The sorry state of skill distribution
ID: 213995a9-0cd2-50a4-a4b2-2ab27a164496
STIX ID: report--213995a9-0cd2-50a4-a4b2-2ab27a164496
Feed Name: Security Boulevard
Trail of Bits evaluated public skill marketplaces and associated scanners and found that simple, practical techniques reliably bypass multiple scanners, enabling arbitrary code execution and data exfiltration. The techniques are file truncation via large padding, .docx-based indirection, poisoned Python bytecode, and prompt injection framed as benign configuration. The report includes PoC artifacts and scanner outputs, and recommends using curated marketplaces, stricter packaging/format validation, and not outsourcing trust to automated scanners.
