Now in early access, book a 30-minute demo →
← Back to blog Guide

The Agent Skills Open Standard - Specification, Adoption, and the Governance Gap

TL;DR
  • Agent Skills, the SKILL.md format Anthropic created for packaging agent capabilities, is now an open standard stewarded at agentskills.io and open to ecosystem contributions.
  • The specification is deliberately minimal: a folder, a SKILL.md file with two required frontmatter fields (name and description), and optional scripts, references, and assets.
  • Adoption is far wider than most security teams realize - 40+ clients including Claude Code, Cursor, GitHub Copilot, VS Code, OpenAI Codex, Gemini CLI, Goose, and data platforms like Databricks and Snowflake.
  • Portability is the point and the problem: one skill folder now runs across every major agent, so one malicious skill folder does too.
  • The spec has no signing, no attestation, no mandatory review, and its only permission control (allowed-tools) is experimental and varies by implementation - governance is explicitly left to the runtime and the org.
  • Anthropic's own guidance warns that malicious skills can introduce vulnerabilities or direct agents to exfiltrate data; the standard tells you what a skill is, not whether you should trust it.

In under a year, Agent Skills went from an Anthropic engineering blog post to an open standard with its own specification site, reference validator, and a client list that reads like a census of the agent ecosystem. The format is now stewarded at agentskills.io, developed in the open on GitHub, and supported by more than forty agent products - coding agents, IDEs, data platforms, infrastructure agents, even healthcare automation. If your organization runs AI agents at all, it almost certainly runs software that loads skills.

That is worth a security team's full attention, because the standard's greatest strength - a skill written once runs everywhere - is also the property that turns one malicious folder into an ecosystem-wide payload. This guide walks through what the specification actually defines, who has adopted it, where skills are heading, and the governance gap the standard deliberately leaves open. If you need the foundational concepts first, start with what are AI agent skills - a security primer.

What the standard defines

The specification is deliberately minimal, and Anthropic's engineering team is explicit that the simplicity is the point: a simple format is easier for organizations, developers, and end users to build on. A skill is a directory containing, at minimum, a SKILL.md file. That file opens with YAML frontmatter and continues with free-form markdown instructions. Everything else is optional: a scripts/ directory for executable code, references/ for documentation the agent reads on demand, assets/ for templates and data files.

my-skill/
├── SKILL.md          # Required: metadata + instructions
├── scripts/          # Optional: executable code
├── references/       # Optional: documentation
├── assets/           # Optional: templates, resources
└── ...               # Any additional files or directories

The frontmatter carries the skill's identity, and it is the layer every vetting and inventory decision keys off - which makes its constraints, and its gaps, security-relevant.

Frontmatter fieldRequiredWhat it doesWhat security should note
nameYesIdentifier, max 64 chars, lowercase alphanumerics and hyphens, must match the folder name.Names are unverified strings; nothing stops a lookalike of a popular skill.
descriptionYesMax 1024 chars; states what the skill does and when to use it. Loaded for every skill at startup.This text steers when agents activate the skill - it is attack surface, not just documentation.
licenseNoLicense name or pointer to a bundled license file.Informational only; no enforcement.
compatibilityNoFree text (max 500 chars) for environment needs: products, packages, network access.A skill declaring it needs network access is self-reported; nothing checks the claim.
metadataNoArbitrary key-value map for client-defined properties.Unstandardized; author and version live here by convention, unverified.
allowed-toolsNoExperimental space-separated list of pre-approved tools the skill may use.The spec's only permission mechanism, and support explicitly varies between implementations.

The body of SKILL.md has no format restrictions at all: whatever prose helps the agent do the task. The spec recommends keeping it under 500 lines and pushing detail into referenced files. A reference library, skills-ref, validates naming and frontmatter - it checks that a skill is well-formed, not that it is safe.

How agents load skills: progressive disclosure

Skills scale because agents load them in three stages. At startup, an agent reads only each skill's name and description - about 100 tokens per skill. When a task matches a description, the agent pulls the full SKILL.md body into context; the spec recommends keeping that under 5,000 tokens. Bundled scripts and reference files load or execute only when the task actually calls for them. Anthropic's engineering post makes the consequence explicit: because agents with filesystem access load resources on demand, the context a skill can bundle is effectively unbounded.

  • Discovery - name and description load for every installed skill at startup, so the agent knows what it could do.
  • Activation - when a task matches, the full SKILL.md instructions enter the agent's context.
  • Execution - the agent follows the instructions, running bundled scripts and reading referenced files as needed.

Two implications follow. First, skills split into what practitioners call static and dynamic: instruction-only skills that work purely through in-context guidance, and skills that bundle executable code the agent invokes. Anthropic recommends bundling code where determinism or efficiency matters - a script sorts a list better than tokens do. Second, and less comfortably: most of a skill's content is invisible until the moment it runs. A reviewer who reads only what loads at startup has reviewed roughly 100 tokens of a package that may contain thousands of lines of prose and code. Point-in-time review of the visible layer is not coverage, a problem we detail in the vetting and approval playbook for agent skills.

Who has adopted it: the ecosystem is the surface

The client showcase at agentskills.io lists more than forty products, and the spread matters more than the count. This is no longer a coding-assistant feature; skills now load in IDEs, terminals, data warehouses, CI systems, and cloud agent platforms.

CategorySkills-compatible products (selection)
Frontier-lab agentsClaude, Claude Code, OpenAI Codex, Gemini CLI, Mistral Vibe
IDEs and editorsCursor, VS Code, GitHub Copilot, JetBrains Junie, TRAE, Kiro, Zed-class editors
Open-source coding agentsOpenCode, OpenHands, Goose, Roo Code, Amp, Cline-class tools, pi, VT Code
Enterprise dev platformsFactory, Tabnine, Qodo, Ona, Superconductor, Workshop
Data and infra platformsDatabricks Genie Code, Snowflake Cortex Code, Pulumi Neo, Spring AI, Laravel Boost
Agent frameworks and runtimesLetta, fast-agent, nanobot, ZeroClaw, bub, Google AI Edge Gallery
Vertical agentsAgentman (healthcare revenue cycle), Vita (autonomous digital workers)

For a defender, three consequences fall out of this list. First, coverage math changed: a skills policy scoped to one agent product now covers a sliver of the surface, because the same folder loads everywhere. Second, blast radius changed: a compromised skill shared in a team channel can land in Cursor on one laptop, Claude Code on another, and a Databricks workspace in between. Third, discovery got harder: skills arrive through git clones, marketplace installs, and dotfile syncs across dozens of products with no common install registry. That is the same bottom-up dynamic we mapped in AI agents are the new shadow IT, now with a standard file format accelerating it.

Skills, MCP, and rules: three layers, one agent

Skills did not replace the other extension mechanisms; they completed a stack. Anthropic frames skills as complementary to MCP - MCP connects agents to external tools and data through a typed protocol, while skills teach the multi-step workflows that use those tools. Static rules files sit below both, setting always-on guidance.

LayerWhat it providesHow it loadsPrimary risk
Rules files (CLAUDE.md, .cursorrules, AGENTS.md)Always-on project or org conventions.Injected into every session.Config drift and hidden instructions in repo files.
Agent SkillsOn-demand procedural knowledge plus optional executable code.Progressive disclosure when a task matches.Instruction-layer prompt injection and unvetted code with agent permissions.
MCP serversTyped connections to external systems and data.Registered as tools the agent can call.Malicious or over-scoped servers; see the MCP security cluster.

The stack composes in the attacker's favor as well as the operator's. A skill does not need its own network tooling if the agent already holds an MCP server that can reach the target system: the skill's markdown just instructs the agent to use it. Security researchers describe this as MCP amplification - a compromised instruction layer orchestrating trusted tool connections, up to and including remote code execution. It is one more instance of the pattern in indirect prompt injection explained: the payload is prose, and the tools were already authorized.

The governance gap the standard ships with

Read the specification with a supply-chain lens and the most striking thing is what is absent. There is no signing. There is no attestation of who authored a skill or whether it changed since review. There is no lockfile pinning a skill's contents, no mandatory review gate, and no central registry with takedown authority. The one permission-shaped field, allowed-tools, is labeled experimental with support that varies by implementation - meaning the same skill can be constrained in one agent and unconstrained in another.

This is not an oversight; it is a design choice that kept the format simple enough to win adoption, and the ecosystem is candid about the consequences. Anthropic's engineering guidance warns plainly that malicious skills may introduce vulnerabilities in the environment where they run or direct the agent to exfiltrate data, and tells users to audit bundled files, dependencies, and any instructions that point the agent at external network connections. The ecosystem has already demonstrated the failure mode at scale: the ClawHavoc campaign seeded hundreds of credential harvesters through a skill marketplace, covered in the OpenClaw security crisis, and academic work has shown hidden payloads passing marketplace review in malicious agent skills.

So the honest reading of the standard is: it defines what a skill is, and it hands the trust problem to you. Every control that matters - inventory, vetting, least privilege, runtime enforcement, audit - lives outside the format, in the runtime and in the organization. The controls themselves are covered across this cluster: the OWASP Agentic Skills Top 10 for the risk taxonomy, least privilege for agent skills for scoping, and scan-time tooling like NVIDIA SkillSpector for static vetting. Our own contribution on the research side is the Skill Risk Index, where Anomity publishes scan results for the most popular public skills.

Where skills are heading: hosted agents and durable sessions

The standard's next chapter is not on the laptop. Anthropic's Managed Agents architecture describes long-horizon agent work running as hosted sessions, with the design decoupled into three replaceable parts: the session (an append-only, durably stored log of every event), the harness or brain (the stateless loop calling the model and routing tool calls), and the sandbox or hands (the execution environment, which can be a container, a phone, or anything that answers an execute call). Credentials never enter the sandbox: repositories are cloned with bundled auth during setup, and OAuth tokens live in a vault reached through a proxy, so prompt-injected code cannot steal what was never there.

Two lessons transfer directly to skills governance. First, the append-only session log is what auditability looks like when agents act autonomously: every event recorded, durable, and queryable after the fact - the property you need when a skill did something unexpected three days ago, and the same requirement we set out in the AI agent audit trail guide. Second, skills are becoming a fleet-plus-cloud problem: the same SKILL.md that loads in a developer's terminal today will load in hosted sandboxes tomorrow, and a governance program scoped to endpoints alone will develop the same blind spot endpoints were, one layer up.

What security teams should do with the standard

  1. Inventory first. Enumerate every installed skill across every skills-compatible product on every endpoint - not just one agent's skills directory. Start from how to build an AI agent inventory.
  2. Treat frontmatter as untrusted input. Names, descriptions, and metadata are unverified strings that steer agent behavior and vetting decisions alike. Lookalike names and activation-bait descriptions are cheap attacks.
  3. Vet both layers, then keep watching. Static review must read the prose as seriously as the code, and a green verdict expires on the next update. Pair scan-time vetting with continuous change detection per the vetting playbook.
  4. Do not lean on allowed-tools. It is experimental and enforcement varies by agent. Runtime least privilege has to come from the agent's own permission hooks and your policy layer, per least privilege for agent skills.
  5. Demand an audit trail. Whether the skill ran on a laptop or in a hosted session, you need a durable record of what was installed, what changed, and what each tool call did.

Where Anomity fits

Anomity's principle is the one this whole analysis lands on: you can't govern what you can't see. The standard guarantees skills will be everywhere; it guarantees nothing about your visibility into them. Anomity's lightweight, unprivileged Endpoint Sensor runs on Windows, macOS, and Linux and discovers eight AI artifact types - AI agents, MCP servers, extensions, plugins, skills, secrets, hooks, and CLIs - across every skills-compatible product on the endpoint, not one vendor's directory. For each skill it records source, owner, version, and reach.

The sensor sends metadata only over HTTPS - never skill source, never prompts - and redacts secrets on the endpoint. On agents that expose a hook, such as Claude Code's PreToolUse, Anomity evaluates each tool call a skill triggers and returns allow, deny, or log before it runs, which is exactly the enforcement point the experimental allowed-tools field cannot yet guarantee. Update drift surfaces as a change event, violations route to your SIEM, Slack, email, and Jira, and every skill added, removed, or modified lands in a queryable 90-day audit trail. Anomity is SOC 2 Type II and complements your EDR/XDR, DLP, network controls, and GRC rather than replacing them.

You can't govern what you can't see.The Anomity principle

The bottom line

Agent Skills won. A format Anthropic released as an open standard is now the shared capability layer of the agent ecosystem, from Cursor and Copilot to Snowflake and Pulumi, and it is heading into hosted agent platforms next. The specification is elegant and deliberately minimal - and that minimalism means every trust decision is yours: nothing in the format verifies authorship, pins contents, or enforces permissions consistently across runtimes. Standardization made skills portable for everyone, attackers included. Inventory what is installed, vet both the code and the prose, enforce at the agent's hooks, and keep a durable audit trail. To see every skill across your fleet, book a 30-minute demo.

Frequently asked questions

What is the Agent Skills open standard?

It is the standardized format for packaging AI agent capabilities as folders of instructions and resources. A skill is a directory containing a SKILL.md file - YAML frontmatter with at least a name and description, followed by markdown instructions - plus optional scripts, references, and assets. Anthropic developed the format, released it as an open standard, and it is now stewarded at agentskills.io with contributions from the broader ecosystem.

Which agents and tools support Agent Skills?

The list is long and growing: Claude and Claude Code, Cursor, GitHub Copilot, VS Code, OpenAI Codex, Gemini CLI, Goose, OpenCode, OpenHands, Roo Code, Trae, Kiro, Factory, Amp, Tabnine, Qodo, JetBrains Junie, Letta, Mistral Vibe, Spring AI, Laravel Boost, and platform agents like Databricks Genie Code, Snowflake Cortex Code, and Pulumi Neo, among others. For a security team the takeaway is that skills are not a Claude feature - they are an ecosystem-wide execution surface.

What does SKILL.md frontmatter contain?

Two required fields: name (max 64 characters, lowercase letters, numbers, and hyphens, matching the folder name) and description (max 1024 characters, describing what the skill does and when to use it). Optional fields are license, compatibility (environment requirements), metadata (arbitrary key-value pairs), and allowed-tools, an experimental space-separated list of pre-approved tools whose support varies between agent implementations.

What is progressive disclosure in Agent Skills?

It is the three-stage loading model that keeps skills cheap in context. At startup the agent loads only each skill's name and description (roughly 100 tokens). When a task matches, it reads the full SKILL.md body into context (the spec recommends under 5,000 tokens). Bundled scripts, references, and assets load only if the task needs them. This is why an agent can carry hundreds of installed skills - and why security review cannot stop at what is visible at startup.

How do Agent Skills differ from MCP servers?

MCP gives agents structured connections to external systems - a typed API contract for tools and data. Skills inject procedural knowledge and behavioral instructions the agent follows in natural language. Anthropic positions them as complements: MCP is the connector, skills teach the workflow that uses it. That combination cuts both ways, because a compromised skill can orchestrate the trusted MCP tools an agent already holds. See how MCP and skills interact in the top MCP servers guide.

What security controls does the Agent Skills specification include?

Almost none, deliberately. There is no package signing, no attestation of authorship, no lockfile, and no mandatory review step anywhere in the format. The only permission-shaped field, allowed-tools, is marked experimental and its enforcement varies by implementation. The compatibility field is free text. The standard defines what a skill is; deciding whether to trust one is explicitly the job of the runtime and the organization running it.

Are skills only an endpoint problem?

No, and that is the direction of travel. Anthropic's Managed Agents work moves long-horizon agent execution into hosted sessions where the harness, sandbox, and session log are decoupled and every event is durably recorded. Skills will increasingly run in cloud sandboxes as well as on laptops. The governance requirement is the same in both places: know which skills exist, what they can reach, and what they did - on the endpoint fleet today, and in hosted agent sessions as they arrive.

How does Anomity govern Agent Skills?

Skills are one of the eight AI artifact types Anomity's lightweight Endpoint Sensor discovers and inventories across Windows, macOS, and Linux, alongside agents, MCP servers, extensions, plugins, secrets, hooks, and CLIs. For each skill it records source, owner, version, and reach, sends metadata only (never source or prompts), and on agents that expose a hook it returns allow, deny, or log for each tool call before it runs. Changes land in a queryable 90-day audit trail and violations route to SIEM, Slack, email, and Jira.

Ask AI about Anomity
ChatGPT Claude Perplexity Google AI Grok