Update #40: Agent Skill Security Issues
Skills are pre-made instructions that make AI work more repeatable. Great in theory but these instruction docs are already seeing widespread abuse by attackers who are hiding malicious instructions
In recent months there has been a proliferation of agent skills. I first heard about them around the middle of last year as a friend of mine had pivoted his development team to ‘skills driven development’ using Claude Code. Since then we’ve seen the likes of ‘skills hub’ in OpenClaw, which further expands the skills available to agents across a variety of use cases.
So, today we’re going to unpack what agent skills are, how they are used in Claude Code and OpenClaw, and then some of the serious security concerns that I’ve seen cropping up time and time again recently.
What is a skill?
Agent skills are essentially pre-packaged instruction documents that an agent can invoke (similarly to a tool) for a specific outcome. This allows them to immediately grasp how to do something, rather than reasoning about the task from first principles every time. This also makes working with AI on specific tasks repeatable.
To understand why we might want something like this I’ll use an example from this video. Let’s say we want our agent to fill in a PDF with our details. Getting the agent to the point where it has completed this task could look like something in the image below, where it tries to create a script to read the PDF, perhaps it fails the first time but works the second, then it starts over with a script to write to the PDF, and so on, and so forth.
You could be a lot more prescriptive in how it should approach the task so that it doesn’t take so many steps, but then you’ll find yourself writing very specific instructions every time you want your agent to do something. Enter Skills.
This is a list of PDF-related skills that Anthropic have created and released publicly for the various actions associated with exactly the task that we described earlier. These are all accessible to agents through a SKILL.md file, which will insert the various tasks the agent now has instructions for into its context, and when the agent finds itself needing to perform one of these tasks it will call the skill directly.
One important thing to note for later, there are the actual task-specific instruction documents and scripts which shows the commands being run, as well as the SKILL.md which is a markdown file which shows, at a glance, what this skill does and how it works.
Claude Code & OpenClaw
With an understanding of how skills work, let’s have a look at how people are using them. Firstly, claude code now comes with several skills installed by default, more can be turned on in the claude.ai dashboard, custom skills can be uploaded, and there are tons of skills coming from the community for a variety of use cases…more to come on that later.
OpenClaw (the viral AI personal assistant) also uses skills to expand it’s functionality, and this lives on Clawhub. These are both skills repository where community members can download, and importantly upload, their favourite skills. This is where the story takes a turn, and we start to look at the security behind skills.
Security Concerns
We’ve got a good understanding of what skills are, and why they are useful, so it’s time to look at the more sinister side of this. This stems from the fact that when you are installing an instruction document you are taking untrusted content and using it to control how your agent behaves…how could that possibly go wrong?
Usually when something like this crops up we get a period where it’s all sunshine’s and rainbows, people are behaving themselves and sharing their knowledge with each other innocently…the internet is temporarily a safe place. This is usually then followed by someone having the bright idea to weaponise this trust that people have built, and begin packaging malicious skills in the hopes that people download them. This is exactly what happened with MCP servers.
However with how rapidly everyone is now adopting agents like OpenClaw, this phase was skipped and we went straight to a proliferation of malicious skills cropping up, including the number 1 most downloaded skill! We are talking thousands of compromised agents, almost overnight. Let’s take a look at some of the stories cropping up.
This one is hilarious. Jamieson O’Reilly is back again (the guy who found that the entire MoltBook database was open to the public internet) and this time he wanted to prove that random people would install malicious skills. He created a skill called ‘What would Elon do?’ which would give you Elon-Musk-style critiques on your ideas!
The ‘visible’ skill in the SKILL.md file (what users will see and what they might check) was all good marketing speak. This is all that ClawHub shows you of the skill, when in fact these skills could be hiding invisible instructions in HTML, additional files which contain the malware, etc. In his case, this was a ‘rules/logic.md’ which wasn’t rendered in the web UI for this skill which is where the juicy stuff was happening.
Next he inflated the apparent popularity of the skill by git cloning the OpenClaw code base and finding that the ‘downloads’ counter lacked any sort of anti automation, authentication, rate limiting, or whatever…so you can just add fake downloads to your skill which he used to push his fake skill to the top of the leader boards. +1 for ‘entirely AI generated projects’.
Fortunately, Jamieson is an ethical hacker, not a real one, and so when people ran his tool it would call the rules/logic.md file which contained the real instructions, which would ping a remote server and then display ASCII art saying they’ve been pwned.
This one showed how you can include malicious HTML comments in the markdown file which agents read, which humans cannot see when rendered on clawhub.ai
At the time of this tweet this was the most downloaded skill! A ‘hyper’ popular ‘Twitter’ skill was in fact, you guessed it, a stager for malware targeting MacOS.
Crypto bros (as always)
Conclusions
Honestly, it feels to me like we’re going backwards in terms of security in this AI era. Decades of hard work, battle wounds, secure development practices, and secure habits are just falling away. Fundamentally, connecting an inherently vulnerable text-based system to an increasing amount of untrusted text is always always going to cause problems.
Just in the last few weeks we’ve seen this play out on the main stage several times, with several different viral technologies. I’m not sure if there is some sort of security amnesia happening, a genuine lack of understanding on how risky this new technology is, non-technical users just don’t know any of this, or if people are just choosing the productivity gains over their own security.
Whatever it is, we’ve lapsed big time in our security standards, and I’m unsure if this is just a teething issue with AI adoption or if it is foreshadowing of the AI future.
The OpenClaw skill repository is the one I'd highlight. We ran a basic audit last month and found skills claiming to do one thing while also reading environment variables they had no reason to touch.
The part that should concern people more: most users treat skills the same way they treated browser extensions pre-Chrome Web Store. Download, install, trust. The trust model is broken before anyone noticed there was a trust model to build.
Human-in-the-loop for skill installation is probably the minimum viable safeguard. Audit logs second.