Now in early access, book a 30-minute demo →
Top riskcritical

Malicious Agent Skills

A skill is instructions plus code that loads into an agent and runs with its full authority. The open SKILL.md standard made one malicious skill portable across the entire agent ecosystem.

Attackerpublishes skill Skill marketplacepublic registry AI agentloads + runs skill Secrets + sourceenv vars, keys, code Attacker endpointexfiltration Tool-call hookallow / deny / log publishes skill developer installs reads sends data deny before run
A poisoned skill is published to a marketplace, installed, and loaded into the agent - where its instructions and bundled code reach secrets and exfiltrate them.

An agent skill is a package that teaches an agent to do one thing well: a SKILL.md file of natural-language instructions, usually with bundled scripts the agent can execute. When a skill loads, its instructions enter the agent's context with the same standing as the user's own words, and its code runs with the agent's full authority on the endpoint. A malicious skill therefore needs no exploit - only an install. For background on the format, see what agent skills are.

Standardization turns this from a per-tool quirk into an ecosystem-scale risk. The open SKILL.md convention makes one skill portable across many agents, so a single malicious package can target a large installed base at once. The governance implications are covered in the open standard's rise.

How the attack works

A skill carries a dual payload. The prose half is instruction injection: text in SKILL.md that tells the agent to read a credentials file, weaken a check, or post data to a domain, which the agent obeys as trusted guidance. The code half is ordinary supply-chain execution: a bundled script that runs when the skill is set up or invoked. Either half is enough on its own.

This is why code scanning alone misses skills. A static scanner reads the scripts and finds nothing, because the malicious behavior lives in English sentences the agent will obey, not in a function the scanner recognizes. Researchers demonstrated this prose-hidden payload class in the USENIX 2026 hidden-payload work.

Attack scenarios

Mitigations

  1. Inventory installed skills first. You cannot govern skills you cannot see. Know which skills are present on which endpoints, and their source, owner, and version.
  2. Vet before install, not after incident. Review both halves - prose and code - against a defined bar, and approve from a known-good source. Anomity publishes scans of popular public skills in the Skill Risk Index, and a repeatable process is in the vetting playbook.
  3. Scan for prose payloads, not just code. Use scanners built for the instruction layer, such as NVIDIA SkillSpector, and treat SKILL.md text as executable.
  4. Watch the update channel. Treat an update like a new install: skilljacking arrives as a version bump, so surface changed skills as events rather than trusting an already-approved name.
  5. Enforce at the tool-call boundary. Whatever the skill decides to do becomes a tool call - a file read, a shell command, a network request. A hook that evaluates each call against policy before it runs contains a skill that has already loaded.

How Anomity helps

Anomity's lightweight Endpoint Sensor discovers installed skills across Windows, macOS, and Linux and records each one's source, owner, version, and reach, turning an invisible instruction supply chain into an enumerable inventory. Skill updates surface as change events, so a malicious version bump or a skilljacked package shows up instead of arriving silently. On agents that expose a hook, such as Claude Code's PreToolUse, each tool call a skill triggers is allowed, denied, or logged before it runs, which is where the read-secrets-and-exfiltrate chain breaks. The sensor sends metadata only over HTTPS - never source code, never prompts - and routes violations to SIEM, Slack, email, and Jira, with a queryable 90-day audit trail.

See this surface in your own fleet

Anomity's Endpoint Sensor discovers every AI agent, MCP server, skill, and rules file on every endpoint, and governs each tool call at the hook. Book a 30-minute demo.

Ask AI about Anomity
ChatGPT Claude Perplexity Google AI Grok