A million AI skills, and most of them are a pile

Between March and May 2026, the number of public AI skills security researchers were tracking jumped from about 60,000 to nearly 900,000 (ESET AI threat trends report, July 2026). That is not a sign the ecosystem grew up. It is a sign the pile got bigger. If you are hunting for the best Claude Code skills, the hard part is no longer finding one. It is finding one that runs twice, does the job, and did not ship with a surprise inside.
Here is the uncomfortable part. A bigger catalog is not a better catalog. Most of what got added is filler, and some of it is worse than filler. So before you install the next "production ready" skill off a directory you found ten minutes ago, it helps to know what you are sorting through, and how to sort it.
The pile problem: quantity is not quality
Every marketplace wants to brag about its number. Hundreds of thousands of skills. Millions, if you count the ones scraped straight off public repos. The number sounds like abundance. It reads more like a landfill with a search bar.
The catch is that nobody scraping a million skills into an index is testing whether those skills work. They are counting files, not vouching for them. So the headline number tells you how much stuff exists, and tells you nothing about whether any given piece of it will run on your stack, produce something usable, or behave once it does. Volume is the easiest metric to inflate and the least useful one to trust.
That is the whole trap with a "best Claude Code skills" search. The lists that rank are usually sorted by popularity or recency, which measure attention, not quality. A skill can have a thousand stars and still brick on contact.
"It installed" is not "it works"
Start with the most basic bar: does the thing do its job. The first benchmark for agent skills, SkillsBench, scored 47,150 public skills and landed on an average quality score of 6.2 out of 12 (SkillsBench, February 2026). Barely half marks, across tens of thousands of skills people are shipping and installing every day.
The researchers only kept the top quartile for their tests, the skills scoring 9 or above, because most of the rest were not worth benchmarking. When they used those curated skills, agent pass rates climbed by an average of 16 points. The lesson is not subtle. A small set of good skills beats a giant set of mediocre ones, and the giant set is what you get by default.
You have felt this. The skill that installs clean and then produces output a nervous intern would apologize for. The one whose README is more confident than the code under it. "It installed" is a checkbox. "It works" is a different thing that far fewer skills clear.
"It works" is not "someone checked it"
Now the part people skip. A skill that installs and works can still be carrying something you did not agree to.
A security audit of 22,511 public skills across four registries produced 140,963 security findings, and 13.4 percent of those skills held at least one critical-level issue, including exposed secrets, code injection, and malware distribution (Mobb.ai audit, via The New Stack, March 2026). Separately, Snyk's ToxicSkills research scanned a corpus of agent skills and found prompt injection sitting in 36 percent of them (Snyk ToxicSkills, February 2026). Those are two different studies measuring two different things, so keep them apart, but they point the same direction: a large share of what is out there was never checked by anyone before it reached you.
This is not a reason to panic or swear off skills. It is a reason to know what a skill does before you hand it access to your files, your network, and your keys. A skill runs with your permissions. "Trust me" is not a permission model.
How to find the best Claude Code skills that hold up
You can vet a skill yourself in about five minutes. Before you install, run it through a short gauntlet:
- Does it run twice? Not once, on the author's machine, in the demo. Twice, on yours, on your stack. Reliability is the floor.
- Does the output survive a second read? Generic boilerplate and vague filler dressed up as a skill is a quality problem, not a formatting one. Read what it produces before you trust what it produces.
- Who wrote it, and when did they last touch it? A repo whose last commit was in 2024 is not maintained, it is abandoned with good lighting. A skill that grades where your code came from can do this pass for you, but even a glance at the commit history helps.
- What does it touch? Files, network calls, environment variables, secrets. If a formatting skill wants your credentials, that is the tell.
- Does the description match the code? Prompt injection and hidden instructions live in the gap between what a skill says it does and what it does.
None of this is exotic. It is the same due diligence you would run on any dependency, applied to a category that has mostly been getting a pass. Our step-by-step install guides walk the setup side once a skill clears the vetting side.
What a certified catalog does instead
Running that gauntlet on every skill, by hand, forever, is not a plan. It is a second job. The point of a certified catalog is that the checking already happened before the skill listed.
For every skill in our certified catalog, that means 96 certification checks across structure, platform fit, and quality, plus a separate 7-dimension security scan that blocks any skill with a serious finding. Not merged into one number, not a marketing round-up. Ninety-six checks for whether it is built right and does its job, and a security scan on top of that. You can read exactly what each layer checks rather than take our word for it.
Skills are certified across Claude Code, Codex, OpenClaw, and Google Antigravity, so the vetting travels with the skill regardless of which tool you run it in. And because the catalog gets new certified skills every month, the useful number is not how many skills exist somewhere. It is how many were checked before they reached you.
Common misconceptions worth dropping
"More skills means a better catalog." Backwards. A million entries with no vetting is a bigger haystack, not a better one. The value is in what got filtered out.
"It is open source, so it is fine." Open source means you can read the code. It does not mean anyone did. Most of the audited skills that failed were sitting in public repos the whole time.
"The star count vouches for it." Stars measure popularity and age, not quality or safety. Plenty of the skills flagged in those audits were popular. Attention is not a review.
The takeaways
- The best Claude Code skills are not the most numerous or the most starred. They are the ones that run, work, and were checked, which is a much smaller set than any raw catalog suggests.
- "Installed," "works," and "someone checked it" are three separate bars. Most skills clear the first and quietly let you assume the other two.
- You can vet a skill yourself in five minutes, or start from a catalog where the checking is already done.
Start from the checked set. Browse the certified skill catalog and see what a skill looks like when someone did the vetting before you installed it.
Sources
- ESET AI threat trends report, via Help Net Security, July 8 2026. The count of public skills security researchers tracked grew from about 60,000 to nearly 900,000 between March and May 2026; 25,000-plus suspicious and 3,000-plus malicious.
- SkillsBench: Benchmarking How Well Agent Skills Work Across Diverse Tasks, February 2026. 47,150 public skills, average quality 6.2 of 12; curated top-quartile skills raised agent pass rates by an average of 16.2 points.
- Security audit of 22,511 public AI coding skills, Mobb.ai, via The New Stack, March 2026. 140,963 findings; 13.4 percent (534 skills) with at least one critical issue.
- Snyk ToxicSkills research, February 2026. Prompt injection detected in 36 percent of the agent-skills corpus scanned; 1,467 malicious payloads.