Malicious Coding Agent Skills and the Risk of Dynamic Context
ID: 589d78c3-1ee8-586b-bf9a-001faf4e489f
STIX ID: report--589d78c3-1ee8-586b-bf9a-001faf4e489f
Feed Name: Datadog Security Labs
This post documents a supply-chain risk in coding agents: malicious Claude Code skills (e.g., Clawsights) use dynamic-context shell commands (the `!` preprocessing syntax) to run commands such as `gh auth token` and exfiltrate credentials before the LLM ever inspects the skill, which effectively bypasses model-level prompt-injection defenses. The report demonstrates the technique, shows the observed test behavior, and provides detection queries and mitigation recommendations (disable skill shell execution, review `.claude/skills` directories in repositories including nested folders, require code review, and monitor runtime telemetry).