Agent Skills Security: Full Lifecycle Governance Framework and Threat Landscape

1. Four‑Stage Attack Surface

The paper Towards Secure Agent Skills: Architecture, Threat Taxonomy, and Security Analysis defines four lifecycle phases for Agent Skills—Creation, Distribution, Deployment, and Execution—each exposing distinct attack vectors.

1.1 Creation

Core risks: malicious logic injection, command confusion, hidden backdoors. The SKILL.md file and its bundled scripts have unrestricted control; an attacker can embed adversarial commands in a seemingly benign description (e.g., a PDF text‑extraction feature) that are never validated by static analysis because the interface contract is missing. This creates a “behavior gap” that static tools cannot detect.

Snyk’s ToxicSkills scan of 3,984 Agent Skills found 534 (13.4%) with at least one critical issue, including hard‑coded malicious scripts and remote‑code‑execution payloads introduced via pip install or curl | bash commands.

1.2 Distribution

Core risks: malicious Skill masquerading, supply‑chain poisoning, ranking manipulation. Attackers can register Typosquatted Skill names that closely resemble popular tools (e.g., solana‑wallet‑tracker, youtube‑summarize‑pro) and publish convincing documentation, tricking users into installing compromised packages. Automated bots inflate download counts and fake reviews to push malicious Skills to the top of search results (as observed by Mitiga Labs).

Repository hijacking is also reported: compromised accounts gain control of legitimate Skill repositories, allowing post‑installation content changes that inherit the original approval permissions.

1.3 Deployment

Core risks: consent gap. Users approve a Skill based on its description, but the granted permissions persist across sessions, are broad, and cannot be revoked when the Skill’s content changes because approval is tied to the Skill identity rather than a versioned hash.

Three structural defects are highlighted:

Persistent trust model: a single approval grants lasting rights, enabling delayed malicious activation.

Unbounded permission scope: the approved Skill can perform any future operation, regardless of relevance.

Irreversible content changes: after installation, the Skill’s code can be altered without user notice, retaining the original trust relationship.

1.4 Execution

Core risks: execution with user privileges, unrestricted file‑system and network access, and prompt injection. Because the Skill’s command body is processed as operator‑level context, any adversarial command embedded in the Skill or in supplemental files is executed with the same privileges.

Advanced attacks use multi‑stage payloads: a Stage‑1 script downloads a Stage‑2 payload from attacker‑controlled infrastructure, culminating in remote code execution.

2. Three Structural Security Defects

The analysis identifies three architecture‑level flaws that are not implementation bugs but inherent to the Agent Skills framework:

Missing instruction boundary: natural‑language instructions and executable scripts coexist in the same file without enforced isolation, allowing malicious code to be hidden in seemingly harmless instructions.

Single‑approval persistent trust: once a Skill is approved, it retains unrestricted access indefinitely, enabling delayed attacks.

Lack of market security review: the ecosystem relies on superficial metrics (download count, star rating) that can be forged, providing no systematic code audit or sandbox testing.

3. Typical Security Incidents

In early January 2026, a coordinated supply‑chain attack—dubbed Operation ClawHavoc —compromised over 1,184 Skills (≈20% of the market). Koi Security’s audit of 2,632 Skills found 341 malicious ones (12.9%); 335 of these shared a common C2 IP (91.92.242.30) and were linked to the ClawHavoc campaign.

Notable malware families include Atomic Stealer (AMOS) , which stole browser‑saved passwords, cookies, and cryptocurrency wallet seeds (MetaMask, Phantom) from macOS, Windows, and Linux systems. AMOS leveraged the persistent trust model to download additional payloads after initial installation.

Enterprises that installed compromised Skills from public repositories suffered data breaches, remote code execution, and system instability, prompting the community to accelerate the development of security auditing platforms such as ClawSecure .

4. OWASP Agentic Skills Top‑10

Based on extensive vulnerability research, the following ten categories form an OWASP‑style top‑10 for Agent Skills:

Insecure instructions and decision rules.

Undefined permission boundaries.

Lack of source verification and code signing.

No logging or audit‑able execution path.

Overly broad tool permissions (allowed‑tools).

Unsafe script execution environment.

Supply‑chain dependency contamination.

Improper handling of sensitive data (hard‑coded API keys).

Abuse of persistent trust model.

Missing runtime behavior monitoring.

5. Security Toolchain for Skills

Several emerging tools aim to detect and mitigate malicious Skills:

ESET AI Skills Checker (released Mar 2026): analyzes Skill behavior using the Gemini 3 Flash model, having inspected over 3,016 OpenClaw Skills, many of which exhibit malicious traits.

VirusTotal Code Insight : now supports ZIP‑packed Skills and performs LLM‑driven semantic analysis.

SkillGuard (Akto) : enterprise‑grade platform that discovers installed Skills on endpoints.

SafeSkill (Micro‑step Online) : provides one‑stop AI Agent security, including sandbox analysis and Skill detection.

SkillScan : academic research tool combining static analysis with LLM‑based semantic classification, achieving 86.7% precision and 82.5% recall.

6. Runtime and Zero‑Trust Principles

Least‑privilege principle: Skills should be granted only the minimal capabilities required for their declared task (e.g., read ~/Documents/ instead of full filesystem access). The allowed‑tools field must be used to restrict tool usage.

Sandboxed execution: Run Skills inside isolated VMs or Docker containers, limiting filesystem and network access. Cato Networks recommends executing Skills in a sandbox similar to a browser’s page sandbox.

Dynamic policy engine: Adjust permissions at runtime based on task context and require explicit user confirmation for high‑risk operations.

Core security guidelines: only install Skills from trusted sources, avoid copy‑and‑paste of commands like curl | bash, and treat any such installation with high suspicion.

7. Future Security Architecture Directions

Capability‑Based Permission Model: move from an all‑or‑nothing trust model to fine‑grained capabilities (e.g., declare “read ~/Documents/” instead of “read all”). Runtime enforcement would verify declared capabilities against actual actions.

Standardized sandbox execution: isolate Skill execution in a sandbox analogous to browser sandboxing, exposing only whitelisted capabilities.

Content signing and integrity verification: adopt signing mechanisms similar to npm or Debian GPG to ensure Skills are not tampered with during distribution.

Runtime behavior monitoring: continuously monitor Skill execution for anomalous patterns using AI‑driven analysis, complementing static code checks.

These measures aim to harden the Agent Skills ecosystem against supply‑chain attacks, persistent trust abuse, and other emerging threats.