An agent skill is a package that teaches an agent to do one thing well: a SKILL.md file of natural-language instructions, usually with bundled scripts the agent can execute. When a skill loads, its instructions enter the agent's context with the same standing as the user's own words, and its code runs with the agent's full authority on the endpoint. A malicious skill therefore needs no exploit - only an install. For background on the format, see what agent skills are.
Standardization turns this from a per-tool quirk into an ecosystem-scale risk. The open SKILL.md convention makes one skill portable across many agents, so a single malicious package can target a large installed base at once. The governance implications are covered in the open standard's rise.
How the attack works
A skill carries a dual payload. The prose half is instruction injection: text in SKILL.md that tells the agent to read a credentials file, weaken a check, or post data to a domain, which the agent obeys as trusted guidance. The code half is ordinary supply-chain execution: a bundled script that runs when the skill is set up or invoked. Either half is enough on its own.
This is why code scanning alone misses skills. A static scanner reads the scripts and finds nothing, because the malicious behavior lives in English sentences the agent will obey, not in a function the scanner recognizes. Researchers demonstrated this prose-hidden payload class in the USENIX 2026 hidden-payload work.
Attack scenarios
- Marketplace seeding at scale. An attacker publishes many plausible skills to a public registry. The ClawHavoc campaign seeded hundreds of credential-harvesting skills this way, using volume and useful-sounding names to win installs before review.
- Skilljacking. An attacker takes over an abandoned but still-installed skill, or ships a malicious update to a popular one, so the payload reaches an existing user base through the trusted update channel. The mechanics are detailed in skilljacking.
- Memory persistence. A skill's instructions tell the agent to write attacker guidance into memory or identity files (CLAUDE.md, AGENTS.md, saved memories). The skill can then be uninstalled while its behavior persists across future sessions, a form of context poisoning under malicious AI rules.
Related techniques
- Malicious MCP servers - the same trust problem in the tool layer rather than the instruction layer, under malicious MCP servers.
- Prompt injection - a skill is a durable, distributable injection payload rather than a one-shot one, per prompt injection.
- Unreviewed code execution - the bundled-script half is ordinary code execution risk.
Mitigations
- Inventory installed skills first. You cannot govern skills you cannot see. Know which skills are present on which endpoints, and their source, owner, and version.
- Vet before install, not after incident. Review both halves - prose and code - against a defined bar, and approve from a known-good source. Anomity publishes scans of popular public skills in the Skill Risk Index, and a repeatable process is in the vetting playbook.
- Scan for prose payloads, not just code. Use scanners built for the instruction layer, such as NVIDIA SkillSpector, and treat SKILL.md text as executable.
- Watch the update channel. Treat an update like a new install: skilljacking arrives as a version bump, so surface changed skills as events rather than trusting an already-approved name.
- Enforce at the tool-call boundary. Whatever the skill decides to do becomes a tool call - a file read, a shell command, a network request. A hook that evaluates each call against policy before it runs contains a skill that has already loaded.
How Anomity helps
Anomity's lightweight Endpoint Sensor discovers installed skills across Windows, macOS, and Linux and records each one's source, owner, version, and reach, turning an invisible instruction supply chain into an enumerable inventory. Skill updates surface as change events, so a malicious version bump or a skilljacked package shows up instead of arriving silently. On agents that expose a hook, such as Claude Code's PreToolUse, each tool call a skill triggers is allowed, denied, or logged before it runs, which is where the read-secrets-and-exfiltrate chain breaks. The sensor sends metadata only over HTTPS - never source code, never prompts - and routes violations to SIEM, Slack, email, and Jira, with a queryable 90-day audit trail.




