
• 1,467 skills (36.82%) had any security issue at all.
• 76 malicious payloads were confirmed through human-in-the-loop verification.

“Agent skills” is the new “npm package” — pluggable instructions an AI agent loads to extend its behavior. The same trust model that bit us with postinstall hooks is now bitting us with skill manifests.

“Are AI-assisted Development Tools Immune to Prompt Injection?” — arXiv, March 2026

The paper tested a wide set of MCP clients used for coding, including:

• Claude Desktop
• Claude Code
• Cursor
• Cline
• Continue
• Gemini CLI
• Langflow

Conclusion: there is huge variation in how well these tools resist prompt injection. Some have real guardrails. Others are highly susceptible to cross-tool poisoning, hidden parameters, and unauthorized tool calls.

Translation: “use an MCP client” is not a security decision yet. Each vendor is at a different stage of the curve, and nobody is done.

What this means for anyone shipping with AI agents

The trust boundary moved. If you think of your project as “source code + dependencies,” you are not looking at the whole attack surface anymore.

Every one of these is a place where data becomes instructions:

• CLAUDE.md
• .cursor/rules/
• Agent skill manifests you load from a registry
• MCP server configs (local and remote)
• .vscode/tasks.json, devcontainer features, postinstall scripts, GitHub Actions workflows

A poisoned file in any of them can redirect your agent to exfiltrate tokens, open a reverse shell, install a fake dependency, or rewrite a commit to hide an attack.

What to check before your next agent-assisted session

1. Audit your agent-instruction files. Treat CLAUDE.md, .cursor/rules/, skills, and MCP configs as part of the trust boundary — review them the same way you review PRs.
2. Pin skill manifests. If your agent loads skills from a registry, pin versions and diff updates. “Latest” is not a version.
3. Scope MCP servers. If an MCP server can reach the filesystem, the shell, or your cloud credentials, treat it as a privileged process. Run it under minimum privileges.
4. Do not only watch one file. The attack shifts. One week it is .vscode/tasks.json, the next it is a poisoned MCP server, then Cursor rules, then a GitHub workflow. Watch every place where data turns into instructions.
5. Scan what your agent produced, not just what it read. Most exposure from vibe-coded apps lives in the deployed thing — missing RLS, leaked tokens, wide-open buckets. A compromised agent makes that worse, not different.

How VibeEval helps

VibeEval runs autonomous agents against your deployed app — the thing your AI just shipped. It does not care which IDE wrote the code, which skills the agent loaded, or whether your MCP client was prompt-injected last Tuesday. It probes the running product for the failure modes a compromised agent is most likely to leave behind: exposed credentials, missing auth, open storage, leaky redirects.

Treat your agent setup as a supply chain. Then scan the output anyway.

Source: toolarium.ru — ИИ-агенты атакуют разработчиков: как защититься (Russian).