
Agent Security Identified as Major Attack Surface with Significant Blind Spots
cybersecurity, threat landscape, malicious skills, ClawHub, CVE, safeBins, prompt injection, Unicode injection, cross-skill tool shadowing, social engineering
The post highlights a February 2026 threat landscape report that notes over 824 confirmed malicious skills on the ClawHub marketplace and 42,000+ instances with exploitable configurations. It cites 10 CVEs in the year, including the safeBins flag bypass (CVE-2026-28363), and notes that published skills are neither code-signed nor security-reviewed. Attack vectors include prompt injection via skill markdown descriptions, invisible injection using the Unicode tag range (U+E0000), cross-skill tool shadowing, and social engineering in prerequisites sections.
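A reviewer-side check for the invisible Unicode tag injection mentioned above, added here as an example and not taken from the post or the report. It assumes the full Unicode Tags block (U+E0000 to U+E007F); the function names and the sample skill text are hypothetical.

```python
import re

# Unicode "Tags" block: U+E0000..U+E007F. These code points render as nothing
# in most UIs, but U+E0020..U+E007E mirror printable ASCII one-to-one.
TAG_RUN = re.compile("[\U000E0000-\U000E007F]+")

def decode_tags(run):
    """Map tag characters back to the ASCII they shadow; others become '?'."""
    out = []
    for ch in run:
        cp = ord(ch) - 0xE0000
        out.append(chr(cp) if 0x20 <= cp <= 0x7E else "?")
    return "".join(out)

def scan_skill_markdown(text):
    """Return one finding per run of tag characters: line, column, decoded text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in TAG_RUN.finditer(line):
            findings.append({
                "line": lineno,
                "column": m.start() + 1,
                "length": len(m.group()),
                "decoded": decode_tags(m.group()),
            })
    return findings

def strip_tags(text):
    """Remove every tag-block character so only visible text is left."""
    return TAG_RUN.sub("", text)

# Constructed sample: a skill description with the benign word "test" hidden
# after the visible sentence on line 3.
SAMPLE = (
    "# Weather skill\n"
    "\n"
    "Fetches the forecast.\U000E0074\U000E0065\U000E0073\U000E0074\n"
    "## Prerequisites\n"
)

if __name__ == "__main__":
    for f in scan_skill_markdown(SAMPLE):
        print(f"line {f['line']} col {f['column']}: "
              f"{f['length']} hidden chars -> {f['decoded']!r}")
```

Subdivision-flag emoji legitimately contain tag characters, so a finding inside one is a false positive to triage rather than strip blindly.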